Quantifying Conversation Drift in MCP via Latent Polytope
Haoran Shi, Hongwei Yao, Shuo Shao, Shaopeng Jiao, Ziqi Peng, Zhan Qin, Cong Wang

TL;DR
This paper introduces SecMCP, a framework that detects conversation drift in large language models using latent polytope modeling, effectively identifying security threats like hijacking and misinformation with high accuracy.
Contribution
It presents a novel latent polytope-based method to quantify conversation drift and demonstrates its effectiveness in securing MCP-enabled LLMs against adversarial threats.
Findings
SecMCP achieves AUROC > 0.915 in threat detection.
Latent polytope modeling effectively captures conversation deviations.
The system maintains usability while enhancing security.
Abstract
The Model Context Protocol (MCP) enhances large language models (LLMs) by integrating external tools, enabling dynamic aggregation of real-time data to improve task execution. However, its non-isolated execution context introduces critical security and privacy risks. In particular, adversarially crafted content can induce tool poisoning or indirect prompt injection, leading to conversation hijacking, misinformation propagation, or data exfiltration. Existing defenses, such as rule-based filters or LLM-driven detection, remain inadequate due to their reliance on static signatures, computational inefficiency, and inability to quantify conversational hijacking. To address these limitations, we propose SecMCP, a secure framework that detects and quantifies conversation drift: deviations in latent-space trajectories induced by adversarial external knowledge. By modeling LLM activation…
Taxonomy
Topics: Speech and dialogue systems · Natural Language Processing Techniques · Multimedia Communication and Technology
