Papers
Topics
Authors
Recent
Search
2000 character limit reached

A Survey of LLM-Driven AI Agent Communication: Protocols, Security Risks, and Defense Countermeasures

Published 24 Jun 2025 in cs.CR | (2506.19676v3)

Abstract: In recent years, Large-Language-Model-driven AI agents have exhibited unprecedented intelligence and adaptability, and are rapidly changing human production and life. Nowadays, agents are undergoing a new round of evolution. They no longer act as an isolated island like LLMs. Instead, they start to communicate with diverse external entities, such as other agents and tools, to perform more complex tasks collectively. Under this trend, agent communication is regarded as a foundational pillar of the future AI ecosystem, and many organizations have intensively begun to design related communication protocols (e.g., Anthropic's MCP and Google's A2A) within the recent few months. However, this new field exposes significant security hazards, which can cause severe damage to real-world scenarios. To help researchers quickly figure out this promising topic and benefit the future agent communication development, this paper presents a comprehensive survey of agent communication security. More precisely, we first present a clear definition of agent communication and categorize the entire lifecycle of agent communication into three stages: user-agent interaction, agent-agent communication, and agent-environment communication. Next, for each communication phase, we dissect related protocols and analyze the security risks according to the communication characteristics. Then, we summarize and outlook on the possible defense countermeasures for each risk. In addition, we conduct experiments using MCP and A2A to help readers better understand the novel vulnerabilities brought by agent communication. Finally, we discuss open issues and future directions in this promising research field.

Summary

  • The paper presents a comprehensive survey of LLM-driven AI agent communication protocols, highlighting security vulnerabilities and recommending defense strategies.
  • It analyzes diverse protocols across client-server, peer-to-peer, and hybrid architectures, detailing functional and security trade-offs in each model.
  • It emphasizes actionable countermeasures including registration verification, load balancing, and multi-source isolation to mitigate identified risks.

A Survey of LLM-Driven AI Agent Communication: Protocols, Security Risks, and Defense Countermeasures (2506.19676)

Introduction

The paper presents a comprehensive survey on LLM-driven AI agent communication, focusing on the protocols that facilitate these interactions, the security risks involved, and potential defense strategies. As AI agents evolve to perform complex tasks through collaboration with other agents and tools, understanding the protocol designs and security challenges becomes pivotal for safe and efficient deployment in real-world scenarios.

Protocols for Agent Communication

Agent communication protocols are classified into several types based on architecture: client-server (CS), peer-to-peer (P2P), hybrid, and unspecified architectures. Each architecture has distinct characteristics influencing discovery process, flexibility, interoperability, and security posture.

CS-Based Communication Protocols

  • ACP-IBM enables client-server interaction with multi-turn state preservation and robust agent discovery mechanisms.
  • ACP-AGNTCY provides thread management and stateful operation, allowing scalable communication within centralized architectures.

P2P-Based Communication Protocols

  • ACP-AgentUnion and ACN facilitate decentralized communication, enhancing scalability and end-to-end security.
  • Agora dynamically switches modes to optimize task handling, enabling fluid experimentation across different agent networks.

Hybrid and Others

  • LMOS offers flexible discovery for both centralized and decentralized setups, expanding potential deployment scenarios.
  • A2A allows asynchronous priority scheduling, adapting discovery and execution schemes to varying contexts.

Security Risks in Agent Communication

Security risks in agent communication vary according to the architecture and include both specific and universal threats.

CS-Based Architecture Risks

  • Registration Pollution: Overloads or hijacks agent registration leading to scheduling issues.
  • Description Poisoning: Alters agent behavior via misleading capability descriptions.
  • Task Flooding: Exhausts system resources through excessive task submissions.
  • SEO Poisoning: Manipulates agent ranking via keyword stuffing, impacting discovery.

P2P-Based Architecture Risks

  • Non-convergence: Task loops or stalling due to decentralized orchestration.
  • Man-in-the-middle (MITM): Message interception, exploiting weak encryption.

Universal Risks

  • Agent Spoofing: Impersonates trusted agents for injection or info-theft.
  • Agent Exploitation/Trojan: Uses compromised/malicious agents as attack vectors.
  • Agent Bullying: Disrupts logic via negative feedback loops.
  • Privacy Leakage: Uncontrolled information spread between agents.
  • Responsibility Evasion: Difficult fault attribution in multi-agent interactions.
  • Denial of Service (DoS): Task overloads induce resource exhaustion.

Defense Countermeasure Prospect

To mitigate these risks, several strategies are proposed:

CS-Based Defense Strategies

  • Registration Verification: Enforce authentication and monitor dynamic behavior.
  • Capability Verification: Use benchmarks to confirm agent capabilities.
  • Load Balancing: Implement rate limiting and intelligent scheduling.
  • Anti-Manipulation Optimization: Apply adversarial training and randomization to search algorithms.

P2P-Based Defense Strategies

  • Lifecycle Monitoring: Coordination for early termination of non-convergent tasks.
  • Encryption Enhancements: Routine updates for security patches against MITM.

Universal Defense Strategies

  • Identity Authentication: MFA and blockchain DIDs for robust verification.
  • Agent Behavior Auditing: Log interaction history, detect procedural anomalies.
  • Access Control: Fine-grained permissions ensure safe data access.
  • Multi-Source Isolation: Prevent cross-agent contamination.
  • Attack Modeling and Testing: Use adversarial frameworks to stress-test agent systems.
  • Agent Orchestration: Optimize task scheduling and resource allocation dynamically.

Conclusion

The survey highlights the critical need for comprehensive security frameworks to protect agent-agent and agent-environment communication from both established and nascent threats. As AI systems grow more interconnected, maintaining trust, security, and reliability becomes increasingly challenging, necessitating adaptable defense strategies and rigorous protocol evaluation.

File Document Download Save Streamline Icon: https://streamlinehq.com Markdown

Paper to Video (Beta)

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Sign Up to Generate

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now

Collections

Sign up for free to add this paper to one or more collections.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up

Tweets

Sign up for free to view the 8 tweets with 3 likes about this paper.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up for Free