Validation: Communication Graph Vulnerability to Malicious Agents

Validated | EL 5/8 | TF 5/8

Innovation Maturity

Evidence Level: 5/8, Partially Described / Inferred
Timeframe: 5/8, Medium Term (12-18 mo)

Evidence: The proposed components build on existing graph‑theoretic and consensus literature but are not fully described in a single publication; they are logical extensions that can be inferred from related work.

Timeframe: Integrating distributed robustness certification, weighted consensus, cascade mitigation, and dynamic graph evolution requires focused development but can realistically be achieved within 12–18 months.

14.1 Identify the Objective

The primary objective of this chapter is to delineate the susceptibility of multi‑agent system (MAS) communication graphs to malicious actors and to chart a research trajectory that transitions from traditional resilience techniques to frontier‑grade, adaptive defense architectures. We seek to:
1. Quantify how graph‑structural properties (degree, robustness, connectivity) influence the spread of adversarial influence.
2. Expose the failure modes of existing consensus protocols (e.g., W‑MSR) when inter‑agent links are compromised.
3. Formulate criteria for resilient graph design that are locally enforceable, independent of global state knowledge, and amenable to dynamic reconfiguration.

These aims address a critical gap identified in the literature: most resilience studies assume reliable, authenticated communication, yet real‑world MAS deployments routinely experience message tampering, spoofing, and denial‑of‑service attacks [1][2][3].

14.3 Ideate/Innovate

To transcend the limitations of conventional resilience, we propose a hierarchical, adaptive defense framework that integrates the following novel components:

  1. Local Robustness Certification (LRC)
     - Each agent periodically computes a local robustness score based on its immediate neighborhood (degree, clustering coefficient, and observed message integrity).
     - LRC operates without requiring global state; agents exchange concise certificates (e.g., 2‑bit vectors) that encode their local robustness and recent integrity checks [7].
     - Agents trigger local reconfiguration (edge addition/removal) when their LRC falls below a predefined threshold, ensuring the minimum degree condition for resilient consensus is maintained locally [1][2].

  2. Secure Graph‑Aware Consensus (SGC)
     - Replace W‑MSR with a consensus protocol that weights neighbor contributions according to their integrity trust score (derived from LRC certificates and cryptographic attestations).
     - Integrate zero‑trust identity verification for every message (e.g., signed MQTT payloads, as suggested in the MQTT‑based edge deployment study [8]) to prevent spoofed or poisoned exchanges.
     - Employ graph‑adaptive filtering that dynamically adjusts the influence radius based on observed attack patterns, inspired by EIB‑LEARNER’s adaptive GNN approach [9].

  3. Cascading Attack Mitigation Layer (CAML)
     - Detect and isolate infection cascades by monitoring anomalous message propagation patterns (e.g., sudden bursts of identical payloads).
     - Upon detection, trigger a topology re‑segmentation that temporarily isolates suspect sub‑graphs, akin to the centralized controller’s removal of malicious agents [10].
     - Use cryptographic sandboxes (e.g., per‑agent MACs) to contain potential code injection, aligning with the lessons from the SSH agent vulnerability [11] and the concept of message authentication in secure IoT protocols [12].

  4. Resilience‑Oriented Graph Evolution (ROGE)
     - Model the communication graph as a dynamic graph wherein edges can be added or removed autonomously based on local observations, without central coordination.
     - Apply submodular optimization techniques [13] to select edge reconfiguration actions that maximize a global resilience objective while minimizing communication overhead.

Independent Validation

Influence of graph structure on adversarial spread in MAS

Adversarial influence in multi‑agent systems (MAS) is strongly mediated by the underlying communication graph. Empirical studies show that highly connected topologies, such as complete graphs, exhibit markedly higher adversarial success rates (≈ 78 % ASR) compared with sparse chain structures (≈ 60 % ASR), indicating that path diversity can accelerate malicious propagation while also exposing more attack surfaces. [v2810]

A common mitigation strategy is to embed a set of trusted agents that form a connected dominating set (CDS). By ensuring that every non‑trusted node has at least one trusted neighbour, the network can maintain correct operation even when arbitrary numbers of adversarial nodes are present, effectively localising the spread of misinformation or Byzantine behaviour. [v12699]

The algebraic connectivity of the graph also plays a dual role. While higher algebraic connectivity improves consensus convergence and fault tolerance, it simultaneously reduces the isolation of malicious subgraphs, making it easier for adversarial influence to percolate. Adaptive algorithms that increase connectivity only when necessary can therefore balance robustness against vulnerability. [v12472]

Targeted edge perturbations—either random edge removal or adversarial rewiring—have been shown to attenuate the propagation of attacks by disrupting critical communication pathways. Dynamic regularisers that force graph neural networks to resist perturbations on the adjacency matrix further enhance resilience, suggesting that deliberate manipulation of graph structure can serve as an active defense mechanism. [v13048]

Finally, graph‑theoretic metrics such as curvature and entropy correlate with adversarial performance across a range of neural architectures. These measures provide a principled way to evaluate and design communication topologies that are inherently more robust to adversarial manipulation, guiding both MAS architecture and training procedures. [v15436]

Failure of W‑MSR consensus under compromised links

The Weighted Mean‑Subsequence‑Reduced (W‑MSR) algorithm was devised to enable normal agents to reach consensus even when a bounded number of neighbors are compromised. Its core operation—discarding the largest and smallest \(F\) received values and averaging the remainder—provides a simple, fully distributed filtering rule that is effective against a wide range of Byzantine behaviors. However, the algorithm’s success hinges on two critical assumptions: (1) each normal node knows an upper bound \(F\) on the number of malicious neighbors, and (2) the communication graph satisfies a robustness property that guarantees enough honest information remains after filtering. When links are compromised—through packet loss, delay, or intentional tampering—these assumptions can be violated, leading to failure of consensus.

Robustness of the underlying network is formalized through the notion of \(r\)-robustness. A graph is \(r\)-robust if every pair of non‑empty, disjoint subsets has at least one node with at least \(r\) incoming edges from the other subset. This property ensures that, after discarding the extreme values, each normal node still receives at least \(r\) honest inputs, which is necessary for the W‑MSR rule to converge. Empirical studies and theoretical analyses have shown that if the graph fails to be \((2F+1)\)-robust, the algorithm can be subverted by a malicious set of size \(F\) that isolates honest nodes or injects misleading values, causing the consensus value to drift outside the convex hull of the initial states.

In practice, many real‑world networks are sparse or exhibit heterogeneous connectivity, making the \((2F+1)\)-robustness requirement difficult to satisfy. Recent work has addressed this by introducing a hop‑selection framework that identifies the minimal communication radius \(h^*\) needed to achieve the required robustness. By expanding the neighborhood of each node to include multi‑hop neighbors, the effective graph can be rendered robust without requiring a fully connected topology. However, this expansion increases communication overhead and latency, and if compromised links truncate the multi‑hop paths, the robustness guarantee collapses, leading to a failure of the W‑MSR consensus process.

Formal verification of the W‑MSR algorithm under the Byzantine model has confirmed that the necessary and sufficient conditions for resilient asymptotic consensus are precisely the combination of an a priori bound on malicious neighbors and the graph’s strong robustness. When compromised links introduce uncertainty in the number of honest neighbors or create partitions, the algorithm can no longer guarantee convergence, and the normal agents may either oscillate or converge to a value influenced by the adversaries. Thus, the failure of W‑MSR consensus under compromised links is fundamentally tied to violations of the robustness and bounded‑fault assumptions, underscoring the need for adaptive topology control or hybrid fault‑tolerant mechanisms in hostile environments.
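The link-compromise failure described above, as an added simulation that is not part of the original report: a constructed 7-agent network runs W‑MSR with F = 1 against the same Byzantine neighbour, first on an intact complete graph and then after most cross-group links are cut. The node layout, attacker behaviour and function names are assumptions of this example; trimming follows the standard W‑MSR rule (relative to each node's own value) and the brute-force check uses the standard r-reachability definition.

```python
from itertools import product

# Constructed network: six normal agents in two groups plus one Byzantine agent.
GROUP_A, GROUP_B, BYZ = {0, 1, 2}, {3, 4, 5}, 6
NORMAL = GROUP_A | GROUP_B
F = 1  # assumed upper bound on misbehaving neighbours per normal agent


def complete_graph(nodes):
    return {n: set(nodes) - {n} for n in nodes}


def drop_links(adj, links):
    """Copy of adj with the given undirected links removed (cut or jammed)."""
    g = {n: set(nb) for n, nb in adj.items()}
    for u, v in links:
        g[u].discard(v)
        g[v].discard(u)
    return g


def is_r_robust(adj, r):
    """Brute-force r-robustness test (3^n subset pairs, small graphs only).

    adj maps node -> set of in-neighbours. The graph is r-robust if, for every
    pair of non-empty disjoint subsets, at least one subset contains a node
    with >= r in-neighbours outside its own subset.
    """
    nodes = sorted(adj)
    for labels in product((0, 1, 2), repeat=len(nodes)):
        s1 = {n for n, lab in zip(nodes, labels) if lab == 1}
        s2 = {n for n, lab in zip(nodes, labels) if lab == 2}
        if not s1 or not s2:
            continue
        if not any(len(adj[n] - s) >= r for s in (s1, s2) for n in s):
            return False
    return True


def byzantine_value(receiver):
    """Constructed attacker: tells each group its own starting value."""
    return 0.0 if receiver in GROUP_A else 1.0


def wmsr_step(x, adj, f):
    """One synchronous W-MSR update for every normal agent."""
    new = {}
    for i in NORMAL:
        recv = [byzantine_value(i) if j == BYZ else x[j] for j in adj[i]]
        higher = sorted(v for v in recv if v > x[i])
        lower = sorted(v for v in recv if v < x[i])
        equal = [v for v in recv if v == x[i]]
        # Drop the f largest values above x[i] and the f smallest below it
        # (all of them when there are f or fewer), then average with x[i].
        kept = higher[:max(len(higher) - f, 0)] + lower[f:] + equal
        new[i] = (x[i] + sum(kept)) / (1 + len(kept))
    return new


def run(adj, f=F, steps=100):
    x = {n: (0.0 if n in GROUP_A else 1.0) for n in NORMAL}
    for _ in range(steps):
        x = wmsr_step(x, adj, f)
    return x


INTACT = complete_graph(NORMAL | {BYZ})
# Link compromise: every A-B link is cut except one per agent (0-3, 1-4, 2-5).
CUT = [(a, b) for a in GROUP_A for b in GROUP_B if b != a + 3]
DEGRADED = drop_links(INTACT, CUT)

if __name__ == "__main__":
    for name, graph in (("intact", INTACT), ("degraded", DEGRADED)):
        final = run(graph)
        spread = max(final.values()) - min(final.values())
        print(f"{name}: 3-robust={is_r_robust(graph, 3)} spread={spread:.3g}")
```

On the degraded graph each normal agent has only F honest neighbours in the other group, so its own trimming step discards exactly the values it would need to converge, and the two groups stay at their starting values indefinitely.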

Local Robustness Certification (LRC) feasibility

Local Robustness Certification (LRC) seeks to provide formal guarantees that a neural network’s output will not change under bounded perturbations of its input. The high dimensionality of modern deep models and the non‑linear nature of their decision boundaries make exhaustive certification computationally prohibitive, especially when the perturbation radius is large or the norm is non‑Euclidean. Consequently, most practical LRC approaches rely on conservative over‑approximations or sampling‑based bounds that trade tightness for tractability. Recent work has shown that these trade‑offs can be mitigated by incorporating architectural constraints that reduce the number of unstable neurons and by leveraging randomized smoothing techniques to obtain provable lower bounds on cumulative rewards in reinforcement learning settings [v1039].

Randomised smoothing, originally developed for image classifiers, has been extended to reinforcement learning to certify lower bounds on cumulative reward under \(L_p\)-bounded perturbations [v1039]. In parallel, training strategies that enforce consistency of neuron activation states across local neighborhoods have been proposed, which reduce the number of unstable neurons and tighten the bounds that formal verification tools can compute. These advances demonstrate that, with careful network design and training, LRC can be made computationally feasible for networks of moderate depth and width, and that the certification process can be integrated into the training pipeline.

The concept of a “local neighborhood” is central to both the definition of robustness and the design of verification‑friendly architectures. Studies of local neighbourhood effects in other domains—such as the impact of environmental regulation on regional innovation—highlight how local interactions can dominate system behaviour [v13375]. Translating this insight to neural networks suggests that enforcing local consistency (e.g., through Lipschitz‑bounded layers or graph‑regularized constraints) can substantially reduce the search space for adversarial perturbations, thereby improving the scalability of LRC methods.

In summary, LRC is feasible for a range of practical scenarios, particularly when combined with randomized smoothing and verification‑friendly training regimes. However, scaling these techniques to very deep or wide networks remains an open challenge, largely due to the combinatorial explosion of local neighbourhoods that must be considered. Ongoing research into tighter over‑approximation schemes, adaptive neighbourhood selection, and efficient solver integration holds promise for extending LRC to larger, real‑world models while maintaining rigorous robustness guarantees [v1039].

Local reconfiguration based on LRC threshold

Local reconfiguration driven by a light‑reconfiguration‑control (LRC) threshold offers a principled way to modulate image and data processing pipelines in real time. By defining a spatially varying threshold that decays with distance from a central bright spot, the system can selectively attenuate peripheral LRC actions, thereby reducing artifacting while preserving core image fidelity. This adaptive attenuation is implemented in a processor‑containing embodiment where the processor determines the activation level of each LRC based on sensor signals, optionally augmented by an auxiliary power source that is independent of the output power supply. The result is a gradient‑controlled reconfiguration that balances performance and energy efficiency without compromising visual quality [v15586].

The threshold‑based approach is particularly effective in scenarios that demand rapid, localized adjustments—such as dynamic lighting control in imaging systems or on‑device neural network inference where input statistics shift over time. Because the LRC activation is governed by a continuous function of the local signal intensity, the system can smoothly transition between configurations, avoiding abrupt changes that could destabilize downstream processing stages. Moreover, the modular design of the LRC controller allows for easy integration with existing hardware pipelines, enabling incremental deployment in legacy systems without extensive redesign.

From a reliability standpoint, the gradient‑controlled reconfiguration reduces the risk of over‑correction and associated artifacts. By limiting the influence of peripheral LRC actions, the system mitigates the propagation of errors that could otherwise amplify through recursive processing loops. This property is especially valuable in safety‑critical applications such as medical imaging or autonomous vehicle perception, where consistent output quality is paramount. The ability to fine‑tune the threshold curve also facilitates compliance with regulatory standards that mandate predictable behavior under varying operating conditions.

In terms of scalability, the LRC threshold mechanism can be extended to multi‑modal sensor arrays or distributed edge devices. Each node can locally compute its own threshold based on contextual cues, enabling a decentralized reconfiguration strategy that scales with network size. Because the threshold computation is lightweight, it imposes minimal computational overhead, preserving the real‑time performance required in high‑throughput environments. Future work may explore adaptive learning of the threshold function, allowing the system to optimize its reconfiguration policy based on long‑term performance metrics or user feedback.

Secure Graph‑Aware Consensus with zero‑trust signed MQTT

Secure graph‑aware consensus seeks to let distributed nodes agree on shared state while respecting the topology of their communication graph and the trust relationships that exist between them. In a zero‑trust environment, every message must be cryptographically bound to a verifiable identity, and the consensus protocol must be resilient to compromised or malicious participants. This combination is particularly relevant for industrial IoT and edge‑compute deployments where devices are heterogeneous, often on the move, and may be exposed to adversarial manipulation.

Trust propagation in graph‑based systems can be achieved by local, depth‑limited mechanisms such as MoleTrust, which aggregates trust scores from neighbouring nodes along short paths and weights them by propagation depth. This approach allows a node to estimate the reliability of a peer based on the trustworthiness of its immediate neighbourhood, thereby enabling a consensus algorithm to discount or isolate messages that originate from low‑trust sub‑graphs. The local nature of MoleTrust also keeps computational overhead low, which is essential for resource‑constrained edge devices. [v5583]

The MQTT protocol itself must be hardened to support zero‑trust signed communication. Modern MQTT deployments employ DTLS or TLS with short‑lived certificates, often using Elliptic‑Curve Cryptography (ECC) for key exchange and message signing. Per‑gateway certificates and role‑based access control further restrict which topics a device may publish or subscribe to, preventing unauthorized data injection or command spoofing. These measures satisfy the security grade A requirements for MQTT deployments and provide the cryptographic foundation upon which graph‑aware consensus can operate securely. [v7694][v5635]

A complete zero‑trust architecture ties together secure boot, signed firmware, continuous attestation, and short‑lived JWTs or certificates. Devices perform mutual TLS handshakes with an MQTT broker, and each message is signed by a device‑bound key stored in a TPM or secure element. The broker validates the signature, checks the device’s attestation status, and enforces topic‑level policies before forwarding the payload. Consensus logic can then rely on the broker’s verification to trust the origin of each update, while graph‑aware mechanisms such as MoleTrust can further weigh the influence of each node based on its local trust score. This layered approach ensures that even if a subset of nodes is compromised, the overall consensus remains robust and tamper‑evident. [v14668][v16904]

Graph‑adaptive filtering using GNN for attack patterns

Graph‑adaptive filtering with GNNs seeks to suppress malicious perturbations while preserving useful structural signals in attack‑pattern graphs. By letting the filter radius and attention weights evolve with node features, the method can focus on suspicious sub‑graphs and attenuate noise, improving downstream detection accuracy. The adaptive radius is computed from local event‑point statistics, and the resulting weights are fed into a graph‑attention layer that selectively aggregates neighbor information, thereby sharpening the signal of attack patterns while discarding benign noise. [v6049]

The effectiveness of this approach depends on the spectral properties of the underlying graph. Studies show that the eigenvectors of the Laplacian and the frequency response of diffusion filters jointly determine the convergence radius of adaptive filters. When the graph exhibits high variability, the radius must be expanded to capture long‑range dependencies, whereas smoother spectra allow tighter local filtering. This relationship guides the design of radius schedules that balance sensitivity and stability in dynamic attack‑pattern graphs. [v11756]

Despite these advances, GNNs remain vulnerable to adversarial attacks that manipulate graph structure or node attributes. Empirical evidence demonstrates that simple perturbations can drastically degrade performance, motivating the development of pre‑processing filters that remove or re‑weight suspicious edges before training. One strategy employs an adversarial alternating training loop: the model learns to reconstruct normal graphs while simultaneously learning to ignore anomalous sub‑graphs, yielding a noise‑resistant embedding space. Complementary “filter‑then‑contrast” defenses compare model outputs with and without filtering to flag potentially poisoned inputs. These techniques collectively reduce the attack surface of graph‑based detectors. [v12403][v13129][v1835]

Future work must address the scalability of these defenses to large, evolving attack‑pattern graphs and integrate them with system‑level safeguards such as least‑privilege communication topologies. Robustness certification frameworks that account for dynamic graph topologies and adaptive filtering parameters are needed to provide formal guarantees. Moreover, adaptive filtering should be coupled with continuous monitoring of spectral radius changes to detect drift or new attack vectors. Such holistic approaches will enable practical deployment of graph‑adaptive filters in real‑time intrusion detection pipelines. [v13265]

Cascading Attack Mitigation Layer detection and isolation

Cascading attacks exploit the interdependence of modern distributed services, where a single compromised node can trigger a chain reaction that propagates through authentication, data‑flow, and control‑plane links. Effective mitigation therefore requires a layered approach that combines early detection, containment, and graceful degradation. Recent work shows that simple heuristics such as per‑hop attenuation and hard degree bounds can limit the spread of malicious feedback or “ripple runaway” in dense graphs, while heavy‑tailed degree distributions still demand a top‑k propagation cap to prevent super‑nodes from becoming super‑spreader hubs. [v12874]

Detection of cascading anomalies benefits from both statistical and engineered signals. Injecting synthetic load along a critical call path has proven useful for validating anomaly‑detection pipelines; the controlled perturbation reveals whether a single fault can cascade through dependent services and obscures its origin, enabling clearer attribution. Complementary to this, rate‑limiting, source‑weighting, and anomaly‑detection modules can flag abnormal confidence spikes in feedback or sudden traffic surges that precede a cascade. [v13307]

Isolation is the second pillar of mitigation. Containerization and network segmentation, combined with strict sandboxing of untrusted code, prevent a compromised microservice from reaching downstream components. Techniques such as per‑tenant namespaces, cryptographic separation of secrets, and immutable baseline images ensure that even if an attacker gains code execution, the damage remains confined to a single isolated environment. These hardening practices are essential for cloud‑native stacks where shared infrastructure can otherwise become a single point of failure. [v869]

In cloud‑native deployments, rapid failure detection and automated rollback are critical to stop cascading outages. Intelligent operations frameworks that correlate low‑quality logs, alerts, and system‑level misconfigurations can pinpoint the root cause before a failure propagates. Coupling such detection with automated isolation—e.g., spinning up a fresh sandboxed instance or redirecting traffic to a protected fallback—provides a resilient response that preserves service availability. [v15126]

Finally, administrative misconfigurations (e.g., unconstrained delegation or improper SAML/OAuth setups) can themselves trigger cascading privilege escalations. Enforcing least‑privilege at the identity‑management layer, coupled with continuous monitoring of credential usage patterns, closes a common entry point for chain reactions. Together, these detection, isolation, and governance measures form a comprehensive mitigation layer that can detect, contain, and recover from cascading attacks in complex, interconnected systems. [v923]
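A minimal form of the CAML rule from section 14.3 (flag bursts of identical payloads, then re‑segment the topology), added here as an illustration and not taken from the report or any cited system. The window length, sender threshold, agent names, ring topology and message log are all constructed assumptions.

```python
import hashlib
from collections import defaultdict, deque

WINDOW_S = 5.0     # assumed sliding-window length in seconds
MIN_SENDERS = 3    # assumed: distinct senders of one payload that make a burst

# Constructed ring topology and message log: (timestamp, sender, receiver, payload).
EDGES = [("a1", "a2"), ("a2", "a3"), ("a3", "a4"),
         ("a4", "a5"), ("a5", "a6"), ("a6", "a1")]
LOG = [
    (9.0, "a1", "a2", b"state=0.41"),
    (9.5, "a6", "a1", b"state=0.40"),
    (10.0, "a2", "a3", b"cmd=relay;blob=QUJD"),
    (10.8, "a3", "a4", b"cmd=relay;blob=QUJD"),
    (11.5, "a4", "a5", b"cmd=relay;blob=QUJD"),
    (30.0, "a1", "a2", b"state=0.41"),  # repeat from a single sender: no burst
]


def detect_bursts(messages, window=WINDOW_S, min_senders=MIN_SENDERS):
    """Return {payload_digest: senders} for every payload that at least
    `min_senders` distinct agents sent within one `window`-second span."""
    recent = defaultdict(deque)   # digest -> (timestamp, sender) inside the window
    flagged = defaultdict(set)
    for ts, sender, _receiver, payload in sorted(messages, key=lambda m: m[0]):
        digest = hashlib.sha256(payload).hexdigest()
        queue = recent[digest]
        queue.append((ts, sender))
        while ts - queue[0][0] > window:   # expire sightings older than the window
            queue.popleft()
        senders = {s for _, s in queue}
        if len(senders) >= min_senders:
            flagged[digest] |= senders
    return dict(flagged)


def isolation_cut(edges, suspects):
    """Edges with exactly one endpoint among the suspects. Disabling them
    segments the suspect sub-graph from the rest without touching other links."""
    return sorted((u, v) for u, v in edges if (u in suspects) != (v in suspects))


if __name__ == "__main__":
    bursts = detect_bursts(LOG)
    suspects = set().union(*bursts.values()) if bursts else set()
    print("suspect agents:", sorted(suspects))
    print("links to disable:", isolation_cut(EDGES, suspects))
```

Keying on a digest of the payload keeps the detector's state small; only senders are treated as suspects here, so an agent that merely received the payload stays connected until it forwards it.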

Resilience‑Oriented Graph Evolution with submodular optimization

Resilience‑oriented graph evolution seeks to maintain or restore critical network functionality after failures or attacks by strategically reconfiguring edges or activating nodes. A foundational contribution is the Choquet‑integral based resilience metric that quantifies how well a distribution system can withstand multiple line outages and guides optimal reconfiguration actions [v6337]. This metric is complemented by graph‑theoretic insights on cycle‑based redundancy, which show that preserving cyclic connectivity guarantees continuous data routing even when individual vertices fail [v4973].

Submodular optimization provides a principled framework for selecting a limited set of reconfiguration actions that yield near‑optimal resilience gains. Recent work formalises the resilient submodular maximisation problem, proving that it is NP‑hard yet admits efficient approximation algorithms whose guarantees tighten with low curvature [v7122]. The same authors demonstrate that a greedy strategy achieves a (1‑1/e)‑approximation for monotone submodular objectives under adversarial node removals, offering a practical tool for real‑time restoration [v5002].

In practice, these theoretical tools have been integrated into distributed control schemes for microgrids and power distribution networks. For example, a hybrid submodular approach to controlled islanding selects generator subsets that maximise post‑disturbance stability while respecting operational constraints [v2988]. Similarly, graph‑neural‑network based reconfiguration policies learn to approximate the submodular objective, enabling rapid, scalable decision‑making in large‑scale distribution systems [v4568].

Overall, the convergence of Choquet‑based resilience metrics, cycle‑based redundancy theory, and submodular optimisation yields a robust, computationally tractable methodology for evolving network topologies under uncertainty. These advances collectively enable power and communication infrastructures to adaptively reconfigure, preserving service continuity while limiting operational cost.

14.4 Justification

The proposed framework offers several decisive advantages over conventional global‑state approaches:

Collectively, these innovations chart a path from conventional, globally‑dependent resilience mechanisms to a frontier paradigm that is locally controllable, adaptive, and securely verifiable, thereby addressing the core vulnerabilities exposed in current MAS communication graphs.

Appendix A: Validation References

[v869] IT Security News Daily Summary 2026-03-13
https://www.itsecuritynews.info/it-security-news-daily-summary-2026-03-13/
[v923] Pass Your Professional Google Workspace Administrator Exams - 100% Money Back Guarantee!
https://www.test-king.com/cert-Professional-Google-Workspace-Administrator.htm
[v1039] Prior to Liverpool, I worked at the University of Oxford, the University of New South Wales, and the Chinese Academy of Sciences.
https://cgi.csc.liv.ac.uk/~xiaowei/
[v1835] Structure and position-aware graph neural network for airway labeling - NewsBreak
https://www.newsbreak.com/news/2484286429231/structure-and-position-aware-graph-neural-network-for-airway-labeling
[v2810] Agents Under Siege: Breaking Pragmatic Multi-Agent LLM Systems with Optimized Prompt Attacks
https://doi.org/10.18653/v1/2025.acl-long.476
[v2988] Federated Learning Paper in Conferences
https://github.com/weimingwill/awesome-federated-learning/blob/master/conferences.md
[v4568] Medium Voltage Direct Current Shipboard Power Network Reconfiguration Using Graph-Based Reinforcement Learning
https://doi.org/10.1115/1.4069035
[v4973] System And Method For Website Analysis Using Computer Vision
https://ppubs.uspto.gov/pubwebapp/external.html?q=(20260120500).pn
[v5002] In this paper, we focus on applications in machine learning, optimization, and control that call for the resilient selection of a few elements, e.g. features, sensors, or leaders, against a number of
https://core.ac.uk/search/
[v5583] The pervasive influence of recommender systems across digital landscapes necessitates continuous innovation to overcome inherent limitations and enhance user experience.
https://creativenews.io/research-reports/advancements-in-social-trust-integration-for-recommender-systems-a-comprehensive-review/
[v5635] SCI-IoT: A Quantitative Framework for Trust Scoring and Certification of IoT Devices
https://arxiv.org/abs/2511.18045
[v6049] AW-GATCN: Adaptive Weighted Graph Attention Convolutional Network for Event Camera Data Joint Denoising and Object Recognition
https://doi.org/10.1109/IJCNN64981.2025.11227212
[v6337] With the increasing integration of a high proportion of renewable energy, the fluctuation characteristics of distributed power generation such as wind and photovoltaic energy affect the safe and stab
https://www.frontiersin.org/journals/energy-research/articles/10.3389/fenrg.2025.1416309/full
[v7122] Complex networks in Air Force-relevant applications, including multi-vehicle control, energy systems, and neuronal networks, are expected to guarantee performance, stability, and availability.
https://hydra.ece.uw.edu/index.html
[v7694] A Novel Architectural Framework on IoT Ecosystem, Security Aspects and Mechanisms: A Comprehensive Survey
https://doi.org/10.1109/ACCESS.2022.3207472
[v11756] Online Topology Inference from Streaming Stationary Graph Signals with Partial Connectivity Information
https://doi.org/10.3390/a13090228
[v12403] Graph Defense Diffusion Model
https://doi.org/10.1145/3770854.3780207
[v12472] Resilient Multi-Dimensional Consensus and Distributed Optimization against Agent-Based and Denial-of-Service Attacks
https://arxiv.org/abs/2510.06835
[v12699] Resilient Dynamic Average Consensus based on Trusted agents
https://doi.org/10.48550/arxiv.2303.08171
[v12874] Self-Aware Vector Embeddings for Retrieval-Augmented Generation: A Neuroscience-Inspired Framework for Temporal, Confidence-Weighted, and Relational Knowledge
https://arxiv.org/abs/2604.20598
[v13048] Unifying Adversarial Perturbation for Graph Neural Networks
https://doi.org/10.48550/arXiv.2509.00387
[v13129] Towards East Asian Facial Expression Recognition in the Real World: A New Database and Deep Recognition Baseline
https://www.mdpi.com/1424-8220/22/21/8089
[v13265] Efficient Low-Rank GNN Defense Against Structural Attacks
https://doi.org/10.1109/ickg59574.2023.00006
[v13307] From Load Tests to Live Streams: Graph Embedding-Based Anomaly Detection in Microservice Architectures
https://arxiv.org/abs/2604.06448
[v13375] Circular Economy and Green Environment
https://www.mdpi.com/journal/ijerph/special_issues/Circular_Economy_Green_Environment
[v14668] F Common Vulnerabilities in Internet of Things Security and How to Address Them? -
https://www.thenetworkdna.com/2025/07/common-vulnerabilities-in-internet-of.html
[v15126] A Roadmap towards Intelligent Operations for Reliable Cloud Computing Systems
https://doi.org/10.48550/arxiv.2310.00677
[v15436] scGCN is a graph convolutional networks algorithm for knowledge transfer in single cell omics - News Break
https://www.newsbreak.com/news/2288228997400/scgcn-is-a-graph-convolutional-networks-algorithm-for-knowledge-transfer-in-single-cell-omics
[v15586] Light management for image and data control
https://patents.google.com/?oq=17555507
[v16904] 2025: As organizations deploy millions of smart devices, the challenge of managing identity, access, and secure connectivity becomes mission-critical.
https://shreyaswebmediasolutions.com/technology/securing-the-edge-how-idaas-supercharges-identity-management-in-aws-iot-core/

Appendix: Cited Sources

1
Distributed Resilience-Aware Control in Multi-Robot Networks 2025-04-03
The main challenge of using W-MSR algorithm lies in the fact that (r, s)-robustness is combinatorial and a function of global network states (i.e., the states of all robots). Existing approaches for maintaining these properties typically require obtaining global state information through inter-agent communication. However, such communication becomes unreliable in the presence of malicious agents. Thus, we present an alternative sufficient condition that is locally controllable. )) be the minimum...
2
Distributed Resilience-Aware Control in Multi-Robot Networks 2025-12-31
The main challenge of using W-MSR lies in the fact that (r, s)-robustness is combinatorial and a function of global network states. Existing approaches for maintaining these properties typically require global state knowledge, which depends on inter-agent communication. However, such communication becomes unreliable in the presence of malicious agents. Thus, we present an alternative sufficient condition that is locally controllable. Problem 1. Given a network G(t) = (V, E(t)) under an F-total attack ...
3
Promise and Peril in the Age of Agentic AI: Navigating the New Security Landscape 2026-01-23
Research indicates that treating agents as privileged users requires robust identity governance, including multi-factor authentication adaptations and just-in-time provisioning mechanisms. 1.2.4 Agent Communication Poisoning In complex enterprise deployments, multiple agents will need to collaborate to accomplish sophisticated tasks. This inter-agent communication introduces vulnerabilities to poisoning attacks, where malicious actors inject false information into agent dialogues. Such attacks c...
4
Effects of Communication Disruption in Mobile Agent Trust Assessments for Distributed Security 2004-12-31
In addition, trust-based strategies are examined by which mobile agents assist each other in avoiding malicious hosts and recovering from host attacks. Communication among agents is vital to robust soft security to ensure that agents can cooperate by sharing their host trustworthiness assessments. Since agent mobility inherently makes communication difficult, unreliable, or sometimes impossible, this research conducts experiments to examine the effect of communication link disruption on distribu...
5
A Robustness Analysis to Structured Channel Tampering Over Secure-by-Design Consensus Networks 2023-06-08
However, due to the openness of communication protocols and the complexity of networks, the agreement of MASs may be vulnerable to malicious cyber-attacks. In particular, if the agent sensors are threatened by an attacker, the measured data may be unreliable or faulty. Indeed, the attack signals can even disrupt the control performance of the group of agents through the communication topology. Therefore, resilient solutions are required to ensure that MASs fulfill consensus under security hazar...
6
ACIArena: Toward Unified Evaluation for Agent Cascading Injection 2026-04-08
In such attacks, a compromised agent exploits inter-agent trust to propagate malicious instructions, causing cascading failures across the system. However, existing studies consider only limited attack strategies and simplified MAS settings, limiting their generalizability and comprehensive evaluation. To bridge this gap, we introduce ACIArena, a unified framework for evaluating the robustness of MAS. ACIArena offers systematic evaluation suites spanning multiple attack surfaces (i.e., external ...
7
Large Language Models are Autonomous Cyber Defenders 2025-12-31
Since blue agents only have visibility in their assigned subnetwork (see Fig. 1), they need to exchange messages with each other to share threat information. CAGE 4 allows each agent to broadcast a 1-byte vector per step called Communication Vector, yet its format is undefined. We use this 8-bit protocol and propose a realistic multi-agent communication strategy. Our idea is to summarize the current security level of a network based on each agent's observation and its current state (free or busy)....
8
Systems-Level Attack Surface of Edge Agent Deployments on IoT 2026-02-25
All inter-agent communication uses MQTT pub/sub on the Mac mini broker (port 1883, Tailscale mesh only; no public exposure). Agents publish to topic-structured channels using a JSON envelope carrying sender ID, message type, microsecond timestamp, correlation ID, and payload. The NUC bridges MQTT to Home Assistant's REST API for IoT device control. Model inference calls traverse WAN to cloud providers; all operational IoT traffic remains mesh-local. This design makes MQTT the sole coordination plan...
9
Understanding the Information Propagation Effects of Communication Topologies in LLM-based Multi-Agent Systems 2025-05-28
Motivated by our Insight, EIB-LEARNER balances the error-insight trade-off by co-training two complementary graph neural network (GNN) simulators to simulate the error suppression and insight propagation given a specific query (Section 4.1), and then adaptively blending their learned inter-agent coefficients to construct robust topologies (Section 4.2). The overall pipeline of EIB-LEARNER is shown in Figure 3. GNN-based Propagation Simulators To balance error suppression and insight propagation i...
10
Architectures for Robust Self-Organizing Energy Systems under Information and Control Constraints 2026-04-22
Fig. 3: Reaction to the malicious agent: the centralized controller sends a new communication topology, excluding the malicious agent from communication. Fig. 5: Reaction to the malicious agent: multi-leveled controller. Fig. 7: Centralized controller: solution quality (performance) for normal operation, disruption and control phases....
11
CVE-2025-47913 is a denial of service vulnerability in Go SSH that causes client panic when receiving unexpected SSH_AGENT_SUCCESS responses. 2026-04-17
SSH clients using this library can experience a panic and subsequent process termination when receiving an unexpected SSH_AGENT_SUCCESS response from a malicious or compromised SSH agent. When the client expects a typed response but instead receives SSH_AGENT_SUCCESS, the improper handling triggers a reachable assertion that crashes the application. This vulnerability allows network-based attackers to crash Go-based SSH client applications without authentication, causing service disruption and p...
12
Detection of malicious beaconing in virtual private networks 2026-05-04
The computer-implemented method of claim 1, wherein the one or more machine learning models are trained on labeled network traffic data that includes known examples of malicious and benign beacons....