{"id":"https://openalex.org/W7138273102","doi":"https://doi.org/10.1609/aaai.v40i35.40224","title":"Attack the Messages, Not the Agents: A Multi-round Adaptive Stealthy Tampering Framework for LLM-MAS","display_name":"Attack the Messages, Not the Agents: A Multi-round Adaptive Stealthy Tampering Framework for LLM-MAS","publication_year":2026,"publication_date":"2026-03-14","ids":{"openalex":"https://openalex.org/W7138273102","doi":"https://doi.org/10.1609/aaai.v40i35.40224"},"language":null,"primary_location":{"id":"doi:10.1609/aaai.v40i35.40224","is_oa":true,"landing_page_url":"https://doi.org/10.1609/aaai.v40i35.40224","pdf_url":null,"source":{"id":"https://openalex.org/S4210191458","display_name":"Proceedings of the AAAI Conference on Artificial Intelligence","issn_l":"2159-5399","issn":["2159-5399","2374-3468"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310320058","host_organization_name":"Association for the Advancement of Artificial Intelligence","host_organization_lineage":["https://openalex.org/P4310320058"],"host_organization_lineage_names":["Association for the Advancement of Artificial Intelligence"],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the AAAI Conference on Artificial Intelligence","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"diamond","oa_url":"https://doi.org/10.1609/aaai.v40i35.40224","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5110185844","display_name":"Bingyu Yan","orcid":"https://orcid.org/0009-0000-5269-4698"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Bingyu Yan","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129642167","display_name":"Xiaoming Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xiaoming Zhang","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129743884","display_name":"Ziyi Zhou","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ziyi Zhou","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129670260","display_name":"Chaozhuo Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chaozhuo Li","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129666515","display_name":"Ruilin Zeng","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ruilin Zeng","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129662660","display_name":"Yirui Qi","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yirui Qi","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129669737","display_name":"Tianbo Wang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Tianbo Wang","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5129749406","display_name":"Litian Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Litian Zhang","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":8,"corresponding_author_ids":["https://openalex.org/A5110185844"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":187.5,"has_fulltext":false,"cited_by_count":1,"citation_normalized_percentile":{"value":0.99786553,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":99},"biblio":{"volume":"40","issue":"35","first_page":"29784","last_page":"29792"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.6883000135421753,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.6883000135421753,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.03720000013709068,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.03020000085234642,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.8299000263214111},{"id":"https://openalex.org/keywords/adaptability","display_name":"Adaptability","score":0.6523000001907349},{"id":"https://openalex.org/keywords/compromise","display_name":"Compromise","score":0.487199991941452},{"id":"https://openalex.org/keywords/embedding","display_name":"Embedding","score":0.4316999912261963},{"id":"https://openalex.org/keywords/tree","display_name":"Tree (set theory)","score":0.37700000405311584},{"id":"https://openalex.org/keywords/toolbox","display_name":"Toolbox","score":0.3718000054359436},{"id":"https://openalex.org/keywords/limit","display_name":"Limit (mathematics)","score":0.34790000319480896}],"concepts":[{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.8299000263214111},{"id":"https://openalex.org/C177606310","wikidata":"https://www.wikidata.org/wiki/Q5674297","display_name":"Adaptability","level":2,"score":0.6523000001907349},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6240000128746033},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.61080002784729},{"id":"https://openalex.org/C46355384","wikidata":"https://www.wikidata.org/wiki/Q726686","display_name":"Compromise","level":2,"score":0.487199991941452},{"id":"https://openalex.org/C41608201","wikidata":"https://www.wikidata.org/wiki/Q980509","display_name":"Embedding","level":2,"score":0.4316999912261963},{"id":"https://openalex.org/C113174947","wikidata":"https://www.wikidata.org/wiki/Q2859736","display_name":"Tree (set theory)","level":2,"score":0.37700000405311584},{"id":"https://openalex.org/C2777655017","wikidata":"https://www.wikidata.org/wiki/Q1501161","display_name":"Toolbox","level":2,"score":0.3718000054359436},{"id":"https://openalex.org/C151201525","wikidata":"https://www.wikidata.org/wiki/Q177239","display_name":"Limit (mathematics)","level":2,"score":0.34790000319480896},{"id":"https://openalex.org/C2780980858","wikidata":"https://www.wikidata.org/wiki/Q110022","display_name":"Dual (grammatical number)","level":2,"score":0.334199994802475},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.33149999380111694},{"id":"https://openalex.org/C36503486","wikidata":"https://www.wikidata.org/wiki/Q11235244","display_name":"Domain (mathematical analysis)","level":2,"score":0.30219998955726624},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.2937999963760376},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.2815000116825104},{"id":"https://openalex.org/C188198153","wikidata":"https://www.wikidata.org/wiki/Q1613840","display_name":"Limiting","level":2,"score":0.27219998836517334},{"id":"https://openalex.org/C41550386","wikidata":"https://www.wikidata.org/wiki/Q529909","display_name":"Multi-agent system","level":2,"score":0.25679999589920044},{"id":"https://openalex.org/C149672232","wikidata":"https://www.wikidata.org/wiki/Q337048","display_name":"Adaptive optimization","level":2,"score":0.25040000677108765}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1609/aaai.v40i35.40224","is_oa":true,"landing_page_url":"https://doi.org/10.1609/aaai.v40i35.40224","pdf_url":null,"source":{"id":"https://openalex.org/S4210191458","display_name":"Proceedings of the AAAI Conference on Artificial Intelligence","issn_l":"2159-5399","issn":["2159-5399","2374-3468"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310320058","host_organization_name":"Association for the Advancement of Artificial Intelligence","host_organization_lineage":["https://openalex.org/P4310320058"],"host_organization_lineage_names":["Association for the Advancement of Artificial Intelligence"],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the AAAI Conference on Artificial Intelligence","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1609/aaai.v40i35.40224","is_oa":true,"landing_page_url":"https://doi.org/10.1609/aaai.v40i35.40224","pdf_url":null,"source":{"id":"https://openalex.org/S4210191458","display_name":"Proceedings of the AAAI Conference on Artificial Intelligence","issn_l":"2159-5399","issn":["2159-5399","2374-3468"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310320058","host_organization_name":"Association for the Advancement of Artificial Intelligence","host_organization_lineage":["https://openalex.org/P4310320058"],"host_organization_lineage_names":["Association for the Advancement of Artificial Intelligence"],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the AAAI Conference on Artificial Intelligence","raw_type":"journal-article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions","score":0.6066715121269226}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Large":[0],"language":[1],"model-based":[2],"multi-agent":[3],"systems":[4],"(LLM-MAS)":[5],"effectively":[6],"accomplish":[7],"complex":[8],"and":[9,35,43,96,111,135],"dynamic":[10],"tasks":[11],"through":[12],"inter-agent":[13],"communication,":[14],"but":[15],"this":[16,46],"reliance":[17],"introduces":[18],"substantial":[19],"safety":[20],"vulnerabilities.":[21],"Existing":[22],"attack":[23,78,119],"methods":[24],"targeting":[25],"LLM-MAS":[26],"either":[27],"compromise":[28],"agent":[29],"internals":[30],"or":[31],"rely":[32],"on":[33],"direct":[34],"overt":[36],"persuasion,":[37],"which":[38],"limit":[39],"their":[40],"effectiveness,":[41,133],"adaptability,":[42],"stealthiness.":[44],"In":[45],"paper,":[47],"we":[48,92],"propose":[49],"MAST,":[50,138],"a":[51],"Multi-round":[52],"Adaptive":[53],"Stealthy":[54],"Tampering":[55],"framework":[56],"designed":[57],"to":[58,75,89,127],"exploit":[59],"communication":[60,109,144],"vulnerabilities":[61],"within":[62],"the":[63,101,132,140],"system.":[64],"MAST":[65,115],"integrates":[66],"Monte":[67],"Carlo":[68],"Tree":[69],"Search":[70],"with":[71],"Direct":[72],"Preference":[73],"Optimization":[74],"train":[76],"an":[77],"policy":[79],"model":[80],"that":[81,114],"adaptively":[82],"generates":[83],"effective":[84],"multi-round":[85],"tampering":[86,102],"strategies.":[87],"Furthermore,":[88],"preserve":[90],"stealthiness,":[91,134],"impose":[93],"dual":[94],"semantic":[95],"embedding":[97],"similarity":[98],"constraints":[99],"during":[100],"process.":[103],"Comprehensive":[104],"experiments":[105],"across":[106],"diverse":[107],"tasks,":[108],"architectures,":[110],"LLMs":[112],"demonstrate":[113],"consistently":[116],"achieves":[117],"high":[118],"success":[120],"rates":[121],"while":[122],"significantly":[123],"enhancing":[124],"stealthiness":[125],"compared":[126],"baselines.":[128],"These":[129],"findings":[130],"highlight":[131],"adaptability":[136],"of":[137],"underscoring":[139],"need":[141],"for":[142],"robust":[143],"safeguards":[145],"in":[146],"LLM-MAS.":[147]},"counts_by_year":[{"year":2026,"cited_by_count":1}],"updated_date":"2026-03-31T07:56:22.981413","created_date":"2026-03-18T00:00:00"}