Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

AgentSentry: Mitigating Indirect Prompt Injection in LLM Agents via Temporal Causal Diagnostics and Context Purification

Tian Zhang, Yiwei Xu, Juan Wang, Keyan Guo, Xiaoyang Xu, Bowen Xiao, Quanlong Guan, Jinlin Fan, Jiawei Liu, Zhiquan Liu, Hongxin Hu

TL;DR

This work proposes AgentSentry, a novel inference-time detection and mitigation framework for tool-augmented LLM agents that is the first inference-time defense to model multi-turn IPI as a temporal causal takeover and eliminates successful attacks and maintains strong utility under attack.

Abstract

Large language model (LLM) agents increasingly rely on external tools and retrieval systems to autonomously complete complex tasks. However, this design exposes agents to indirect prompt injection (IPI), where attacker-controlled context embedded in tool outputs or retrieved content silently steers agent actions away from user intent. Unlike prompt-based attacks, IPI unfolds over multi-turn trajectories, making malicious control difficult to disentangle from legitimate task execution. Existing inference-time defenses primarily rely on heuristic detection and conservative blocking of high-risk actions, which can prematurely terminate workflows or broadly suppress tool usage under ambiguous multi-turn scenarios. We propose AgentSentry, a novel inference-time detection and mitigation framework for tool-augmented LLM agents. To the best of our knowledge, AgentSentry is the first inference-time defense to model multi-turn IPI as a temporal causal takeover. It localizes takeover points via controlled counterfactual re-executions at tool-return boundaries and enables safe continuation through causally guided context purification that removes attack-induced deviations while preserving task-relevant evidence. We evaluate AgentSentry on the \textsc{AgentDojo} benchmark across four task suites, three IPI attack families, and multiple black-box LLMs. AgentSentry eliminates successful attacks and maintains strong utility under attack, achieving an average Utility Under Attack (UA) of 74.55 %, improving UA by 20.8 to 33.6 percentage points over the strongest baselines without degrading benign performance.

AgentSentry: Mitigating Indirect Prompt Injection in LLM Agents via Temporal Causal Diagnostics and Context Purification

TL;DR

This work proposes AgentSentry, a novel inference-time detection and mitigation framework for tool-augmented LLM agents that is the first inference-time defense to model multi-turn IPI as a temporal causal takeover and eliminates successful attacks and maintains strong utility under attack.

Abstract

Large language model (LLM) agents increasingly rely on external tools and retrieval systems to autonomously complete complex tasks. However, this design exposes agents to indirect prompt injection (IPI), where attacker-controlled context embedded in tool outputs or retrieved content silently steers agent actions away from user intent. Unlike prompt-based attacks, IPI unfolds over multi-turn trajectories, making malicious control difficult to disentangle from legitimate task execution. Existing inference-time defenses primarily rely on heuristic detection and conservative blocking of high-risk actions, which can prematurely terminate workflows or broadly suppress tool usage under ambiguous multi-turn scenarios. We propose AgentSentry, a novel inference-time detection and mitigation framework for tool-augmented LLM agents. To the best of our knowledge, AgentSentry is the first inference-time defense to model multi-turn IPI as a temporal causal takeover. It localizes takeover points via controlled counterfactual re-executions at tool-return boundaries and enables safe continuation through causally guided context purification that removes attack-induced deviations while preserving task-relevant evidence. We evaluate AgentSentry on the \textsc{AgentDojo} benchmark across four task suites, three IPI attack families, and multiple black-box LLMs. AgentSentry eliminates successful attacks and maintains strong utility under attack, achieving an average Utility Under Attack (UA) of 74.55 %, improving UA by 20.8 to 33.6 percentage points over the strongest baselines without degrading benign performance.
Paper Structure (51 sections, 38 equations, 6 figures, 5 tables, 2 algorithms)

This paper contains 51 sections, 38 equations, 6 figures, 5 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Background and Problem Statement
  3. Tool-augmented LLM agents
  4. IPI as a tool-mediated attack surface
  5. Temporal delay in multi-turn workflows
  6. Security Challenges for Tool-Augmented LLM Agents
  7. Problem Formulation and Threat Model
  8. Agent Model and Execution Semantics
  9. Boundary-Indexed Diagnostics
  10. Boundary-Local Defense Component
  11. Threat Model
  12. Defender Capabilities and Scope
  13. Design of AgentSentry
  14. Boundary Instrumentation
  15. Counterfactual Re-Execution
  16. ...and 36 more sections

Figures (6)

  • Figure 1: A representative attack chain of tool-mediated IPI.
  • Figure 2: AgentSentry pipeline for defending against multi-turn IPI.
  • Figure 3: Boundary-local causal gating and safe continuation in AgentSentry.
  • Figure 4: Security--utility trade-off of indirect prompt-injection defenses for tool-augmented LLM agents.
  • Figure 5: Boundary-aligned causal effects.
  • ...and 1 more figures