Saved in:
Bibliographic Details
Main Authors: Shi, Haoran, Yao, Hongwei, Shao, Shuo, Jiao, Shaopeng, Peng, Ziqi, Qin, Zhan, Wang, Cong
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2508.06418
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866916888114626560
author Shi, Haoran
Yao, Hongwei
Shao, Shuo
Jiao, Shaopeng
Peng, Ziqi
Qin, Zhan
Wang, Cong
author_facet Shi, Haoran
Yao, Hongwei
Shao, Shuo
Jiao, Shaopeng
Peng, Ziqi
Qin, Zhan
Wang, Cong
contents The Model Context Protocol (MCP) enhances large language models (LLMs) by integrating external tools, enabling dynamic aggregation of real-time data to improve task execution. However, its non-isolated execution context introduces critical security and privacy risks. In particular, adversarially crafted content can induce tool poisoning or indirect prompt injection, leading to conversation hijacking, misinformation propagation, or data exfiltration. Existing defenses, such as rule-based filters or LLM-driven detection, remain inadequate due to their reliance on static signatures, computational inefficiency, and inability to quantify conversational hijacking. To address these limitations, we propose SecMCP, a secure framework that detects and quantifies conversation drift, deviations in latent space trajectories induced by adversarial external knowledge. By modeling LLM activation vectors within a latent polytope space, SecMCP identifies anomalous shifts in conversational dynamics, enabling proactive detection of hijacking, misleading, and data exfiltration. We evaluate SecMCP on three state-of-the-art LLMs (Llama3, Vicuna, Mistral) across benchmark datasets (MS MARCO, HotpotQA, FinQA), demonstrating robust detection with AUROC scores exceeding 0.915 while maintaining system usability. Our contributions include a systematic categorization of MCP security threats, a novel latent polytope-based methodology for quantifying conversation drift, and empirical validation of SecMCP's efficacy.
format Preprint
id arxiv_https___arxiv_org_abs_2508_06418
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Quantifying Conversation Drift in MCP via Latent Polytope
Shi, Haoran
Yao, Hongwei
Shao, Shuo
Jiao, Shaopeng
Peng, Ziqi
Qin, Zhan
Wang, Cong
Computation and Language
The Model Context Protocol (MCP) enhances large language models (LLMs) by integrating external tools, enabling dynamic aggregation of real-time data to improve task execution. However, its non-isolated execution context introduces critical security and privacy risks. In particular, adversarially crafted content can induce tool poisoning or indirect prompt injection, leading to conversation hijacking, misinformation propagation, or data exfiltration. Existing defenses, such as rule-based filters or LLM-driven detection, remain inadequate due to their reliance on static signatures, computational inefficiency, and inability to quantify conversational hijacking. To address these limitations, we propose SecMCP, a secure framework that detects and quantifies conversation drift, deviations in latent space trajectories induced by adversarial external knowledge. By modeling LLM activation vectors within a latent polytope space, SecMCP identifies anomalous shifts in conversational dynamics, enabling proactive detection of hijacking, misleading, and data exfiltration. We evaluate SecMCP on three state-of-the-art LLMs (Llama3, Vicuna, Mistral) across benchmark datasets (MS MARCO, HotpotQA, FinQA), demonstrating robust detection with AUROC scores exceeding 0.915 while maintaining system usability. Our contributions include a systematic categorization of MCP security threats, a novel latent polytope-based methodology for quantifying conversation drift, and empirical validation of SecMCP's efficacy.
title Quantifying Conversation Drift in MCP via Latent Polytope
topic Computation and Language
url https://arxiv.org/abs/2508.06418