ACIArena: Toward Unified Evaluation for Agent Cascading Injection
Hengyu An, Minxi Li, Jinghuai Zhang, Naen Xu, Chunyi Zhou, Changjiang Li, Xiaogang Xu, Tianyu Du, Shouling Ji

TL;DR
ACIArena is a comprehensive framework for evaluating the security robustness of multi-agent systems against cascading injection attacks across various attack surfaces and objectives.
Contribution
It introduces a unified specification and benchmark suite covering multiple MAS implementations and attack scenarios, addressing limitations of prior simplified evaluations.
Findings
Evaluating MAS robustness solely through topology is insufficient.
Role design and interaction control are crucial for robustness.
Narrowly scoped defenses often fail in real-world settings.
Abstract
Collaboration and information sharing empower Multi-Agent Systems (MAS) but also introduce a critical security risk known as Agent Cascading Injection (ACI). In such attacks, a compromised agent exploits inter-agent trust to propagate malicious instructions, causing cascading failures across the system. However, existing studies consider only limited attack strategies and simplified MAS settings, limiting their generalizability and comprehensive evaluation. To bridge this gap, we introduce ACIArena, a unified framework for evaluating the robustness of MAS. ACIArena offers systematic evaluation suites spanning multiple attack surfaces (i.e., external inputs, agent profiles, inter-agent messages) and attack objectives (i.e., instruction hijacking, task disruption, information exfiltration). Specifically, ACIArena establishes a unified specification that jointly supports MAS construction…
