Memory poisoning and secure multi-agent systems

TL;DR

This paper explores memory poisoning attacks in multi-agent systems, analyzing different memory types, discussing security risks, and proposing mitigation strategies to enhance agent security by design.

Contribution

It provides a comprehensive review of memory systems, assesses attack feasibility, and introduces mitigation approaches including cryptography and private knowledge retrieval.

Findings

Memory poisoning attacks are feasible across various memory types.

Cryptography-based solutions can mitigate some memory poisoning threats.

Local inference with private knowledge retrieval offers a promising mitigation strategy.

Abstract

Memory poisoning attacks for Agentic AI and multi-agent systems (MAS) have recently caught attention. It is partially due to the fact that Large Language Models (LLMs) facilitate the construction and deployment of agents. Different memory systems are being used nowadays in this context, including semantic, episodic, and short-term memory. This distinction between the different types of memory systems focuses mostly on their duration but also on their origin and their localization. It ranges from the short-term memory originated at the user's end localized in the different agents to the long-term consolidated memory localized in well established knowledge databases. In this paper, we first present the main types of memory systems, we then discuss the feasibility of memory poisoning attacks in these different types of memory systems, and we propose mitigation strategies. We review the already existing security solutions to mitigate some of the alleged attacks, and we discuss adapted solutions based on cryptography. We propose to implement local inference based on private knowledge retrieval as an example of mitigation strategy for memory poisoning for semantic memory. We also emphasize actual risks in relation to interactions between agents, which can cause memory poisoning. These latter risks are not so much studied in the literature and are difficult to formalize and solve. Thus, we contribute to the construction of agents that are secure by design.