Don't Trust Stubborn Neighbors: A Security Framework for Agentic Networks

TL;DR

This paper introduces a theoretical framework based on social opinion models to analyze security vulnerabilities in LLM-based multi-agent systems, demonstrating how malicious agents can manipulate collective outcomes and proposing a trust-adaptive defense mechanism.

Contribution

It applies the Friedkin-Johnsen opinion formation model to LLM-MAS, revealing susceptibility to manipulation and proposing a novel trust-adaptive defense to enhance security.

Findings

A single stubborn agent can dominate MAS dynamics.

Increasing benign agents or stubbornness improves security.

Trust-adaptive defense effectively mitigates manipulation.

Abstract

Large Language Model (LLM)-based Multi-Agent Systems (MASs) are increasingly deployed for agentic tasks, such as web automation, itinerary planning, and collaborative problem solving. Yet, their interactive nature introduces new security risks: malicious or compromised agents can exploit communication channels to propagate misinformation and manipulate collective outcomes. In this paper, we study how such manipulation can arise and spread by borrowing the Friedkin-Johnsen opinion formation model from social sciences to propose a general theoretical framework to study LLM-MAS. Remarkably, this model closely captures LLM-MAS behavior, as we verify in extensive experiments across different network topologies and attack and defense scenarios. Theoretically and empirically, we find that a single highly stubborn and persuasive agent can take over MAS dynamics, underscoring the systems' high susceptibility to attacks by triggering a persuasion cascade that reshapes collective opinion. Our theoretical analysis reveals three mechanisms to increase system security: a) increasing the number of benign agents, b) increasing the innate stubbornness or peer-resistance of agents, or c) reducing trust in potential adversaries. Because scaling is computationally expensive and high stubbornness degrades the network's ability to reach consensus, we propose a new mechanism to mitigate threats by a trust-adaptive defense that dynamically adjusts inter-agent trust to limit adversarial influence while maintaining cooperative performance. Extensive experiments confirm that this mechanism effectively defends against manipulation.