
Beyond Input Guardrails: Reconstructing Cross-Agent Semantic Flows for Execution-Aware Attack Detection

Authors: Yangyang Wei, Yijie Xu, Zhenyuan Li, Xiangmin Shen, Shouling Ji

Published: 2026-03-04

arXiv ID: 2603.04469v1

Added to Library: 2026-03-06 04:00 UTC

Red Teaming

📄 Abstract

Multi-Agent Systems are emerging as the de facto standard for complex task orchestration. However, their reliance on autonomous execution and unstructured inter-agent communication introduces severe risks, such as indirect prompt injection, that easily circumvent conventional input guardrails. To address this, we propose MAScope, a framework that shifts the defensive paradigm from static input filtering to execution-aware analysis. By extracting and reconstructing Cross-Agent Semantic Flows, MAScope synthesizes fragmented operational primitives into contiguous behavioral trajectories, enabling a holistic view of system activity. We leverage a Supervisor LLM to scrutinize these trajectories, identifying anomalies across data flow violations, control flow deviations, and intent inconsistencies. Empirical evaluations demonstrate that MAScope effectively detects over ten distinct compound attack vectors, achieving F1-scores of 85.3% and 66.7% for node-level and path-level end-to-end attack detection, respectively. The source code is available at https://anonymous.4open.science/r/MAScope-71DC.

🔍 Key Points

  • Introduction of the MAScope framework that enhances security in Multi-Agent Systems (MAS) by transitioning from static input filtering to execution-aware analysis.
  • The proposal of a Cross-Agent Semantic Flow reconstruction approach, enabling a holistic view of system activities and enhanced tracking of multi-agent interactions.
  • Utilization of a Supervisor LLM to audit reconstructed behavioral trajectories against anomalies in data and control flow, as well as intent consistency.
  • Empirical results demonstrating robust detection capabilities, achieving high F1-scores of 85.3% (node-level) and 66.7% (path-level) for various compound attack vectors drawn from the OWASP Top 10 vulnerabilities.
  • Demonstration of the ability to effectively detect compound attacks that exploit the complexities of interactions within MAS, highlighting vulnerabilities that traditional safeguard measures overlook.

💡 Why This Paper Matters

This paper presents significant advancements in the security of Multi-Agent Systems, offering a novel approach to threat detection that addresses critical vulnerabilities arising from autonomous execution and unstructured communication. The introduction of MAScope not only enhances the understanding of inter-agent dynamics but also provides proven methodologies for effective anomaly detection, underscoring the need for a shift in defensive strategies. As reliance on MAS increases across various sectors, the implications of this work are vital for ensuring operational integrity and protecting sensitive data.

🎯 Why It's Interesting for AI Security Researchers

Research in AI security stands to benefit considerably from this paper as it tackles some of the most pressing security challenges faced by Multi-Agent Systems. The innovative methods established for execution-aware analysis and semantic flow reconstruction offer new ways to detect complex adversarial behaviors that existing static defenses may miss. This research could provide a foundation for developing robust security protocols in AI applications that rely on multi-agent interactions, making it particularly relevant for researchers focusing on AI safety, cybersecurity, and system integrity.
