ShieldNet: Network-Level Guardrails against Emerging Supply-Chain Injections in Agentic Systems
Zhuowen Yuan, Zhaorun Chen, Zhen Xiang, Nathaniel D. Bastian, Seyyed Hadi Hashemi, Chaowei Xiao, Wenbo Guo, Bo Li

TL;DR
This paper introduces ShieldNet, a network-level guardrail system that detects supply-chain threats in agent systems by analyzing network interactions, significantly improving detection accuracy over existing methods.
Contribution
The paper presents ShieldNet, a novel network-based framework for detecting supply-chain attacks in agent systems, and introduces SC-Inject-Bench, a comprehensive benchmark for evaluating such threats.
Findings
ShieldNet achieves an F1 score of up to 0.995 in detection.
ShieldNet introduces minimal runtime overhead.
Existing MCP scanners perform poorly on supply-chain threat detection.
Abstract
Existing research on LLM agent security mainly focuses on prompt injection and unsafe input/output behaviors. However, as agents increasingly rely on third-party tools and MCP servers, a new class of supply-chain threats has emerged, in which malicious behaviors are embedded in seemingly benign tools that silently hijack agent execution, leak sensitive data, or trigger unauthorized actions. Despite their growing impact, there is currently no comprehensive benchmark for evaluating such threats. To bridge this gap, we introduce SC-Inject-Bench, a large-scale benchmark comprising over 10,000 malicious MCP tools grounded in a taxonomy of 25+ supply-chain attack types derived from MITRE ATT&CK. We observe that existing MCP scanners and semantic guardrails perform poorly on this benchmark. Motivated by this finding, we propose ShieldNet, a network-level guardrail framework…
