Researchers from Griffith University and Jilin University have introduced XG-Guard, a security framework for LLM-based multi-agent systems (MAS) that combines unsupervised graph anomaly detection with token-level explainability. The paper has been accepted to the ACL 2026 Main Conference and is available on arXiv as 2512.18733.
Key takeaways
- XG-Guard operates in a fully unsupervised mode — no labeled examples of malicious behavior or attack training data required
- The framework builds a dual representation (sentence-level + token-level) for each agent, processed through a GNN on the communication graph
- Tested across four MAS topologies, XG-Guard outperformed all compared unsupervised methods on ROAUC and ASR@3
- The explanation mechanism highlights specific tokens responsible for the anomaly detection — no separate post-hoc classifier needed
- Code and evaluation suite publicly available at github.com/CampanulaBells/XG-Guard
One rogue agent can poison the whole system
LLM-based multi-agent systems are increasingly deployed for complex reasoning and task automation, but their communication architecture introduces a new attack surface. A compromised agent can inject misleading information into shared reasoning, steer other agents toward harmful actions, or silently invoke tools to steal data. The attack can be subtle: a malicious instruction buried in a few tokens within a long, seemingly normal paragraph.
Existing defenses rely on Graph Anomaly Detection (GAD): agents are modeled as nodes in a communication graph, and a model is trained to flag suspicious nodes. The core weakness is coarse-grained representation — the full agent output is compressed into a single sentence vector. When malicious content occupies only a fraction of a lengthy message, its anomaly signal is diluted by the surrounding benign text.
The second limitation is opacity. Current GAD models can say "this agent is suspicious" but cannot indicate which specific tokens or phrases triggered the decision, making security audits difficult and limiting operator trust in automated isolation decisions.
Four modules, one integrated pipeline
XG-Guard (eXplainable and fine-Grained safeGuarding) — by Junjun Pan, Yixin Liu, Rui Miao, Yu Zheng, Kaize Ding, Quoc Viet Hung Nguyen, Alan Wee-Chung Liew, and Shirui Pan — addresses both limitations by design, combining four modules in a single framework.
The Bi-Level Agent Encoder constructs two parallel representations for each agent: coarse-grained (sentence-level), capturing overall semantic intent, and fine-grained (token-level), preserving the lexical detail of each token. Both pass through a GNN on the communication graph, so each agent's embedding reflects both its text semantics and its structural position within the network.
The Theme-based Anomaly Detector builds on a core intuition: cooperative agents stay on task; malicious ones deviate from the topic or inject hidden directives. The system aggregates all agents' representations into a single "theme prototype," then measures each agent's distance from that prototype — separately at sentence and token level — yielding two independent anomaly scores without any labeled data.
Directly combining those scores would be problematic: the token-level prototype is highly sensitive to fine-grained anomalies and can incorrectly absorb malicious agents' signals into the estimated norm. Covariance-based score fusion resolves this by aligning both signals before combination. After fusion, token-level anomaly scores also serve as explanations, highlighting the specific keywords responsible for the detection — without any additional classification module.
The fourth component is real-time isolation: once a malicious agent is identified, the system immediately severs all of its communication edges in the graph, cutting off the spread of poisoned information within the MAS.
Stable performance across topologies and backbones
Experiments covered four MAS topologies (Chain, Tree, Star, Random) and five attack scenarios: PI(CSQA), PI(MMLU), PI(GSM8k), TA-InjecAgent, and MA-PoisonRAG. In a strictly unsupervised setting — no labels, no malicious training examples — XG-Guard achieved higher ROAUC and ASR@3 than all compared unsupervised methods, matching supervised baselines on several datasets.
Backbone experiments with GPT-4o-mini, DeepSeek-V3, and Qwen-30B-A3B confirmed consistent high performance regardless of the underlying language model. Ablation results showed that removing the covariance fusion module or the token-level representation causes a significant ROAUC drop — in some configurations falling below 50%, equivalent to random classification.
Why this matters
Production deployments of multi-agent systems are scaling faster than methods to secure them. XG-Guard combines three properties that rarely coexist in a single solution: no requirement for labeled training data, token-level interpretability, and robustness across different MAS topologies and backbone models. For operators, this means deployment without a costly data-labeling process, and every agent isolation decision comes with a traceable token-level justification.
Limitations remain. The theme prototype is computed over a single dialogue round, which may reduce effectiveness against slow-burn attacks or scenarios where a majority of agents are compromised — neither case is benchmarked in the paper.
The broader significance is the closed loop: XG-Guard is the first work to connect unsupervised GAD and interpretability in a single integrated MAS security pipeline, without post-hoc explanation modules.
What's next?
- Full code and evaluation suite available at github.com/CampanulaBells/XG-Guard; ACL 2026 presentation scheduled for August 2026
- The arXiv paper (abs/2512.18733) includes complete result tables and architecture details
- The authors identify incremental theme prototype updates across multi-turn dialogues as a natural direction for future work





