Explainable and Fine-Grained Safeguarding of LLM Multi-Agent Systems via Bi-Level Graph Anomaly Detection

TL;DR

This paper introduces XG-Guard, an explainable framework that uses bi-level graph anomaly detection to identify malicious agents in multi-agent systems by leveraging both coarse and fine-grained textual cues for improved security and interpretability.

Contribution

The paper presents a novel bi-level agent encoder and theme-based anomaly detector that jointly model sentence- and token-level information, enhancing detection accuracy and interpretability in MAS security.

Findings

Robust detection performance across diverse MAS topologies.

Enhanced interpretability through token-level contribution analysis.

Effective identification of malicious agents in various attack scenarios.

Abstract

Large language model (LLM)-based multi-agent systems (MAS) have shown strong capabilities in solving complex tasks. As MAS become increasingly autonomous in various safety-critical tasks, detecting malicious agents has become a critical security concern. Although existing graph anomaly detection (GAD)-based defenses can identify anomalous agents, they mainly rely on coarse sentence-level information and overlook fine-grained lexical cues, leading to suboptimal performance. Moreover, the lack of interpretability in these methods limits their reliability and real-world applicability. To address these limitations, we propose XG-Guard, an explainable and fine-grained safeguarding framework for detecting malicious agents in MAS. To incorporate both coarse and fine-grained textual information for anomalous agent identification, we utilize a bi-level agent encoder to jointly model the sentence- and token-level representations of each agent. A theme-based anomaly detector further captures the evolving discussion focus in MAS dialogues, while a bi-level score fusion mechanism quantifies token-level contributions for explanation. Extensive experiments across diverse MAS topologies and attack scenarios demonstrate robust detection performance and strong interpretability of XG-Guard.