FlowGuard: From Signals to Evidence for MCP Security Detection

📅 2026-07-16
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
Existing MCP security detection methods rely on static semantic signals and struggle to reliably identify execution-based risks as well as semantic risks embedded in metadata or response content. This work proposes FlowGuard—the first unified detection framework that integrates runtime execution evidence with semantic analysis—to enable collaborative verification of both risk types. FlowGuard operates through a pipeline comprising semantic risk pre-screening, reconnaissance-guided payload optimization, pattern-compliance probe generation, evidence-based adjudication, and history-guided refinement. Evaluated on a benchmark of 1,880 MCP use cases, FlowGuard achieves F1 scores of 0.879 for command injection and 0.942 for file system access, while reducing end-to-end latency by up to 2.23×. In real-world deployment, it uncovered 523 security issues across 326 servers.
📝 Abstract
The Model Context Protocol (MCP) enables LLM agents to interact with external tools through metadata exchange, tool invocation, and response consumption. Existing MCP security scanners primarily reason about suspicious semantic signals rather than real execution behaviors, which can lead to unreliable risk assessment. For example, credential-like strings may simply be placeholders rather than actual leakage. This gap requires runtime evidence for execution-related risks and careful semantic analysis for risks carried in metadata or returned content. We present FlowGuard, an evidence-grounded MCP security detection system. FlowGuard combines semantic risk triage, recon-guided payload narrowing, schema-valid probe generation, evidence adjudication, and history-guided refinement. It verifies execution-related risks through runtime evidence and detects semantic risks in tool metadata and returned content. We evaluate FlowGuard on an executable benchmark containing 1,880 MCP cases across five vulnerability categories. FlowGuard achieves F1 scores of 0.879 and 0.942 on the execution-related Command Injection and File System Access categories, respectively. Compared with existing dynamic scanners, FlowGuard reduces end-to-end latency by up to 2.23x. In the real-world evaluation, FlowGuard reports 523 findings across 326 servers. These results show that evidence-grounded detection can assess both execution-related and semantic risks in MCP interactions.
Problem

Research questions and friction points this paper is trying to address.

MCP security
execution behavior
semantic risk
runtime evidence
credential leakage
Innovation

Methods, ideas, or system contributions that make the work stand out.

evidence-grounded detection
Model Context Protocol
runtime evidence
semantic risk analysis
dynamic security scanning
🔎 Similar Papers
No similar papers found.