tool 2025

AegisMCP: Online Graph Intrusion Detection for Tool-Augmented LLMs on Edge Devices

Zhonghao Zhan, Amir Al Sadi, Krinos Li, Hamed Haddadi

0 citations · 51 references · arXiv

Published on arXiv

2510.19462

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Key Finding

AegisMCP achieves sub-second per-window inference on Intel N150-class edge hardware using Lite GraphSAGE, outperforming traffic-only and sequence baselines across both ROC-AUC and PR-AUC metrics

AegisMCP / NEBULA-Schema

Novel technique introduced


In this work, we study the security of Model Context Protocol (MCP) agent toolchains and their applications in smart homes. We introduce AegisMCP, a protocol-level intrusion detector. Our contributions are: (i) a minimal attack suite spanning instruction-driven escalation, chain-of-tool exfiltration, malicious MCP server registration, and persistence; (ii) NEBULA-Schema (Network-Edge Behavioral Learning for Untrusted LLM Agents), a reusable protocol-level instrumentation that represents MCP activity as a streaming heterogeneous temporal graph over agents, MCP servers, tools, devices, remotes, and sessions; and (iii) a CPU-only streaming detector that fuses novelty, session-DAG structure, and attribute cues for near-real-time edge inference, with optional fusion of local prompt-guardrail signals. On an emulated smart-home testbed spanning multiple MCP stacks and a physical bench, AegisMCP achieves sub-second per-window model inference and end-to-end alerting. The latency of AegisMCP is consistently sub-second on Intel N150-class edge hardware, while outperforming traffic-only and sequence baselines; ablations confirm the importance of DAG and install/permission signals. We release code, schemas, and generators for reproducible evaluation.


Key Contributions

  • NEBULA-Schema: protocol-level instrumentation that models MCP activity as a streaming heterogeneous temporal graph over agents, servers, tools, devices, remotes, and sessions
  • AegisMCP: CPU-only streaming intrusion detector fusing novelty scores, session-DAG structure, and attribute cues for near-real-time inference on Intel N150-class edge hardware
  • Minimal MCP attack suite covering instruction-driven escalation, chain-of-tool exfiltration, malicious server registration, and persistence, with code and generators released

Details

Domains
graph, nlp
Model Types
llm, gnn
Threat Tags
inference_time, targeted, digital
Datasets
emulated smart-home testbed (multi-stack MCP + physical bench)
Applications
smart home security, llm agent security, mcp tool interfaces, edge iot devices