这篇论文用具体实验证明,多智能体系统里单独检查每个智能体的信息根本不够,分布式后门能让所有局部检查都正常,但组合起来就成攻击了。
本文揭示多智能体系统中的分布式后门攻击,恶意负载被分割到多个智能体,使局部监控每个步骤都通过,但组合后形成攻击。作者形式化定义了“可观测边界”:若片段在监控视角下看似良性,则任何检测器都无法捕获。实验表明,局部监控在0.874 mean AUROC下无法检测到攻击,只有监控看到组合对象时才恢复信号。解码视图门控可阻断所有测试攻击,但需知道编码族。
When Local Monitors Miss Compositional Harm: Diagnosing Distributed Backdoors in Multi-Agent Systems
As multi-agent, tool-using LLM systems are deployed, a common safety net is a runtime monitor that checks each message, tool call, or step on its own. We show this net has a fundamental hole. A distributed backdoor splits a harmful payload across agents, so every local check passes while the assembled object is the attack. The monitor can be right on every step and still miss the attack. The problem is not splitting itself: split fragments can still leak suspicious tokens or provenance edges. The hard case is \emph{local benignness}. No fragment carries the harm, and what is left looks like ordinary benign traffic. We formalize this as an \emph{observability boundary}: a monitor catches only what its view can tell apart from benign traffic. We prove that once the fragments look benign in the monitored view, no detector on that view can catch them, however strong it is. Across a controlled testbed, an external benchmark, and end-to-end agent runs, local monitors lose the signal exactly as local evidence disappears, and it returns only when the monitor sees the assembled object. A monitor trained only on benign traffic recovers the attack's code structure across held-out encodings (0.874 mean AUROC). A decoded-view gate, given the encoding family, blocks every tested attack. But seeing more is not enough: full-trace monitors and decoders still fail unless they reach the representation where the payload is exposed. Local safety is not global safety when harm is compositional, and the open problem is finding that representation.