← All posts

Stateful monitoring catches distributed agent attacks across accounts

arXiv preprint: attackers split harmful tasks across benign-looking sessions — clustering weak signals catches misuse ~30% earlier with negligible latency for most traffic.

Stateful monitoring catches distributed agent attacks across accounts
Contents

In brief

LLMs find severe software vulnerabilities; agents are increasingly abused for cyberattacks. Attackers split harmful work across many accounts so each transcript looks benign — danger appears only in aggregate. Monitors that score one context at a time miss this structurally.

What they studied

The authors build a distributed agent attack scaffold that completes hard security tasks while hiding the objective across subagents. A standard monitor catches it five times less often than prior single-account attacks.

Their defense is a stateful online monitor: weak suspicion signals are clustered across transcripts; a heavy LLM runs only on escalation. On simulated datacenter traffic it detects distributed attacks ~30% earlier with negligible added latency for ~99% of benign traffic.

Key findings

  • Agent safety cannot rely on single-session analysis alone.
  • Aggregate weak signals + rare escalation beats scoring every turn with a large model.
  • After red-teaming, the same pipeline also catches standard jailbreaks when attackers reuse variants across accounts.

What this means for developers

  1. Add a cross-user monitoring layer for multi-tenant agent APIs.
  2. Store behavior aggregates, not just the latest prompt.
  3. Escalate to LLMs sparingly — cheap heuristics and clustering first.
  4. Red-team task splitting across sessions, not only one-shot malicious prompts.

Limitations

Evaluated on simulated traffic; thresholds need product-specific tuning. Advantage narrows as benign background traffic grows very large.