Saved in:
Bibliographic Details
Main Authors: Yan, Bingyu, Zhang, Xiaoming, Hou, Jinyu, Li, Chaozhuo, Zhou, Ziyi, Zhang, Xiaozhe, Zhang, Litian
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.16346
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866913133542506496
author Yan, Bingyu
Zhang, Xiaoming
Hou, Jinyu
Li, Chaozhuo
Zhou, Ziyi
Zhang, Xiaozhe
Zhang, Litian
author_facet Yan, Bingyu
Zhang, Xiaoming
Hou, Jinyu
Li, Chaozhuo
Zhou, Ziyi
Zhang, Xiaozhe
Zhang, Litian
contents LLM-based multi-agent systems (LLM-MAS) have become a promising paradigm for solving complex tasks through role specialization, tool use, memory, and collaborative reasoning. However, these interactions create new security risks that malicious instructions injected through messages, tools, or memories can propagate across agents and rounds, causing system-level compromise. Existing defenses largely rely on local filtering or graph-based anomaly detection, but they often fail to trace fine-grained propagation paths or remediate contaminated states without disrupting benign collaboration. We propose PropGuard, a propagation-aware framework for safeguarding LLM-MAS. PropGuard constructs a dual-view spatio-temporal graph that combines response-centric risk estimation with full-state evidence preservation. Guided by these risk priors, a GE-GRPO trained inspector sequentially explores the full-state graph to recover compact suspicious propagation subgraphs. PropGuard then verifies harmful propagation through subgraph-aware diagnosis and applies source-guided remediation to correct upstream contamination and replay affected downstream interactions. Experiments across four communication architectures and five attack settings demonstrate that PropGuard consistently lowers attack success while maintaining high task-level defense success, achieving a favorable effectiveness--efficiency trade-off.
format Preprint
id arxiv_https___arxiv_org_abs_2605_16346
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle PropGuard: Safeguarding LLM-MAS via Propagation-Aware Exploration and Remediation
Yan, Bingyu
Zhang, Xiaoming
Hou, Jinyu
Li, Chaozhuo
Zhou, Ziyi
Zhang, Xiaozhe
Zhang, Litian
Machine Learning
Artificial Intelligence
Cryptography and Security
LLM-based multi-agent systems (LLM-MAS) have become a promising paradigm for solving complex tasks through role specialization, tool use, memory, and collaborative reasoning. However, these interactions create new security risks that malicious instructions injected through messages, tools, or memories can propagate across agents and rounds, causing system-level compromise. Existing defenses largely rely on local filtering or graph-based anomaly detection, but they often fail to trace fine-grained propagation paths or remediate contaminated states without disrupting benign collaboration. We propose PropGuard, a propagation-aware framework for safeguarding LLM-MAS. PropGuard constructs a dual-view spatio-temporal graph that combines response-centric risk estimation with full-state evidence preservation. Guided by these risk priors, a GE-GRPO trained inspector sequentially explores the full-state graph to recover compact suspicious propagation subgraphs. PropGuard then verifies harmful propagation through subgraph-aware diagnosis and applies source-guided remediation to correct upstream contamination and replay affected downstream interactions. Experiments across four communication architectures and five attack settings demonstrate that PropGuard consistently lowers attack success while maintaining high task-level defense success, achieving a favorable effectiveness--efficiency trade-off.
title PropGuard: Safeguarding LLM-MAS via Propagation-Aware Exploration and Remediation
topic Machine Learning
Artificial Intelligence
Cryptography and Security
url https://arxiv.org/abs/2605.16346