AegisMCP: Online Graph Intrusion Detection for Tool-Augmented LLMs on Edge Devices
Zhonghao Zhan, Amir Al Sadi, Krinos Li, Hamed Haddadi

TL;DR
AegisMCP is a real-time, protocol-level intrusion detection system for smart home MCP agent toolchains, utilizing behavioral graph learning to identify security breaches on edge devices efficiently.
Contribution
The paper introduces AegisMCP, a protocol-level intrusion detector, together with NEBULA-Schema, a reusable protocol-level instrumentation, and a streaming detection method for secure, real-time monitoring of MCP agent activity on edge hardware.
Findings
Achieves sub-second inference latency on edge hardware.
Outperforms traffic-only and sequence baselines.
Ablations confirm the importance of the session-DAG and permission signals.
Abstract
In this work, we study security of Model Context Protocol (MCP) agent toolchains and their applications in smart homes. We introduce AegisMCP, a protocol-level intrusion detector. Our contributions are: (i) a minimal attack suite spanning instruction-driven escalation, chain-of-tool exfiltration, malicious MCP server registration, and persistence; (ii) NEBULA-Schema (Network-Edge Behavioral Learning for Untrusted LLM Agents), a reusable protocol-level instrumentation that represents MCP activity as a streaming heterogeneous temporal graph over agents, MCP servers, tools, devices, remotes, and sessions; and (iii) a CPU-only streaming detector that fuses novelty, session-DAG structure, and attribute cues for near-real-time edge inference, with optional fusion of local prompt-guardrail signals. On an emulated smart-home testbed spanning multiple MCP stacks and a physical bench, AegisMCP…
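As an added illustration, not code from the paper, of how MCP activity can be scored online as a heterogeneous graph over agents, servers, tools, devices and remotes with novelty, session-DAG and attribute cues, the following toy scorer ingests constructed tool-call events. The event fields, the weights and the "device read then outbound network" attribute cue are assumptions, not the NEBULA-Schema definition.

```python
from collections import defaultdict

# Constructed MCP tool-call events (assumed format, not the paper's schema):
# (timestamp, session, agent, mcp_server, tool, target, permission, parent_tool)
# target is a device name or "remote:<name>"; parent_tool is the call whose
# output fed this one (the session DAG edge), None for a root call.
EVENTS = [
    (1.0, "s1", "assistant", "home-srv", "get_temp",  "thermostat", "read",  None),
    (2.0, "s1", "assistant", "home-srv", "set_temp",  "thermostat", "write", "get_temp"),
    (3.0, "s2", "assistant", "home-srv", "get_temp",  "thermostat", "read",  None),
    (4.0, "s2", "assistant", "home-srv", "list_cams", "camera",     "read",  "get_temp"),
    (5.0, "s2", "assistant", "new-srv",  "upload",    "remote:ext", "net",   "list_cams"),
]


class StreamingGraphScorer:
    """Keeps a global edge set (novelty baseline) plus per-session DAG depth."""

    def __init__(self, novelty_w=1.0, depth_w=0.5, attr_w=2.0):
        self.seen_edges = set()      # (agent, server, tool) triples seen so far
        self.seen_servers = set()    # MCP servers seen so far
        self.sessions = defaultdict(lambda: {"depth": {}, "score": 0.0, "dev": False})
        self.w = (novelty_w, depth_w, attr_w)

    def ingest(self, ev):
        _ts, sess, agent, server, tool, target, perm, parent = ev
        nw, dw, aw = self.w
        st, score = self.sessions[sess], 0.0
        # Novelty cue: first time this agent invokes this tool on this server.
        if (agent, server, tool) not in self.seen_edges:
            score += nw
            self.seen_edges.add((agent, server, tool))
        # Stronger novelty cue: an MCP server never seen before (new registration).
        if server not in self.seen_servers:
            score += nw
            self.seen_servers.add(server)
        # DAG cue: depth of this call in the session's tool-chain DAG.
        depth = st["depth"].get(parent, 0) + 1
        st["depth"][tool] = depth
        score += dw * (depth - 1)
        # Attribute cue: outbound network call to a remote after a device was touched.
        if target.startswith("remote:") and perm == "net" and st["dev"]:
            score += aw
        else:
            st["dev"] = st["dev"] or not target.startswith("remote:")
        st["score"] += score
        return st["score"]


def score_sessions(events):
    """Replay events in order and return the cumulative score per session."""
    scorer = StreamingGraphScorer()
    for ev in events:
        scorer.ingest(ev)
    return {s: round(v["score"], 2) for s, v in scorer.sessions.items()}
```

Session s1 scores high only because it is the warm-up baseline; s2 scores higher through the unseen server, the deeper chain, and the device-to-remote pattern.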
