SHIELD: An Auto-Healing Agentic Defense Framework for LLM Resource Exhaustion Attacks
Nirhoshan Sivaroopan, Kanchana Thilakarathna, Albert Zomaya, Manu, Yi Guo, Jo Plested, Tim Lynar, Jack Yang, Wangli Yang
TL;DR
SHIELD tackles sponge attacks that exhaust LLM resources by introducing a training-free, multi-agent defense with a three-stage cascade (semantic similarity, substring matching, and LLM-based reasoning) and a closed auto-healing loop. The Knowledge Updater Agent and Prompt Optimization Agent enable autonomous defense evolution without model retraining, improving robustness against unknown and evolving attack patterns. Empirical results show SHIELD outperforms perplexity-based and static LLM defenses across non-semantic and semantic sponge prompts, while reducing end-to-end latency through early-stage filtering and knowledge-driven improvements. The framework offers a practical, deployable approach to self-healing LLM security with sustained adaptation in real-world environments.
Abstract
Sponge attacks increasingly threaten LLM systems by inducing excessive computation and DoS. Existing defenses either rely on statistical filters that fail on semantically meaningful attacks or use static LLM-based detectors that struggle to adapt as attack strategies evolve. We introduce SHIELD, a multi-agent, auto-healing defense framework centered on a three-stage Defense Agent that integrates semantic similarity retrieval, pattern matching, and LLM-based reasoning. Two auxiliary agents, a Knowledge Updating Agent and a Prompt Optimization Agent, form a closed self-healing loop, when an attack bypasses detection, the system updates an evolving knowledgebase, and refines defense instructions. Extensive experiments show that SHIELD consistently outperforms perplexity-based and standalone LLM defenses, achieving high F1 scores across both non-semantic and semantic sponge attacks, demonstrating the effectiveness of agentic self-healing against evolving resource-exhaustion threats.
