Can LLM Infer Risk Information From MCP Server System Logs?

TL;DR

This paper introduces a synthetic benchmark to evaluate LLMs' ability to detect security risks in MCP server system logs, highlighting the effectiveness of reinforcement learning techniques in improving detection accuracy.

Contribution

It presents the first benchmark dataset for assessing LLMs' risk inference from system logs and demonstrates reinforcement learning's superiority over supervised fine-tuning.

Findings

Reinforcement learning with GRPO improves detection accuracy to 83%.

Smaller models tend to miss risky logs, resulting in high false negatives.

Supervised fine-tuning increases false positives, over-flagging benign logs.

Abstract

Large Language Models (LLMs) demonstrate strong capabilities in solving complex tasks when integrated with external tools. The Model Context Protocol (MCP) has become a standard interface for enabling such tool-based interactions. However, these interactions introduce substantial security concerns, particularly when the MCP server is compromised or untrustworthy. While prior benchmarks primarily focus on prompt injection attacks or analyze the vulnerabilities of LLM-MCP interaction trajectories, limited attention has been given to the underlying system logs associated with malicious MCP servers. To address this gap, we present the first synthetic benchmark for evaluating LLMs' ability to identify security risks from system logs. We define nine categories of MCP server risks and generate 1,800 synthetic system logs using ten state-of-the-art LLMs. These logs are embedded in the return values of 243 curated MCP servers, yielding a dataset of 2,421 chat histories for training and 471 queries for evaluation. Our pilot experiments reveal that smaller models often fail to detect risky system logs, leading to high false negatives. While models trained with supervised fine-tuning (SFT) tend to over-flag benign logs, resulting in elevated false positives, Reinforcement Learning with Verifiable Reward (RLVR) offers a better precision-recall balance. In particular, after training with Group Relative Policy Optimization (GRPO), Llama3.1-8B-Instruct achieves 83 percent accuracy, surpassing the best-performing large remote model by 9 percentage points. Fine-grained, per-category analysis further underscores the effectiveness of reinforcement learning in enhancing LLM safety within the MCP framework. Code and data are available at https://github.com/PorUna-byte/MCP-RiskCue.