Malicious agents in LLM-driven multi-agent systems (MAS) can distort collective decision-making by propagating adversarial messages—a security threat for which existing supervised defenses are ineffective against unseen attacks due to their reliance on labeled attack data. Method: We propose the first unsupervised defense framework that models only benign interaction patterns—without requiring any attack labels. It employs a hierarchical agent encoder to jointly capture individual, neighborhood, and global interaction dynamics; integrates directional noise injection and contrastive learning for robust representation learning; and introduces a corruption-guided detector for reliable anomaly identification. Contribution/Results: Evaluated across diverse communication topologies, our framework achieves high detection accuracy against previously unseen attacks—including prompt injection, memory poisoning, and tool misuse—outperforming supervised baselines significantly. It demonstrates strong generalization capability, practical deployability, and resilience to distributional shifts in agent behavior.

The security of LLM-based multi-agent systems (MAS) is critically threatened by propagation vulnerability, where malicious agents can distort collective decision-making through inter-agent message interactions. While existing supervised defense methods demonstrate promising performance, they may be impractical in real-world scenarios due to their heavy reliance on labeled malicious agents to train a supervised malicious detection model. To enable practical and generalizable MAS defenses, in this paper, we propose BlindGuard, an unsupervised defense method that learns without requiring any attack-specific labels or prior knowledge of malicious behaviors. To this end, we establish a hierarchical agent encoder to capture individual, neighborhood, and global interaction patterns of each agent, providing a comprehensive understanding for malicious agent detection. Meanwhile, we design a corruption-guided detector that consists of directional noise injection and contrastive learning, allowing effective detection model training solely on normal agent behaviors. Extensive experiments show that BlindGuard effectively detects diverse attack types (i.e., prompt injection, memory poisoning, and tool attack) across MAS with various communication patterns while maintaining superior generalizability compared to supervised baselines. The code is available at: https://github.com/MR9812/BlindGuard.