Skip to content
Sagan

Paper

AgentShield: Deception-based Compromise Detection for Tool-using LLM Agents

Unreadunread

AI summary

Most defenses against indirect prompt injection (IPI) in tool-using LLM agents try to prevent attacks upfront, leaving no detection when attacks slip through, and have only been tested in English. AgentShield instead embeds deception-based traps—fake tools, fake credentials, and allowlisted parameters—into the agent's tool interface. When a compromised agent follows an attacker's hidden instruction, it almost always touches a trap, providing both a real-time compromise signal and zero-false-positive labels for training a self-supervised classifier. Across 176 cross-lingual attack prompts and four LLMs, AgentShield catches 90.7–100% of successful attacks with zero false alarms on 485 normal-use tests, and survives adaptive attacks with zero evasion on commercial models.

Main takeaways:

  • Existing IPI defenses only try to prevent attacks, not detect compromises that slip through, and haven't been tested in low-resource languages like Kurdish or Arabic.
  • AgentShield places three layers of traps (fake tools, fake credentials, allowlisted parameters) in the agent's tool interface; a compromised agent following hidden instructions touches a trap.
  • Trap triggers provide real-time detection and zero-false-positive labels for training a self-supervised classifier without manual annotation.
  • Evaluated on 176 cross-lingual attacks and four LLMs: catches 90.7–100% of successful attacks with zero false alarms on 485 normal-use tests.
  • Survives systematic adaptive-attack evaluation with zero evasion on commercial models; the classifier transfers across models and languages without retraining.