Is Monitoring Enough? Strategic Agent Selection For Stealthy Attack in Multi-Agent Discussions
This paper addresses security vulnerabilities in multi-agent systems, which concern AI developers and users, but it is incremental because it builds on existing attack scenarios.
The paper tackles the problem of securing multi-agent discussions under continuous monitoring by anomaly detectors. It shows that existing attacks fail because they exhibit detectable patterns, while the authors' novel attack method remains effective, indicating that monitoring alone is insufficient to eliminate adversarial risks.
Multi-agent discussions have been widely adopted, motivating growing efforts to develop attacks that expose their vulnerabilities. In this work, we study a practical yet largely unexplored attack scenario, the discussion-monitored scenario, where anomaly detectors continuously monitor inter-agent communications and block detected adversarial messages. Although existing attacks are effective without discussion monitoring, we show that they exhibit detectable patterns and largely fail under such monitoring constraints. But does this imply that monitoring alone is sufficient to secure multi-agent discussions? To answer this question, we develop a novel attack method explicitly tailored to the discussion-monitored scenario. Extensive experiments demonstrate that effective attacks remain possible even under continuous monitoring, indicating that monitoring alone does not eliminate adversarial risks.