MirrorGuard: Security Frameworks

• MirrorGuard is a comprehensive security framework that safeguards autonomous computer-use agents and provenance-based intrusion detection systems using simulation-to-real reasoning correction and adversarial detection.
• It leverages neural-symbolic simulation, structured reasoning templates, and contrastive learning to proactively correct unsafe operations in GUIs and to detect graph manipulation attacks.
• Extensive evaluations show MirrorGuard dramatically reduces unsafe rates and false refusals, enhancing overall system utility in both autonomous agent security and provenance IDS contexts.

MirrorGuard is a collective term for advanced security frameworks targeting two distinct but conceptually aligned domains: the defense of autonomous computer-use agents (CUAs) against unsafe GUI reasoning and the robust detection of adversarial graph manipulations in host system provenance. The MirrorGuard frameworks presented in "MirrorGuard: Toward Secure Computer-Use Agents via Simulation-to-Real Reasoning Correction" (Zhang et al., 19 Jan 2026) and "MirGuard: Towards a Robust Provenance-based Intrusion Detection System Against Graph Manipulation Attacks" (Sang et al., 14 Aug 2025) exemplify state-of-the-art neural-symbolic simulation, reasoning correction, and logic-aware contrastive learning methodologies for securing automation and provenance systems.

1. Security Threats in Autonomous Computer-Use Agents

CUAs, powered by large foundation models, directly interact with operating systems via GUIs to autonomously execute complex multi-step workflows. This grants them significant system-level privileges and exposes three principal security risks:

• Visual Semantic Spoofing (Perception Layer): CUAs may misinterpret visually manipulated screenshots, triggering actions on adversarial overlays (e.g., deceptive dialogs or buttons that conceal destructive payloads).
• Multimodal Reasoning Collapse (Reasoning Layer): Vision-LLMs (VLMs) obey textual policies but can hallucinate unsafe causal chains when instructions are relayed via GUI prompts, such as misusing rm -rf / for benign tasks.
• Implicit Privilege Escalation (Environment Layer): By synthesizing HID events, CUAs inherit unrestricted user powers without robust permission boundaries, enabling irreversible actions or data exfiltration.

Conventional "Monitor & Block" defenses operate via a binary gatekeeper $M$ that halts flagged actions, often at the cost of aborting benign task flows and degrading agent utility. MirrorGuard shifts this paradigm, advocating for intervention at the Thought phase—correcting unsafe reasoning chains before GUI operations are materialized (Zhang et al., 19 Jan 2026).

2. Neural-Symbolic Simulation Pipeline and Adversarial Data Generation

MirrorGuard's neural-symbolic simulation pipeline—dubbed "MirrorWorld"—mitigates the cost and risk of real-world system trajectory collection by synthesizing high-fidelity, text-only GUI interactions:

• Symbolic State Space $\hat{\mathcal{S}}$: Typed Pydantic schemas represent windows, filesystem trees, and GUI elements, enforcing object permanence.
• Neural Transition Function $$\mathcal{T}: \hat S_t\times a_t\rightarrow\hat S_{t+1}$$: A LLM (e.g., DeepSeek-V3.2-Exp) emulates semantic effects of actions, updating the symbolic world state exclusively in simulation.
• Deterministic Observation Function $\mathcal{O}: \hat S_t \rightarrow o_t$: Enumerates active window elements in natural language, excluding hallucinated artifacts.

The formal simulator tuple is $$M_{\text{sim}} = \langle\hat{\mathcal{S}},\mathcal{A},\mathcal{T},\mathcal{O}\rangle$$, where $\mathcal{A}$ encompasses HID command sets. MirrorGuard employs a hierarchical adversarial task-synthesis pipeline comprising contextual instantiation, explicit rule extraction (e.g., prohibiting untrusted binary downloads), and LLM-driven generation of stealthy, multi-step adversarial instructions. This pipeline produces over 1,288 unique task blueprints covering the OS-Harm and RiOSWorld taxonomies—all realized without direct OS manipulation (Zhang et al., 19 Jan 2026).

3. Reasoning Correction Architecture and Deployment

MirrorGuard's architecture interposes on the victim CUA's Perception–Thought–Action loop under the ReAct paradigm. Instead of blocking a final action $a_t$, MirrorGuard corrects the intermediate thought $th_t$ via a multimodal corrector $\mathcal{R}$:

$$th_t' = \mathcal{R}(th_t, o_t, h_t), \qquad a'_t \sim \pi(th_t')$$

The approach can be contrasted with Monitor-and-Block:

$$a_t^{\text{final}} = \begin{cases} \text{STOP} &\text{if }M(a_t, o_t) = \text{Insecure} \ a_t &\text{otherwise} \end{cases}$$

Algorithmically, MirrorGuard computes the corrected thought using $\mathcal{R}$ and either pre-fills the agent's buffer or intercepts the raw thought before action execution. $\mathcal{R}$ is a vision-LLM fine-tuned to produce safe, analytical outputs, leveraging the visual encoder to ground security triggers and rewrite thought representations using structured reasoning templates: Hard Refusal, Stop & Ask, Privacy Block, and Handover.

4. Training Methodology, Loss Functions, and Cross-Modal Transfer

MirrorGuard trains its reasoning corrector using supervised fine-tuning (SFT) on 24,383 step pairs from MirrorWorld trajectories:

• Secure samples: Steps where $th_t$ is already secure.
• Insecure samples: Steps requiring rectification to $th'_t$.

A Security Judge LLM annotates each sample; if insecure, a Security Instructor LLM crafts an aligned, safe thought according to a structured reasoning prompt. The objective function is cross-entropy over the rectified thoughts:

$$\mathcal{L}_\mathrm{SFT}(\theta) = -\sum_{i=1}^N \log P_\theta(th'_i \mid \text{context}_i)$$

Regularization via $\ell_2$ weight decay and a cosine learning-rate schedule ensures robust convergence. Notably, text-only fine-tuning leverages pre-aligned visual–textual embeddings within modern VLMs, enabling immediate cross-modal transfer of safety logic to real-world GUI scenarios at deployment (Zhang et al., 19 Jan 2026).

5. Robust Provenance Intrusion Detection via Logic-Aware Augmentation

The MirGuard framework (Sang et al., 14 Aug 2025) advances robustness for graph-based Provenance-based Intrusion Detection Systems (PIDSes) against evasion via graph manipulation:

• Input: Streaming audit logs are transformed into directed provenance graphs $G = (V, E, A)$, where $V$ are entities, $E$ are causal edges, and $A$ denotes attribute mappings.
• Logic-Aware Noise Injection (LNI): Constructs augmented graph views $\hat{G}_i$ by composable edge, node, and feature augmentations subject to domain-specific rules (e.g., causal constraints on edge types).
• Contrastive Learning: Employs a Graph Attention Network (GAT) encoder, graph-level pooling, and a projection head to learn representations invariant to benign transformations but sensitive to adversarial manipulations. The InfoNCE-based contrastive loss is:

$$\mathcal{L}_{i} = -\log \frac{\exp(\mathrm{sim}(\hat p_i, \hat p_i^+)/\tau)}{\sum_{k=1}^{2N} \mathbf{1}_{[k\neq i]}\;\exp(\mathrm{sim}(\hat p_i, \hat p_k)/\tau)}$$

where positive pairs originate from logic-preserving augmentations of the same graph and negatives from other graphs.

6. Quantitative Security Evaluation and Comparative Analysis

MirrorGuard’s efficacy is validated across multiple CUAs and intrusion detection datasets:

Defense	Unsafe Rate (UR)	False Refusal Rate (FRR)
Vanilla UI-TARS	66.5%	N/A
GuardAgent	53.9%	≈20.5%
MirrorGuard	13.0%	5.13%

On ByteDance UI-TARS, MirrorGuard achieves UR reduction from 66.5% to 13.0% with FRR of 5.13%, outperforming GuardAgent on both axes (Zhang et al., 19 Jan 2026). Across six agent architectures, MirrorGuard exhibits an average UR of 6.3% and FRR of 5.13%, yielding a 4.3x utility improvement over GuardAgent’s 22.2% FRR. In robust graph IDS, MirGuard attains F1 = 0.887 under severe structure pollution (GSPA, 50% perturbation), compared to 0.489–0.657 for SOTA baselines. On clean data, MirGuard reaches F1 ≈ 0.99 and FPR < 0.01%. Under 20% attack, the average F1 drop is <0.06, while competitors experience >0.2 loss (Sang et al., 14 Aug 2025).

7. Limitations and Implications for Future Security Systems

MirrorGuard’s sim-to-real defense is bounded by several factors:

• Visual adversarial perturbations (e.g., PGD attacks): Not addressed, suggesting integration with robust vision defenses is a prospective research direction.
• Evaluation protocols: Existing benchmarks can penalize benign introspection as over-defensive; richer metrics are necessary to distinguish harmless reads from genuine security violations.
• Integration challenges: Black-box agent products lacking accessible Thought representations require alternative interception methods.
• Adaptive risk: Continuous emergence of new threats necessitates incremental simulator updates, potentially via active red-teaming or learning from real exploitation logs.

For MirGuard in provenance detection, the optimal augmentation ratio $\gamma \approx 0.5$ balances invariance against over-perturbation; ablation studies confirm that removing any LNI component substantially degrades robustness. By training exclusively on domain-valid augmentations, the learned representations become highly resilient to sophisticated manipulation attacks (Sang et al., 14 Aug 2025). A plausible implication is that logic-aware simulation and reasoning-correction methods will be pivotal for the next generation of autonomous agent security and provenance-based intrusion detection.

• "MirrorGuard: Toward Secure Computer-Use Agents via Simulation-to-Real Reasoning Correction" (Zhang et al., 19 Jan 2026)
• "MirGuard: Towards a Robust Provenance-based Intrusion Detection System Against Graph Manipulation Attacks" (Sang et al., 14 Aug 2025)