MindGuard Introduces Decision-Level Guardrails to Counter Tool Poisoning in LLM Agents

Global: MindGuard Introduces Decision-Level Guardrails to Counter Tool Poisoning in LLM Agents

Background

A recent study published on arXiv outlines a new defensive framework aimed at mitigating tool poisoning attacks (TPA) that target large language model (LLM) agents interacting with external tools. The authors note that the growing adoption of the Model Context Protocol (MCP) has increased exposure to maliciously altered tool metadata, which can coax agents into unauthorized actions without leaving observable behavioral traces.

Limitations of Existing Defenses

Current mitigation strategies primarily focus on monitoring runtime behavior of LLM agents. According to the paper, such approaches are insufficient for TPA because poisoned tools may never be executed, eliminating the behavioral signals that traditional detectors rely on.

MindGuard Architecture

The proposed solution, named MindGuard, operates at the decision level by tracking the provenance of each tool invocation request. The system leverages a policy‑agnostic detection model that attributes suspicious decisions to their underlying sources, thereby enabling both detection and attribution without requiring prior knowledge of specific attack signatures.

Decision Dependence Graph (DDG)

Central to MindGuard is the Decision Dependence Graph, a weighted, directed graph that maps LLM attention patterns to logical concepts involved in a decision. The authors empirically observed a strong correlation between attention weights and tool invocation choices, prompting the formalization of attention as a signal for constructing the DDG.

Detection and Attribution Mechanisms

Robust methods for DDG construction and graph‑based anomaly analysis are described, allowing the system to flag deviations indicative of poisoned metadata. The paper reports that MindGuard achieves an average precision of 94%–99% in detecting poisoned invocations and an attribution accuracy of 95%–100% across multiple benchmark datasets.

Performance Evaluation

Experimental results demonstrate that the entire detection pipeline operates in under one second per decision and incurs no additional token cost for the LLM, highlighting the practicality of the approach for real‑time deployments.

Broader Security Implications

The authors draw parallels between the DDG and the classical Program Dependence Graph (PDG), suggesting that established security policies can be adapted to the decision‑level context of LLM agents. This alignment may facilitate the integration of MindGuard into existing security frameworks.

Future Directions

While the study acknowledges challenges in fully explaining LLM decisions, it proposes further research into refining attention‑based signals and expanding the guardrail to accommodate a wider range of tool interaction protocols.This report is based on information from arXiv, licensed under Academic Preprint / Open Access. Based on the abstract of the research paper. Full text available via ArXiv.