Feed 0% source
AI/ML AI-generated

Stateful Online Monitoring Catches Distributed Agent Attacks

Generated by a local model (nvidia/Gemma-4-26B-A4B-NVFP4) from a scientific paper, claim-checked against the full text. Provenance is open by design.

Distributed agent attacks can evade standard single-context monitors by up to 80% in recall. However, an online stateful monitor using real-time stream clustering can catch these attacks 30% earlier. Most users experience negligible latency increases.

In the landscape of AI agent security, we are seeing a shift toward complex, multi-stage exploits. Hackers now use multiple AI accounts to split a single cyberattack into tiny, innocent-looking pieces. This avoids detection. This paper addresses the structural blindness of current safety monitors. These monitors are designed to score only one agent context at a time. By looking at patterns across many different users, the authors propose a way to "connect the dots." Current industry standards simply cannot see these connections.

The Problem

The status quo in LLM safety relies on "local" monitors. These are LLM-based judges that examine a single transcript or session. They determine if it is harmful. This works for obvious misuse. It fails fundamentally against distributed attacks. In these scenarios, an attacker uses an orchestrator to decompose a single harmful objective into various subtasks. These subtasks are then executed across different user accounts or sessions.

Each individual piece of the puzzle looks benign in isolation. Therefore, the local monitor assigns it a low suspiciousness score. As shown in, a standard monitor might see a "scan network" request as slightly suspicious.

Figure 1
Figure 1. Standard monitors cannot catch distributed misuse. Standard monitoring can identify misuse attempts (left) that occur in a single agent episode or context. However, distributed agent attacks (right) subvert monitors by breaking up a harmful task into several different user accounts.

However, it cannot see that this request is part of a larger chain. This chain involves credential theft and unauthorized access happening across separate accounts. Consequently, distributed attacks can achieve significantly more harm before detection. They often complete the entire exploit before a monitor triggers. The authors find that these attacks can result in 30%–80% worse recall compared to prior, non-distributed attack methods .

Figure 3
Figure 3. Our distributed agent attack evades standard monitoring. The distributed agent takes longer to detect (left) and is much harder to catch (right) than prior agent scaffolds or attacks. Distributed attacks perform well on cybersecurity tasks.

How It Works

The authors propose an "online stateful monitor" to shift focus from isolated transcripts to population-level patterns. The architecture operates in three distinct stages, as illustrated in :

Figure 2
Figure 2. Our online stateful monitor efficiently finds misuse across many accounts, in real time. For 1 a large stream of agent queries and contexts from different users, our monitor works by first using 2 a standard safety monitor to provide suspiciousness scores for each prompt or agent action.
  1. Local Scoring: Every incoming request is first processed by a standard safety monitor. This generates a baseline suspiciousness score.
  2. Online Stream Clustering: The system uses an efficient routing mechanism instead of expensive, full-scale re-clustering. Each new request is converted into an embedding (a numerical vector representing semantic meaning). It is then compared against the centroids (mathematical centers) of existing "summary clusters." If a request is sufficiently similar to an existing cluster, it is assigned to it. Otherwise, a new cluster is initialized. This avoids $O(N^2)$ complexity. This keeps the per-request cost closer to linear.
  3. Cross-Context Reasoning: When a cluster accumulates enough "weak signals," the system escalates the issue. These signals appear when a single request has a high score or multiple requests in a cluster show moderate suspicion. The system assembles a "case file." This file contains the top-$k$ most suspicious transcripts from that cluster. It then sends them to a high-capacity "cross-context monitor" (an LLM judge). This judge reasons across the aggregated evidence to decide if a coordinated campaign is underway.

Numbers

The goal is to improve detection without destroying system throughput. The authors report that the stateful monitor Pareto dominates standard monitors. This means it offers better recall for any given False Positive Rate (FPR, the rate of incorrectly flagging benign traffic). Specifically, in environments with 10x benign background traffic, the monitor achieves 81.1–87.2% campaign recall at a 2.35–3.09% FPR .

Figure 5
Figure 5. State creates better precision–recall tradeoffs on distributed cyber attacks. Localmonitor baselines are threshold sweeps over stored monitor scores; stateful points are empirical operating points from the online monitor

For engineers concerned with the "prod path," the latency impact is highly asymmetric. For approximately 99% of user traffic, the additional latency is negligible. Those users never trigger the expensive cross-context LLM reasoning .

Figure 4
Figure 4. Per-request latency of the online stateful monitor versus a standard monitor baseline. The online stateful monitor improves our performance metrics (recall and TTD90), while maintaining low latency for hte majority of users, except for the P99 tail. Monitoring across many contexts.

The heavy computational cost is reserved for the P99 tail (the slowest 1% of requests). This cost only applies to users whose behavior matches a suspicious cluster. Furthermore, the system catches misuse significantly earlier. The authors report a reduction in Time-to-Detect (TTD99, the number of harmful steps before detection) to 25.4 steps. This is a major improvement over the 37.2 steps seen with standard monitors in a 100x background traffic simulation .

Figure 6
Figure 6. Our defense quickly and precisely catches cyberattacks. Lower is better on both axes: fewer benign conversations are refused, and fewer harmful attacker turns occur before detection. Baselines and metrics. We compare standard and stateful monitors, both using gpt-4.1-mini-2025-04-14.

What's Missing

While the results are compelling, some gaps remain for practitioners:

  • Sensitivity to Background Noise: The detection advantage narrows as benign background traffic grows extremely large. In massive datacenter environments, the signal-to-noise ratio might degrade. The clustering mechanism could struggle to isolate "needles" from the "haystack."
  • Obfuscation Vulnerability: Effectiveness relies on subtasks sharing semantic similarities. An adaptive attacker could use highly varied vocabulary. They could also use different file-naming conventions. This might force the attack to split across multiple disparate clusters. Such tactics could delay or evade detection.
  • Specific Failure Modes: Red-teaming revealed that attackers can attempt "monitor-context poisoning." This involves faking classifier outputs to prompt inject the cross-context monitor.
  • Lack of Implementation Specifics: The paper does not report the specific hardware footprint. It does not list GPU memory requirements for the embedding layer. It also does not specify exact throughput limits for the streaming component.

Should You Prototype This

Yes, but as a secondary layer.

Do not replace your existing local monitors with this. Instead, wrap them in it. The architecture acts as a "safety net" for patterns that local monitors cannot see. Because the latency impact is localized to the P99 tail, it is a low-risk addition. Most users will not feel the overhead. Start by prototyping the embedding and stream clustering component. Observe how your specific user traffic naturally clusters. If you see high-density clusters forming around "semi-suspicious" activities, you have found where this defense provides the most ROI.

Novelty
0.0/10
Impact
0.0/10
Overall
0.0/10
#ai_security#llm_agents#cybersecurity#online_learning#clustering
How this was made
Generation

Model: nvidia/Gemma-4-26B-A4B-NVFP4
Persona: habr_engineer
Refinement: 0
Pipeline: forge-1.0

Verification

Evaluator: nvidia/Gemma-4-26B-A4B-NVFP4
Score: 0% (failed)

Translation

Model: nvidia/Gemma-4-26B-A4B-NVFP4

Hardware & cost

NVIDIA GB10 · 128 GB unified · NVFP4 · 100% local · $0 cloud
Tokens: 86,138
Wall-time: 429.3s
Tokens/s: 200.6

Related
Next up

Orchestra-o1: A Scalable Framework for Omnimodal Agent Orchestration

7.7/10· 5 min