{"id":"https://openalex.org/W7155077488","doi":"https://doi.org/10.48550/arxiv.2604.17562","title":"SafeAgent: A Runtime Protection Architecture for Agentic Systems","display_name":"SafeAgent: A Runtime Protection Architecture for Agentic Systems","publication_year":2026,"publication_date":"2026-04-19","ids":{"openalex":"https://openalex.org/W7155077488","doi":"https://doi.org/10.48550/arxiv.2604.17562"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.17562","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.17562","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.17562","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5134201695","display_name":"Hailin Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Hailin","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5061755083","display_name":"Eugene Ilyushin","orcid":"https://orcid.org/0000-0002-9891-8658"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ilyushin, Eugene","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5134118196","display_name":"Jie Ni","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ni, Jie","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5134122425","display_name":"Min Zhu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhu, Min","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.39089998602867126,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.39089998602867126,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.31700000166893005,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10927","display_name":"Access Control and Trust","score":0.03200000151991844,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/stateful-firewall","display_name":"Stateful firewall","score":0.6563000082969666},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.510699987411499},{"id":"https://openalex.org/keywords/session","display_name":"Session (web analytics)","score":0.4544000029563904},{"id":"https://openalex.org/keywords/core","display_name":"Core (optical fiber)","score":0.44269999861717224},{"id":"https://openalex.org/keywords/reuse","display_name":"Reuse","score":0.4088999927043915},{"id":"https://openalex.org/keywords/runtime-verification","display_name":"Runtime verification","score":0.3953999876976013},{"id":"https://openalex.org/keywords/baseline","display_name":"Baseline (sea)","score":0.3944999873638153},{"id":"https://openalex.org/keywords/state","display_name":"State (computer science)","score":0.38109999895095825}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7716000080108643},{"id":"https://openalex.org/C22927095","wikidata":"https://www.wikidata.org/wiki/Q1784206","display_name":"Stateful firewall","level":3,"score":0.6563000082969666},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.510699987411499},{"id":"https://openalex.org/C2779182362","wikidata":"https://www.wikidata.org/wiki/Q17126187","display_name":"Session (web analytics)","level":2,"score":0.4544000029563904},{"id":"https://openalex.org/C2164484","wikidata":"https://www.wikidata.org/wiki/Q5170150","display_name":"Core (optical fiber)","level":2,"score":0.44269999861717224},{"id":"https://openalex.org/C206588197","wikidata":"https://www.wikidata.org/wiki/Q846574","display_name":"Reuse","level":2,"score":0.4088999927043915},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4032000005245209},{"id":"https://openalex.org/C202973057","wikidata":"https://www.wikidata.org/wiki/Q7380130","display_name":"Runtime verification","level":3,"score":0.3953999876976013},{"id":"https://openalex.org/C12725497","wikidata":"https://www.wikidata.org/wiki/Q810247","display_name":"Baseline (sea)","level":2,"score":0.3944999873638153},{"id":"https://openalex.org/C48103436","wikidata":"https://www.wikidata.org/wiki/Q599031","display_name":"State (computer science)","level":2,"score":0.38109999895095825},{"id":"https://openalex.org/C123657996","wikidata":"https://www.wikidata.org/wiki/Q12271","display_name":"Architecture","level":2,"score":0.3560999929904938},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.3474999964237213},{"id":"https://openalex.org/C183115368","wikidata":"https://www.wikidata.org/wiki/Q856577","display_name":"Weighting","level":2,"score":0.34369999170303345},{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.3334999978542328},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.32919999957084656},{"id":"https://openalex.org/C9996903","wikidata":"https://www.wikidata.org/wiki/Q1749235","display_name":"Cryptographic nonce","level":3,"score":0.2827000021934509},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.28220000863075256},{"id":"https://openalex.org/C98025372","wikidata":"https://www.wikidata.org/wiki/Q477538","display_name":"Systems architecture","level":3,"score":0.28189998865127563},{"id":"https://openalex.org/C106189395","wikidata":"https://www.wikidata.org/wiki/Q176789","display_name":"Markov decision process","level":3,"score":0.2667999863624573},{"id":"https://openalex.org/C2777407602","wikidata":"https://www.wikidata.org/wiki/Q1888932","display_name":"Mandatory access control","level":4,"score":0.2540000081062317},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.2531999945640564}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.17562","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.17562","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.17562","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.17562","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"score":0.7931355834007263,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Large":[0],"language":[1],"model":[2],"(LLM)":[3],"agents":[4],"are":[5],"vulnerable":[6],"to":[7],"prompt-injection":[8],"attacks":[9],"that":[10,36,66,78,119,139],"propagate":[11],"through":[12,59,96],"multi-step":[13],"workflows,":[14],"tool":[15],"interactions,":[16],"and":[17,73,94,107,116,126,142],"persistent":[18,81],"context,":[19],"making":[20],"input-output":[21],"filtering":[22],"alone":[23],"insufficient":[24],"for":[25,98],"reliable":[26],"protection.":[27],"This":[28],"paper":[29],"presents":[30],"SafeAgent,":[31],"a":[32,41,63,74,89],"runtime":[33,64],"security":[34],"architecture":[35],"treats":[37],"agent":[38,71],"safety":[39],"as":[40,88],"stateful":[42],"decision":[43,76],"problem":[44],"over":[45,80,124],"evolving":[46],"interaction":[47],"trajectories.":[48],"The":[49,84],"proposed":[50],"design":[51],"separates":[52],"execution":[53],"governance":[54],"from":[55],"semantic":[56],"risk":[57,99],"reasoning":[58],"two":[60],"coordinated":[61],"components:":[62],"controller":[65],"mediates":[67],"actions":[68],"around":[69],"the":[70],"loop":[72],"context-aware":[75,90],"core":[77,85],"operates":[79],"session":[82],"state.":[83],"is":[86],"formalized":[87],"advanced":[91],"machine":[92],"intelligence":[93],"instantiated":[95],"operators":[97],"encoding,":[100],"utility-cost":[101],"evaluation,":[102],"consequence":[103],"modeling,":[104],"policy":[105,143],"arbitration,":[106],"state":[108],"synchronization.":[109],"Experiments":[110],"on":[111],"Agent":[112],"Security":[113],"Bench":[114],"(ASB)":[115],"InjecAgent":[117],"show":[118,138],"SafeAgent":[120],"consistently":[121],"improves":[122],"robustness":[123],"baseline":[125],"text-level":[127],"guardrail":[128],"methods":[129],"while":[130],"maintaining":[131],"competitive":[132],"benign-task":[133],"performance.":[134],"Ablation":[135],"studies":[136],"further":[137],"recovery":[140],"confidence":[141],"weighting":[144],"determine":[145],"distinct":[146],"safety-utility":[147],"operating":[148],"points.":[149]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-04-22T00:00:00"}