CIA: Inferring the Communication Topology from LLM-based Multi-Agent Systems

arXiv cs.AI / 4/15/2026

💬 OpinionSignals & Early TrendsIdeas & Deep AnalysisModels & Research

共有:

Key Points

The paper shows that communication topologies in LLM-based multi-agent systems can be inferred even under a restrictive black-box threat model, creating privacy and intellectual-property risks.
It introduces a novel Communication Inference Attack (CIA) that uses adversarial queries to elicit intermediate agents’ reasoning outputs and then learns semantic correlations among them.
The method relies on global bias disentanglement and LLM-guided weak supervision to improve inference accuracy from limited observable information.
Experiments on MAS systems with optimized communication topologies demonstrate strong performance, with average AUC of 0.87 and peak AUC up to 0.99, suggesting the attack can reliably recover underlying communication structure.

Abstract

LLM-based Multi-Agent Systems (MAS) have demonstrated remarkable capabilities in solving complex tasks. Central to MAS is the communication topology which governs how agents exchange information internally. Consequently, the security of communication topologies has attracted increasing attention. In this paper, we investigate a critical privacy risk: MAS communication topologies can be inferred under a restrictive black-box setting, exposing system vulnerabilities and posing significant intellectual property threats. To explore this risk, we propose Communication Inference Attack (CIA), a novel attack that constructs new adversarial queries to induce intermediate agents' reasoning outputs and models their semantic correlations through the proposed global bias disentanglement and LLM-guided weak supervision. Extensive experiments on MAS with optimized communication topologies demonstrate the effectiveness of CIA, achieving an average AUC of 0.87 and a peak AUC of up to 0.99, thereby revealing the substantial privacy risk in MAS.