A-MemGuard: A Proactive Defense Framework for LLM-Based Agent Memory

📅 2025-09-29
📈 Citations: 0
Influential: 0
🤖 AI Summary
LLM agents rely on memory for autonomous decision-making, yet their memories are vulnerable to stealthy malicious injection attacks—where adversaries insert seemingly benign records that trigger deceptive behavior only under specific contexts, initiating self-reinforcing error loops. Method: We propose the first proactive defense framework tailored for LLM agent memory, innovatively integrating a dual-memory architecture with consensus-based verification. It enables memory self-auditing, multi-path reasoning comparison, anomaly detection, and lesson extraction—achieving memory self-correction without modifying the agent’s core architecture. The framework incrementally strengthens its defense capability through accumulated experience, effectively disrupting gradual adversarial manipulation. Contribution/Results: Extensive experiments across multiple benchmarks demonstrate >95% reduction in attack success rate, with <0.5% degradation in normal task performance. Our approach significantly enhances the security and robustness of memory systems in LLM agents.

📝 Abstract
Large Language Model (LLM) agents use memory to learn from past interactions, enabling autonomous planning and decision-making in complex environments. However, this reliance on memory introduces a critical security risk: an adversary can inject seemingly harmless records into an agent's memory to manipulate its future behavior. This vulnerability is characterized by two core aspects. First, the malicious effect of injected records is only activated within a specific context, making them hard to detect when individual memory entries are audited in isolation. Second, once triggered, the manipulation can initiate a self-reinforcing error cycle: the corrupted outcome is stored as precedent, which not only amplifies the initial error but also progressively lowers the threshold for similar attacks in the future. To address these challenges, we introduce A-MemGuard (Agent-Memory Guard), the first proactive defense framework for LLM agent memory. The core idea of our work is the insight that memory itself must become both self-checking and self-correcting. Without modifying the agent's core architecture, A-MemGuard combines two mechanisms: (1) consensus-based validation, which detects anomalies by comparing reasoning paths derived from multiple related memories, and (2) a dual-memory structure, where detected failures are distilled into "lessons" stored separately and consulted before future actions, breaking error cycles and enabling adaptation. Comprehensive evaluations on multiple benchmarks show that A-MemGuard effectively cuts attack success rates by over 95% while incurring a minimal utility cost. This work shifts LLM memory security from static filtering to a proactive, experience-driven model where defenses strengthen over time. Our code is available at https://github.com/TangciuYueng/AMemGuard
Problem

Research questions and friction points this paper is trying to address.

Detects stealthy memory injection attacks on LLM agents
Prevents self-reinforcing error cycles from corrupted memories
Provides proactive defense without modifying core agent architecture
Innovation

Methods, ideas, or system contributions that make the work stand out.

Proactive defense framework for LLM agent memory
Combines consensus-based validation with dual-memory structure
Enables self-checking and self-correcting memory mechanisms
Authors

Qianshan Wei, Nanyang Technological University, Singapore
Tengchao Yang, Nanyang Technological University, Singapore
Yaochen Wang, Independent Researcher
Xinfeng Li, Nanyang Technological University, Singapore
Lijun Li, Independent Researcher
Zhenfei Yin, University of Oxford (Deep Learning, Multimodal, AI Agent, Robotics)
Yi Zhan, Independent Researcher
Thorsten Holz, Max Planck Institute for Security and Privacy (MPI-SP) (Computer Security)
Zhiqiang Lin, The Ohio State University
XiaoFeng Wang, Chair, ACM SIGSAC (AI-Centered Security, Systems Security and Privacy, Healthcare Privacy, Incentive Engineering)