Linguistic Firewall: Geometry as Defense in Multi-Agent Systems Routing
作者: Dvir Alsheich, Adar Peleg, Ben Hagag, Rom Himelstein, Amit Levi, Avi Mendelson
分类: cs.AI, cs.MA
发布日期: 2026-06-29
备注: 8 pages (9 more for appendix), 3 figures. Published at the Second Workshop on Agents in the Wild: Safety, Security, and Beyond (AIWILD) at ICML 2026
💡 一句话要点
提出ANTAP以解决多智能体系统中的路由安全问题
🎯 匹配领域: 支柱一:机器人控制 (Robot Control) 支柱二:RL算法与架构 (RL & Architecture) 支柱九:具身大模型 (Embodied Foundation Models)
关键词: 多智能体系统 路由机制 安全性 能力评估 动态查询 语言防火墙 对抗性攻击
📋 核心要点
- 现有的路由机制依赖于未经验证的代理,导致智能体能力的虚假表现,存在严重的安全漏洞。
- ANTAP通过动态查询智能体的真实能力,摒弃间接代理,采用基于能力测试的评估驱动路由架构。
- 实验表明,ANTAP在描述基础注入攻击中实现接近零的ASR,相较于基线有显著提升,并在自适应嵌入攻击中表现出更低的ASR。
📝 摘要(中文)
随着大型语言模型(LLMs)的快速整合,多智能体系统(MAS)得以发展,专门化的智能体协作执行复杂工作流。然而,现有的路由机制依赖未经验证的代理,导致智能体能力的虚假表现,进而引发安全漏洞。本文提出ANTAP(自动非文本智能体选择器),通过动态查询智能体以实证方式评估其真实能力,建立一种“语言防火墙”,有效抵御基于描述的攻击。实验结果显示,ANTAP在描述基础注入攻击中的ASR接近零,相较于基线的67.3%有显著提升。对于自适应嵌入攻击,ANTAP的ASR也显著低于嵌入基础基线,表现出良好的鲁棒性。
🔬 方法详解
问题定义:本文旨在解决多智能体系统中现有路由机制依赖未经验证的代理所带来的安全隐患。现有方法无法准确评估智能体的真实能力,导致恶意智能体可以轻易伪装其能力。
核心思路:ANTAP的核心思路是通过动态查询智能体的实际能力,采用实证评估而非依赖文本描述,从而提高路由的安全性和准确性。
技术框架:ANTAP的整体架构包括能力测试模块、行为操作提取模块和非文本代数投影模块。能力测试模块负责动态评估智能体,行为操作提取模块将评估结果转化为固定的行为操作,最后通过非文本代数投影进行路由。
关键创新:ANTAP的主要创新在于引入了“语言防火墙”概念,通过非文本的方式进行路由,避免了基于描述的攻击方式。这一设计与传统依赖文本描述的路由机制有本质区别。
关键设计:ANTAP在能力测试中采用动态查询策略,确保评估的实时性和准确性。其损失函数设计旨在最大化智能体能力的真实反映,同时网络结构优化以支持高效的行为操作提取。实验中还考虑了对抗性样本的影响,以增强系统的鲁棒性。
🖼️ 关键图片
📊 实验亮点
实验结果显示,ANTAP在描述基础注入攻击中的ASR接近零,相较于基线的67.3%有显著提升。此外,在自适应嵌入攻击中,ANTAP的ASR比嵌入基础基线降低了20%,展现出优异的鲁棒性和安全性。
🎯 应用场景
ANTAP的研究成果在多智能体系统的安全路由中具有广泛的应用潜力,特别是在需要高安全性和准确性的领域,如自动驾驶、智能制造和网络安全等。通过提高智能体的能力评估准确性,ANTAP能够有效防范恶意攻击,提升系统的整体安全性和可靠性。
📄 摘要(原文)
The rapid integration of Large Language Models (LLMs) has driven the evolution of Multi-Agent Systems (MAS), where specialized agents collaborate to execute complex workflows. Effective orchestration in these environments requires robust routing mechanisms to efficiently allocate tasks to the most suitable agent. However, existing routers fundamentally rely on unverified proxies, ranging from textual self-descriptions to static surrogate representations, to gauge an agent's competence. This reliance on non-empirical data creates a critical gap between an agent's projected profile and its actual operational capabilities, introducing severe security vulnerabilities. Malicious agents can easily misrepresent their proficiencies or harbor covert backdoors that evade both standard external analysis and static representation-learning techniques. In this work, we introduce ANTAP (Automatic Non-Textual Agent Picker), an evaluation-driven routing architecture that discards indirect proxies in favor of active capability testing. By dynamically querying agents to ascertain their true competencies empirically, ANTAP distills performance into fixed behavioral operators within a shared semantic space. At inference time, routing is performed via a purely non-textual algebraic projection, establishing a "linguistic firewall" that renders metadata-based attacks inexpressible. In our experiments, ANTAP achieves near-zero ASR against description-based injection attacks, compared to 67.3\% and above for the description-based router baseline. Against adaptive embedding attacks, ANTAP achieves substantially lower ASR than the embedding-based baseline, with a 20\% reduction, while remaining resilient to description manipulation by design.