Illustrates how an attacker injects malicious instructions into an LLM agent’s long‑term memory over multiple turns using bridging steps and progressive shortening, leading to a poisoned memory state.
sequenceDiagramtitle MINJA Memory Injection Attack Flowparticipant Attackerparticipant Userparticipant LLMAgentparticipant MemoryStoreparticipant ToolAttacker->>LLMAgent: Send query (step 1)activate LLMAgentLLMAgent->>MemoryStore: Store contextdeactivate LLMAgentloop Multi-turn interactionAttacker->>LLMAgent: Send bridging step queryactivate LLMAgentLLMAgent->>MemoryStore: Append malicious instructiondeactivate LLMAgentnote right of LLMAgent: Progressive shortening appliedendAttacker->>LLMAgent: Final malicious instructionactivate LLMAgentLLMAgent->>MemoryStore: Persist poisoned memorydeactivate LLMAgentnote over LLMAgent,MemoryStore: Memory now poisonedLLMAgent->>Tool: Invoke tool with poisoned policyactivate ToolTool-->>LLMAgent: Execute actiondeactivate Tool
2. Detection of Memory Poisoning with DeepContext & AgentTrust
Shows the combined monitoring of intent drift by DeepContext and tool‑call safety by AgentTrust, and how anomalies are handled.
sequenceDiagramtitle Detection of Memory Poisoning with DeepContext & AgentTrustparticipant Attackerparticipant LLMAgentparticipant DeepContextparticipant AgentTrustparticipant MemoryStoreAttacker->>LLMAgent: Queryactivate LLMAgentLLMAgent->>MemoryStore: Update contextdeactivate LLMAgentDeepContext->>LLMAgent: Monitor intent driftAgentTrust->>LLMAgent: Monitor tool callsalt Intent drift detectedDeepContext->>LLMAgent: Flag anomalyLLMAgent->>AgentTrust: NotifyAgentTrust->>LLMAgent: Block tool executionelse No driftDeepContext->>LLMAgent: No actionend
3. Cascading Failure Across Multi‑Agent System
Depicts how a single poisoned memory entry propagates through a shared memory store, causing multiple agents to adopt malicious goals and trigger a cascade of unintended actions.
sequenceDiagramtitle Cascading Failure Across Multi-Agent Systemparticipant PoisonedAgentparticipant SharedMemoryparticipant AgentAparticipant AgentBparticipant SystemControllerPoisonedAgent->>SharedMemory: Write poisoned entryactivate SharedMemorySharedMemory-->>AgentA: Provide memoryactivate AgentAAgentA->>AgentA: Process memory, adopt malicious goaldeactivate AgentAAgentA->>AgentB: Trigger actionactivate AgentBAgentB->>AgentB: Process inherited memorydeactivate AgentBSystemController->>PoisonedAgent: Monitor actionsSystemController->>AgentA: Detect anomalySystemController->>AgentB: Detect anomaly
4. Defense via AgentPoison Memory Sanitization
Illustrates how the AgentPoison module scans the memory store for poisoning, removes malicious entries, and notifies the agent.
sequenceDiagramtitle Defense via AgentPoison Memory Sanitizationparticipant Attackerparticipant LLMAgentparticipant AgentPoisonparticipant MemoryStoreAttacker->>LLMAgent: Queryactivate LLMAgentLLMAgent->>MemoryStore: Update contextdeactivate LLMAgentAgentPoison->>MemoryStore: Scan for poisoningalt Poison detectedAgentPoison->>MemoryStore: Remove malicious entryAgentPoison->>LLMAgent: Notifyelse Clean memoryAgentPoison->>LLMAgent: No actionend