DynaTrust: Defending Multi-Agent Systems Against Sleeper Agents via Dynamic Trust Graphs

TL;DR

DynaTrust introduces a dynamic trust graph approach to defend multi-agent systems against sleeper agents by continuously updating trust and restructuring the graph, significantly improving detection success and reducing false positives.

Contribution

The paper presents DynaTrust, a novel dynamic trust graph method that adapts to evolving adversaries and maintains system utility, outperforming existing static defense techniques.

Findings

Increases defense success rate by 41.7%.

Achieves over 86% success rate under adversarial conditions.

Reduces false positive rate significantly.

Abstract

Large Language Model-based Multi-Agent Systems (MAS) have demonstrated remarkable collaborative reasoning capabilities but introduce new attack surfaces, such as the sleeper agent, which behave benignly during routine operation and gradually accumulate trust, only revealing malicious behaviors when specific conditions or triggers are met. Existing defense works primarily focus on static graph optimization or hierarchical data management, often failing to adapt to evolving adversarial strategies or suffering from high false-positive rates (FPR) due to rigid blocking policies. To address this, we propose DynaTrust, a novel defense method against sleeper agents. DynaTrust models MAS as a dynamic trust graph~(DTG), and treats trust as a continuous, evolving process rather than a static attribute. It dynamically updates the trust of each agent based on its historical behaviors and the confidence of selected expert agents. Instead of simply blocking, DynaTrust autonomously restructures the graph to isolate compromised agents and restore task connectivity to ensure the usability of MAS. To assess the effectiveness of DynaTrust, we evaluate it on mixed benchmarks derived from AdvBench and HumanEval. The results demonstrate that DynaTrust outperforms the state-of-the-art method AgentShield by increasing the defense success rate by 41.7%, achieving rates exceeding 86% under adversarial conditions. Furthermore, it effectively balances security with utility by significantly reducing FPR, ensuring uninterrupted system operations through graph adaptation.