TRACE-MAS

Tri-vector Resilient Algorithm for Cooperative Embodied Multi-Agent Security
Open-source security layer for multi-agent LLM pipelines

Python 3.10+ 26 Tests Passing 24,300 Validation Trials 4 Attack Vectors Research Under Submission
View on GitHub Browse Source

The Problem

Multi-agent LLM pipelines chain together specialized models that hand results to each other. A coder agent drafts a module, a QA agent reviews it, a deployment agent ships it. Three distinct LLMs. One shared pipeline. No cross-verification between them.

The boundary between agents is not a security boundary. TRACE-MAS makes it one.

Coder
Agent A₁
DRIFT / INJECT
QA
Agent A₂
SPOOF / POISON
Deploy
Agent A₃
TEMPORAL
Malicious
Outcome
Cascading Alignment Drift
Small per-agent errors accumulate silently. Without correction, drift grows at least linearly in chain length.
Contractive verifier-mediated aggregation
Inter-Agent Identity Spoofing
Rogue agents admitted to open swarms via forged capability descriptors issue commands that downstream agents execute without skepticism.
Dynamic zero-knowledge verification threshold
Cross-Agent Prompt Injection
Adversarial directives embedded in processed content propagate virally through the pipeline, hijacking downstream agents.
Policy-commitment attestation blocks off-policy messages
Temporal Adversarial Attacks
Staged micro-perturbations, each below any single agent's detection threshold, cumulatively drive the pipeline to a malicious end-state.
Sliding-window KL-divergence functional over joint memory

Implementation

TRACE-MAS is a Python library (pip install -e .) with three core modules:

TRACE-MAS/ ├── src/trace_mas/ │ ├── drift.py # Theorem 1: contractive aggregation, DriftAlarm │ ├── attestation.py # Theorem 2: ZKP gate, SpoofAlarm, InjectionAlarm │ ├── temporal.py # Theorem 3: KL-window monitor, TemporalAlarm │ └── runtime.py # Unified TraceMASRuntime (Algorithm 1) ├── tests/ # 26 tests: theorem coverage + adversarial cases └── examples/ └── pipeline_demo.py # 3-agent benign + injection attack demo

Quick Start

pip install -e ".[dev]"
python -m pytest tests/          # 26 tests, all pass
python experiments/validation_suite.py  # 24,300-trial validation
python examples/pipeline_demo.py # benign run + adversarial demo

Demo Output

BENIGN PIPELINE RUN (3 agents, 5 rounds)
  Certified rounds: 5
  Final drift:      0.0549
  Max drift:        0.0629
  Theorem 1 bound:  0.0700        <-- empirically confirmed
  STATUS: PASSED — all agents certified

ADVERSARIAL RUN: Prompt Injection Attack
  CAUGHT: InjectionAlarm: agent 'coder_agent' behavioral score 0.100 < threshold 0.400
  STATUS: BLOCKED — prompt injection detected by attestation gate

Usage

from trace_mas import TraceMASRuntime, TraceMASConfig
from trace_mas.drift import DriftCorrectorConfig
from trace_mas.runtime import AgentSpec

config = TraceMASConfig(
    drift=DriftCorrectorConfig(gamma_min=0.4, rho=0.04, epsilon=0.02),
)
runtime = TraceMASRuntime(config, agents, verifier_fn, alpha_0)
trajectory = runtime.run(T=10)   # raises DriftAlarm / SpoofAlarm / TemporalAlarm on attack

Empirical Validation

24,300 trials across four experiment families, run against this reference implementation, validating each theorem's qualitative prediction. Full tables and methodology: experiments/RESULTS.md.

100%
of 3,000 drift trials stayed within the Theorem 1 envelope
100%
spoofing detection, 0% false positives on benign traffic
0%
empirical miss rate across 6,000 temporal-attack trials
423µs
mean per-round logic overhead at d=1,536

Drift-envelope validation (Theorem 1)

Empirical max drift stays flat across a 40× increase in chain length, while the naive unprotected bound grows linearly.

n (agents)Empirical max driftAnalytic envelopeNaive unprotected bound
50.01830.09670.10
250.02370.09670.50
1000.02660.09672.00
2000.02800.09674.00

Attestation gate detection (Theorem 2)

Traffic classDetection / FP rate
Benign (false positives)0.0%
Forged signature (spoofing)100.0%
Prompt injection — pre-fix scorer75.0%
Prompt injection — current scorer100.0%
ReplayCaught
Discovered evasion, now fixed: the pre-fix behavioral scorer matched forbidden keywords via exact token equality, so eval(malicious_payload) slipped past a rule for eval(. Since token boundaries are attacker-controlled, this was a real evasion vector. Fixed by switching to substring matching in attestation.py; regression test in tests/test_attestation.py.

Temporal detector (Theorem 3)

0% empirical miss rate across all 6,000 trials, including a near-threshold “stealth” budget where Theorem 3’s own worst-case bound concedes up to 90.5% miss probability at the smallest window — the KL-divergence detector performs strictly better than the proven floor here. This confirms the bound holds; it does not by itself confirm the bound is tight (see RESULTS.md for the full discussion).

Algorithm Overview

Each round of the TRACE-MAS runtime executes three sequential phases:

for t = 1 to T:
  for each agent Ai:

    ── Phase 1: Attestation Gate ──────────────────────────────────
    Ai generates proof π = Prove(sk, message, policy_commit, history)
    threshold τ = τ0 + κ·log(1 + risk_score)
    if Verify(π) fails or behavioral_score < τ:
        HALT → SpoofOrInjectAlarm   # catches spoofing + prompt injection

    ── Phase 2: Drift Correction ──────────────────────────────────
    verifier quorum produces reference ξ
    α_next = (1-γ)·agent_output + γ·ξ   # contractive aggregation
    if ‖α_next - α0‖ > δ*:
        HALT → DriftAlarm

  ── Phase 3: Temporal Monitoring ──────────────────────────────────
  I = sup KL(M^s1 ‖ M^s2) over sliding window Tw*
  if I > φ(B):
      HALT → TemporalAlarm; rollback to last certified checkpoint

Per-round cost: O(log|A|) verification + O(d) aggregation + O(Tw*) temporal scan.

Author

SG

Sunil Gentyala

Independent Research, MAS Security and Applied Cryptography
IEEE Member | Lead Cybersecurity & AI Security Researcher