AegisUI: Behavioral Anomaly Detection for Structured User Interface Protocols in AI Agent Systems
Mohd Safwan Uddin, Saba Hajira

TL;DR
AegisUI introduces a framework for detecting behavioral anomalies in dynamically generated user interfaces of AI agents, using feature extraction and machine learning to identify malicious payloads across multiple attack types.
Contribution
The paper presents a novel benchmarking framework and dataset for behavioral anomaly detection in UI payloads, comparing multiple machine learning detectors in this context.
Findings
Random Forest achieved the highest accuracy (0.931) and precision (0.980).
Autoencoder detects anomalies without malicious labels during training.
Layout abuse is the easiest attack family to detect; manipulative UI is the hardest.
Abstract
AI agents that build user interfaces on the fly, assembling buttons, forms, and data displays from structured protocol payloads, are becoming common in production systems. The trouble is that a payload can pass every schema check and still trick a user: a button might say "View invoice" while its hidden action wipes an account, or a display widget might quietly bind to an internal salary field. Current defenses stop at syntax; they were never built to catch this kind of behavioral mismatch. We built AegisUI to study exactly this gap. The framework generates structured UI payloads, injects realistic attacks into them, extracts numeric features, and benchmarks anomaly detectors end-to-end. We produced 4000 labeled payloads (3000 benign, 1000 malicious) spanning five application domains and five attack families: phishing interfaces, data leakage, layout abuse, manipulative UI, and workflow…
Taxonomy
Topics: Advanced Malware Detection Techniques · Adversarial Robustness in Machine Learning · Security and Verification in Computing
