Detect Insider Agents in Multi-Agent Networks with XG-Guard’s Explainable GAD
XG-Guard introduces a novel unsupervised graph anomaly detection framework that jointly encodes sentence- and token-level features of LLM agents, leverages theme-based anomaly scoring and covariance-based score fusion to pinpoint malicious agents in multi-agent systems, providing fine-grained explanations and enabling automatic communication isolation.
Introduction As multi-agent systems (MAS) built on large language model (LLM) agents become more capable, their inter‑agent communication also amplifies security risks: a compromised agent can inject malicious content, steer reasoning, and cause the whole system to converge on harmful outputs.
Recent work applies Graph Anomaly Detection (GAD) as an unsupervised defense, modeling agents and their communications as a graph and training a GAD model to locate attacked nodes. Existing methods suffer two major limitations: they only use coarse‑grained sentence embeddings, ignoring fine‑grained token signals, and they lack interpretability, offering only a binary anomaly decision.
Core Contributions
Problem modeling: first unsupervised GAD for MAS that is explainable.
Method design: XG-Guard combines coarse‑ and fine‑grained representations with a theme‑based anomaly detector.
Empirical validation: extensive experiments across diverse MAS topologies and attack strategies show superior defense performance and reliable explanations.
Method Overview
XG-Guard consists of four stages.
Stage 1 – Bi-Level Agent Encoder
The encoder produces two representations for each agent’s output:
Sentence‑level (coarse) features that capture overall semantics.
Token‑level (fine) features that retain word‑level details.
A graph neural network (GNN) then propagates messages over the communication graph, yielding node encodings that fuse textual and structural information.
Stage 2 – Theme‑Based Unsupervised Anomaly Detector
Normal MAS collaboration stays on‑topic; malicious agents deviate or embed hidden harmful statements. XG-Guard first aggregates current dialogue features into a “theme prototype”. It then measures the distance between each agent’s sentence‑ and token‑level embeddings and the prototype, producing two anomaly scores (sentence‑level and token‑level).
Stage 3 – Covariance‑Based Score Fusion and Explanation
Because token‑level prototypes can be polluted by malicious content, directly merging coarse and fine scores may degrade performance. XG-Guard introduces a covariance‑based fusion mechanism that aligns the two scores, producing a unified anomaly score. The aligned token‑level scores highlight suspicious keywords, offering fine‑grained explanations.
Stage 4 – Isolation of Malicious Agents
When an agent is identified as malicious, XG-Guard cuts all its edges in the communication graph, preventing the spread of harmful information to other agents.
Experimental Results
Experiments cover multiple MAS communication structures and attack patterns under a strictly unsupervised setting (no labeled attacks in training).
Main Experiments XG-Guard outperforms state‑of‑the‑art unsupervised detectors on ROAUC and ASR@3, and matches supervised baselines on several datasets. It also maintains high performance across different LLM backbones (GPT‑4o‑mini, DeepSeek‑V3, Qwen‑30B‑A3B), demonstrating strong generalization.
Ablation Studies Removing the score‑fusion module (-Fusion) or the token‑level information (-Token) each causes a significant drop in detection performance. Without token details, the model misses subtle malicious cues; without adaptive fusion, it confuses normal topic drift with true anomalies, sometimes yielding ROAUC below 50%.
Explainability Visualizations show that XG-Guard can pinpoint the exact sentence or token responsible for an anomaly, such as a malicious agent spreading misleading information or attempting to invoke a tool for personal data theft.
Conclusion
XG-Guard presents a new unsupervised safeguarding framework for MAS that leverages token‑level features to both detect malicious agents and provide transparent, fine‑grained explanations, thereby enhancing the reliability and auditability of multi‑agent LLM systems.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
