Beyond Input Guardrails: Reconstructing Cross-Agent Semantic Flows for Execution-Aware Attack Detection

Yangyang Wei, Yijie Xu, Zhenyuan Li, Xiangmin Shen, Shouling Ji

TL;DR

This work proposes MAScope, a framework that shifts the defensive paradigm from static input filtering to execution-aware analysis, and synthesizes fragmented operational primitives into contiguous behavioral trajectories, enabling a holistic view of system activity.

Abstract

Multi-Agent Systems are emerging as the de facto standard for complex task orchestration. However, their reliance on autonomous execution and unstructured inter-agent communication introduces severe risks, such as indirect prompt injection, that easily circumvent conventional input guardrails. To address this, we propose MAScope, a framework that shifts the defensive paradigm from static input filtering to execution-aware analysis. By extracting and reconstructing Cross-Agent Semantic Flows, MAScope synthesizes fragmented operational primitives into contiguous behavioral trajectories, enabling a holistic view of system activity. We leverage a Supervisor LLM to scrutinize these trajectories, identifying anomalies across data flow violations, control flow deviations, and intent inconsistencies. Empirical evaluations demonstrate that MAScope effectively detects over ten distinct compound attack vectors, achieving F1-scores of 85.3% and 66.7% for node-level and path-level end-to-end attack detection, respectively. The source code is available at https://anonymous.4open.science/r/MAScope-71DC.

Paper Structure (21 sections, 11 equations, 16 figures, 4 tables)

Figures (16)

  • Figure 1: OWASP Top 10 Attack Surfaces in MAS
  • Figure 2: MAScope Overview
  • Figure 3: Hierarchical Sensitive Entity Constraint
  • Figure 4: Case Study: Phishing propagation via malicious prompt ingestion that exploits email tools to harvest contacts and automate message distribution.
  • Figure 5: System prompt for the NER agent outlining sensitive entity categories and extraction requirements for automated data leakage detection.
  • ...and 11 more figures