Beyond Input Guardrails: Reconstructing Cross-Agent Semantic Flows for Execution-Aware Attack Detection

A research team including Yangyang Wei, Yijie Xu, and Zhenyuan Li has published a groundbreaking paper titled 'Beyond Input Guardrails: Reconstructing Cross-Agent Semantic Flows for Execution-Aware Attack Detection' on arXiv. The work introduces SysName, a security framework designed specifically for the emerging threat landscape of multi-agent AI systems, where traditional input filtering fails against sophisticated attacks like indirect prompt injection. As AI agents become the standard for complex task orchestration, their autonomous execution and unstructured communication create severe security risks that conventional approaches cannot address.

The SysName framework operates by extracting and reconstructing what the researchers term 'Cross-Agent Semantic Flows'—essentially synthesizing fragmented operational primitives into contiguous behavioral trajectories that provide a holistic view of system activity. A Supervisor LLM then scrutinizes these trajectories across three dimensions: data flow violations, control flow deviations, and intent inconsistencies. Empirical evaluations demonstrate impressive detection capabilities, with SysName identifying over ten distinct compound attack vectors and achieving F1-scores of 85.3% for node-level detection and 66.7% for path-level end-to-end attack detection. The open-source availability of the code means enterprise security teams can immediately begin implementing this execution-aware approach to protect their AI agent deployments.