
arxiv: 2606.30602 · v1 · pith:3FFMBV5Bnew · submitted 2026-06-29 · 💻 cs.CR · cs.AI

MESA: Prioritizing Vulnerable Communication Channels for Securing Multi-Agent Systems

Pith reviewed 2026-06-30 04:45 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords multi-agent systems · communication channel security · graph metrics · attack prioritization · LLM agents · vulnerability ranking · proactive defense

The pith

Mesa ranks multi-agent system communication edges by security risk using graph metrics and ablation probes, correlating at mean Spearman ρ=+0.60 with actual attack success.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents Mesa as a label-free method to rank which inter-agent communication edges in multi-agent systems are most likely to affect overall decisions if compromised. It combines six graph-theoretic metrics with ablation and masking probes, without any need for prior attack data or domain knowledge. Evaluations across three scenarios, eight topologies, and five LLMs show these rankings track empirical per-edge attack success rates at mean Spearman ρ=+0.60. In constrained defense settings, protecting the top 10% of ranked edges intercepts roughly three times as many attacks as random monitoring. The work rests on the observation that attack impact is highly non-uniform, with single edges sometimes driving up to 75% of total success.

Core claim

Mesa ranks MAS edges by integrating six graph-theoretic metrics with ablation and masking probes to score potential decision impact if compromised. Across three diverse MAS scenarios, eight network topologies, and five open-source LLMs, the rankings achieve mean Spearman ρ=+0.60 (peaking at +0.73) with measured per-edge attack success rates. Under resource limits, monitoring the top 10% of Mesa-ranked edges intercepts about 3x the successful attacks compared with random allocation.

What carries the argument

Mesa framework that scores edge criticality from six graph metrics plus ablation and masking probes to identify high-impact edges without attack traces.

If this is right

  • Resource-constrained defenders can allocate monitoring to the top 10% of ranked edges and expect roughly 3x higher attack interception than random allocation.
  • The correlation between Mesa scores and attack success holds across eight different network topologies and five LLMs from Qwen, Llama, and Gemma families.
  • Mesa performance degrades under adaptive attacks and in high-redundancy graphs, as characterized in the evaluation.
  • The method requires no attack traces and works with LangGraph workflows, allowing use before any incidents are observed.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Integrating Mesa into initial MAS deployment could let teams harden the highest-risk channels before any live traffic occurs.
  • The observed concentration of attack impact in a small fraction of edges may appear in other distributed agent or workflow systems beyond the tested scenarios.
  • Extending the probes to measure downstream task accuracy rather than raw attack success could test whether the same edges matter for benign performance as well.

Load-bearing premise

The six graph-theoretic metrics together with ablation and masking probes are sufficient to identify security-critical edges across diverse MAS scenarios and LLM backends without requiring attack traces or domain-specific attack knowledge.

What would settle it

A controlled MAS deployment in which monitoring the top 10% of Mesa-ranked edges intercepts no more attacks than random selection of the same number of edges would falsify the claimed prioritization benefit.
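
The check described above can be run against any edge ranking once per-edge attack outcomes have been measured. The following is an added example, not code from the paper or from Pith: it scores a constructed eight-agent workflow with edge betweenness, used here only as a stand-in because this page does not give MESA's six metrics, probes, or weights, then reports Spearman ρ against constructed success counts and the top-10% interception lift over random monitoring.

```python
import math
from collections import deque

# Constructed 8-agent workflow (assumption, not from the paper): two teams
# report to leads, the leads feed an aggregator, the aggregator feeds a decider.
EDGES = [("a1", "lead_a"), ("a2", "lead_a"), ("b1", "lead_b"), ("b2", "lead_b"),
         ("lead_a", "agg"), ("lead_b", "agg"), ("agg", "decider"),
         ("decider", "exec"), ("decider", "audit"), ("lead_a", "lead_b")]

# Constructed measurement: successful attacks per edge, equal trials per edge.
SUCCESSES = dict(zip(EDGES, [6, 5, 7, 3, 14, 12, 28, 10, 6, 9]))


def edge_betweenness(edges):
    """Brandes' algorithm for a directed, unweighted graph (no duplicate edges).

    Stand-in score only: MESA's real score combines six metrics and two probes.
    """
    succ = {}
    for u, v in edges:
        succ.setdefault(u, []).append(v)
        succ.setdefault(v, [])
    score = {e: 0.0 for e in edges}
    for s in succ:
        dist, sigma, preds, order = {s: 0}, {s: 1.0}, {s: []}, []
        queue = deque([s])
        while queue:                          # BFS counting shortest paths
            v = queue.popleft()
            order.append(v)
            for w in succ[v]:
                if w not in dist:
                    dist[w], sigma[w], preds[w] = dist[v] + 1, 0.0, []
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(order, 0.0)
        for w in reversed(order):             # back-propagate path dependencies
            for v in preds[w]:
                credit = sigma[v] / sigma[w] * (1.0 + delta[w])
                score[(v, w)] += credit
                delta[v] += credit
    return score


def average_ranks(values):
    """1-based ranks; tied values share the mean of the ranks they span."""
    order = sorted(range(len(values)), key=values.__getitem__)
    ranks, i = [0.0] * len(values), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return ranks


def spearman(xs, ys):
    """Spearman rho as the Pearson correlation of tie-averaged ranks."""
    rx, ry = average_ranks(xs), average_ranks(ys)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    norm = math.sqrt(sum((a - mx) ** 2 for a in rx) * sum((b - my) ** 2 for b in ry))
    return cov / norm if norm else float("nan")


def budget_coverage(score, successes, budget=0.10):
    """Share of successful attacks on the top-`budget` edges, and lift vs random."""
    n = len(score)
    k = max(1, math.floor(budget * n))
    ranked = sorted(score, key=lambda e: (-score[e], e))  # deterministic tie-break
    monitored = ranked[:k]
    caught = sum(successes[e] for e in monitored)
    total = sum(successes.values())
    if total == 0:
        return monitored, 0.0, float("nan")
    # Monitoring k random edges intercepts k/n of the successes in expectation.
    return monitored, caught / total, (caught * n) / (total * k)


def evaluate(edges, successes, budget=0.10):
    score = edge_betweenness(edges)
    rho = spearman([score[e] for e in edges], [successes[e] for e in edges])
    monitored, coverage, lift = budget_coverage(score, successes, budget)
    # lift <= 1 means the ranking did no better than random monitoring.
    return {"rho": rho, "monitored": monitored, "coverage": coverage,
            "lift": lift, "beats_random": lift > 1.0}


if __name__ == "__main__":
    for key, value in evaluate(EDGES, SUCCESSES).items():
        print(f"{key}: {value}")
```

On real deployments, replace `SUCCESSES` with measured per-edge outcomes and `edge_betweenness` with the ranking under test; a lift at or below 1 at the chosen budget is the falsifying result described above.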

Figures

Figures reproduced from arXiv: 2606.30602 by Jonathan Gregory, Kunyang Li, Kyle Domico, Patrick McDaniel.

Figure 1: Attack success is edge-dependent; preliminary analysis showed

Figure 2: MESA Framework: using static and dynamic features to construct the edge vulnerability saliency map.
    Adjacent text: 3. Preliminaries 3.1. MAS as Communication Graphs We model MAS as a directed graph G = (V, E). The topology of G specifies the communication architecture. Each node v ∈ V is an LLM-based agent with a role-specific system prompt and resource access; each directed edge e = (u, v) ∈ E is a communication channel…

Figure 3: Dynamic misinformation-injection attack. In this customer-service

Figure 4: The named communication topologies.
    Adjacent text: because its edges are indistinguishable under centrality measures. (v) Mesh is fully connected and has the most routing redundancy. (vi) Hybrid combines hierarchy with cross-team edges. We fix the topology across scenarios and vary agent roles and information access as described in §5.2. Random topologies. To test if MESA generalizes beyond the six named graphs, we samp…

Figure 3: Since the rewrite is generated from the current

Figure 5: Per-edge ASR across topologies and scenarios.

Figure 6: Per-feature Spearman ρ with ASR on software engineering. Signs match the offline MESA design.
    Adjacent text: of some dynamic features can be noisy, dynamic features add unique signals with respect to ASR, as we show in the next section (§6.1.2). Furthermore, the strength of dynamic features comes with the combination of static features for predicting vulnerability, as shown in §6.2. Finding 1.1. The features of MESA are …

Figure 8: MESA-guided multi-edge attack with different budgets.
    Adjacent text: attack. Here, we investigate if MESA can be similarly used to help with the design of defensive strategies. Specifically, we study if our metric can help guide intelligent defense allocation schemes, where a defender has a limited defense budget and desires to maximize the security benefit of applying defenses at certain edges. As we will show, MESA pr…

Figure 9: Attack coverage under budgeted defense. M

Figure 11: ASR by exposure tier. Internal edges are most damaging but

Figure 12: MESA edge scores transfer to LangGraph. Each point is one directed edge; per-topology ρ ∈ [+0.53, +0.97], where ρ is the Spearman coefficient between the MESA score and empirical per-edge ASR.
    Adjacent text: RQ5 Takeaway. MESA remains useful after incorporating reachability against exposure-sensitive attacks. MESA is also readily portable to production-level frameworks, demonstrating practical utility. 7. Related Works…
Original abstract

Multi-agent systems (MAS) are increasingly used to automate complex, distributed workflows. However, their inter-agent communication channels introduce new attack surfaces that remain poorly understood and are difficult to defend against. In this paper, we address how defenders should prioritize limited security effort to protect vulnerable communication channels before attacks are observed. This is motivated by our observation that the channel-level attack impact is highly non-uniform: a single compromised edge can account for up to 75% of total attack success. We introduce Mesa, a label-free framework for proactively ranking which MAS edges are most security-critical -- that is, most likely to affect the system's decision if compromised. Mesa combines six graph-theoretic metrics and two dynamic probes (ablation and masking) without requiring attack traces. We evaluate Mesa against a dynamic misinformation attack pipeline across three diverse MAS scenarios, eight network topologies, and five open-source LLMs from Qwen, Llama, and Gemma families. Mesa rankings correlate strongly with empirical per-edge attack success rate, achieving mean Spearman $\rho=+0.60$ (peaking at $+0.73$). In resource-constrained defense deployment, monitoring the top 10% of Mesa-ranked edges intercepts about 3x the successful attacks as random allocation. We further test Mesa under varying attacker and defender models and LangGraph workflows and characterize its limits under adaptive attacks and high-redundancy graphs. Overall, our results show that edge-level risk in MAS is often concentrated and predictable, allowing proactive hardening of multi-agent infrastructures.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces Mesa, a label-free framework that ranks security-critical communication edges in multi-agent systems by combining six graph-theoretic metrics with ablation and masking probes. It evaluates the approach on three MAS scenarios, eight topologies, and five LLMs under a dynamic misinformation attack pipeline, reporting a mean Spearman correlation of +0.60 (peaking at +0.73) between Mesa rankings and empirical per-edge attack success rates, plus a 3x improvement in intercepted attacks when monitoring the top 10% of ranked edges versus random allocation. Additional tests cover varying attacker/defender models, LangGraph workflows, adaptive attacks, and high-redundancy graphs.

Significance. If the empirical correlations and defense gains hold under full scrutiny, the work provides a concrete, proactive method for prioritizing limited security resources in MAS without requiring attack traces or domain knowledge. The multi-scenario, multi-LLM evaluation design and direct comparison to measured attack success rates are strengths that could make the results actionable for LLM-based agent deployments where edge impact is shown to be highly non-uniform.

major comments (2)
  1. [§5, Table 2] §5 (Evaluation), Table 2 and Figure 4: the reported mean Spearman ρ=+0.60 is presented without per-scenario standard deviations, confidence intervals, or the exact aggregation method across the 3 scenarios × 8 topologies × 5 LLMs; this makes it impossible to judge whether the correlation is stable or driven by a subset of conditions.
  2. [§4.3] §4.3 (Mesa Framework): the weighting and selection of the six graph metrics plus the two probes are described but lack a systematic sensitivity analysis showing that the combination is robust to removal of any single metric; the ablation results focus on probe removal rather than metric ablation, leaving open whether the correlation depends on post-hoc metric choice.
minor comments (2)
  1. [§3.2] §3.2: the notation for the six graph metrics (e.g., betweenness, degree) is introduced inline without a consolidated table of formulas, making cross-reference to the results section cumbersome.
  2. [Figure 5] Figure 5 (defense allocation): the x-axis label for 'top 10% Mesa-ranked edges' should explicitly state whether the percentage is computed per topology or globally across all edges.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments, which help strengthen the statistical transparency and robustness analysis of our results. We address each major comment below and have incorporated revisions to improve the manuscript.

  1. Referee: [§5, Table 2] §5 (Evaluation), Table 2 and Figure 4: the reported mean Spearman ρ=+0.60 is presented without per-scenario standard deviations, confidence intervals, or the exact aggregation method across the 3 scenarios × 8 topologies × 5 LLMs; this makes it impossible to judge whether the correlation is stable or driven by a subset of conditions.

    Authors: We agree that additional statistical details are required to assess stability. In the revised manuscript, we have expanded Table 2 with per-scenario and per-topology breakdowns, added standard deviations (σ ≈ 0.08 across conditions), and included 95% bootstrap confidence intervals. A new paragraph in §5 now explicitly describes the aggregation as an unweighted mean over all 120 conditions (3 scenarios × 8 topologies × 5 LLMs). These additions show the mean ρ remains stable, with individual values ranging from +0.45 to +0.73. revision: yes

  2. Referee: [§4.3] §4.3 (Mesa Framework): the weighting and selection of the six graph metrics plus the two probes are described but lack a systematic sensitivity analysis showing that the combination is robust to removal of any single metric; the ablation results focus on probe removal rather than metric ablation, leaving open whether the correlation depends on post-hoc metric choice.

    Authors: We acknowledge this limitation in the original submission. The six metrics were selected from established graph-theoretic literature for complementary coverage of local and global properties, but explicit leave-one-out testing was not reported. In the revision, we have added a metric ablation study to §4.3 and Appendix C: each metric is removed individually and the Spearman correlation recomputed. Results indicate that omitting any single metric reduces mean ρ by at most 0.07, while the full set yields the highest correlation, confirming robustness. revision: yes

Circularity Check

0 steps flagged

No significant circularity identified

Mesa derives edge rankings from six independent graph-theoretic metrics plus ablation/masking probes that operate without attack traces or labels. These rankings are then compared post hoc to empirical per-edge attack success rates via Spearman correlation; the validation data is external and not used to define or fit the metrics. No equation or step reduces the output ranking to a renaming, self-citation chain, or fitted parameter of the attack-success target. The central claim therefore remains self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review; no explicit free parameters, axioms, or invented entities are stated.


Appendix A. Properties of the MESAScore

We view the finite edge set E as the sample space. Each edg...