🤖 AI Summary
This work addresses the challenge of securing communication edges in multi-agent systems under non-uniform attack risks, where defense resources are limited and prior knowledge of attacks is unavailable. The authors propose MESA, a novel framework that reveals— for the first time—the highly concentrated impact of edge-level attacks. MESA ranks communication edges by security criticality without requiring attack labels, by integrating six graph-theoretic metrics with two dynamic probing strategies: ablation and masking. Designed to integrate seamlessly with LangGraph workflows, the method demonstrates consistent efficacy across diverse network topologies and open-source large language models. Empirical results show a strong correlation between MESA’s rankings and actual attack success rates (mean Spearman ρ = +0.60), enabling the interception of approximately three times more successful attacks than random allocation by monitoring only the top 10% most critical edges.
📝 Abstract
Multi-agent systems (MAS) are increasingly used to automate complex, distributed workflows. However, their inter-agent communication channels introduce new attack surfaces that remain poorly understood and are difficult to defend against. In this paper, we address how defenders should prioritize limited security effort to protect vulnerable communication channels before attacks are observed. This is motivated by our observation that the channel-level attack impact is highly non-uniform: a single compromised edge can account for up to 75% of total attack success. We introduce Mesa, a label-free framework for proactively ranking which MAS edges are most security-critical -- that is, most likely to affect the system's decision if compromised. Mesa combines six graph-theoretic metrics and two dynamic probes (ablation and masking) without requiring attack traces. We evaluate Mesa against a dynamic misinformation attack pipeline across three diverse MAS scenarios, eight network topologies, and five open-source LLMs from Qwen, Llama, and Gemma families. Mesa rankings correlate strongly with empirical per-edge attack success rate, achieving mean Spearman $ρ=+0.60$ (peaking at $+0.73$). In resource-constrained defense deployment, monitoring the top 10% of Mesa-ranked edges intercepts about 3x the successful attacks as random allocation. We further test Mesa under varying attacker and defender models and LangGraph workflows and characterize its limits under adaptive attacks and high-redundancy graphs. Overall, our results show that edge-level risk in MAS is often concentrated and predictable, allowing proactive hardening of multi-agent infrastructures.