Detect Insider Agents in Multi-Agent Networks with XG-Guard’s Explainable GAD

XG-Guard introduces a novel unsupervised graph anomaly detection framework that jointly encodes sentence- and token-level features of LLM agents, leverages theme-based anomaly scoring and covariance-based score fusion to pinpoint malicious agents in multi-agent systems, providing fine-grained explanations and enabling automatic communication isolation.

Machine Heart
Machine Heart
Machine Heart
Detect Insider Agents in Multi-Agent Networks with XG-Guard’s Explainable GAD

Introduction As multi-agent systems (MAS) built on large language model (LLM) agents become more capable, their inter‑agent communication also amplifies security risks: a compromised agent can inject malicious content, steer reasoning, and cause the whole system to converge on harmful outputs.

Recent work applies Graph Anomaly Detection (GAD) as an unsupervised defense, modeling agents and their communications as a graph and training a GAD model to locate attacked nodes. Existing methods suffer two major limitations: they only use coarse‑grained sentence embeddings, ignoring fine‑grained token signals, and they lack interpretability, offering only a binary anomaly decision.

Core Contributions

Problem modeling: first unsupervised GAD for MAS that is explainable.

Method design: XG-Guard combines coarse‑ and fine‑grained representations with a theme‑based anomaly detector.

Empirical validation: extensive experiments across diverse MAS topologies and attack strategies show superior defense performance and reliable explanations.

Method Overview

XG-Guard consists of four stages.

Stage 1 – Bi-Level Agent Encoder

The encoder produces two representations for each agent’s output:

Sentence‑level (coarse) features that capture overall semantics.

Token‑level (fine) features that retain word‑level details.

A graph neural network (GNN) then propagates messages over the communication graph, yielding node encodings that fuse textual and structural information.

Stage 2 – Theme‑Based Unsupervised Anomaly Detector

Normal MAS collaboration stays on‑topic; malicious agents deviate or embed hidden harmful statements. XG-Guard first aggregates current dialogue features into a “theme prototype”. It then measures the distance between each agent’s sentence‑ and token‑level embeddings and the prototype, producing two anomaly scores (sentence‑level and token‑level).

Stage 3 – Covariance‑Based Score Fusion and Explanation

Because token‑level prototypes can be polluted by malicious content, directly merging coarse and fine scores may degrade performance. XG-Guard introduces a covariance‑based fusion mechanism that aligns the two scores, producing a unified anomaly score. The aligned token‑level scores highlight suspicious keywords, offering fine‑grained explanations.

Stage 4 – Isolation of Malicious Agents

When an agent is identified as malicious, XG-Guard cuts all its edges in the communication graph, preventing the spread of harmful information to other agents.

Experimental Results

Experiments cover multiple MAS communication structures and attack patterns under a strictly unsupervised setting (no labeled attacks in training).

Main Experiments XG-Guard outperforms state‑of‑the‑art unsupervised detectors on ROAUC and ASR@3, and matches supervised baselines on several datasets. It also maintains high performance across different LLM backbones (GPT‑4o‑mini, DeepSeek‑V3, Qwen‑30B‑A3B), demonstrating strong generalization.

Ablation Studies Removing the score‑fusion module (-Fusion) or the token‑level information (-Token) each causes a significant drop in detection performance. Without token details, the model misses subtle malicious cues; without adaptive fusion, it confuses normal topic drift with true anomalies, sometimes yielding ROAUC below 50%.

Explainability Visualizations show that XG-Guard can pinpoint the exact sentence or token responsible for an anomaly, such as a malicious agent spreading misleading information or attempting to invoke a tool for personal data theft.

Conclusion

XG-Guard presents a new unsupervised safeguarding framework for MAS that leverages token‑level features to both detect malicious agents and provide transparent, fine‑grained explanations, thereby enhancing the reliability and auditability of multi‑agent LLM systems.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

multi-agent systemsunsupervised learningexplainable AILLM securitygraph anomaly detection
Machine Heart
Written by

Machine Heart

Professional AI media and industry service platform

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.