benchmark 2025

Topology Matters: Measuring Memory Leakage in Multi-Agent LLMs

Jinbo Liu 1, Defu Cao 1, Yifei Wei 1, Tianyao Su 1, Yuan Liang 1, Yushun Dong 2, Yan Liu 1, Yue Zhao 1, Xiyang Hu 3

1 University of Southern California

2 Florida State University

3 Arizona State University

1 citations · 1 influential · 16 references · arXiv
α

Published on arXiv

2512.04668

Sensitive Information Disclosure

OWASP LLM Top 10 — LLM06

Key Finding

Fully connected topologies leak the most PII and chain topologies the least; topology ordering is stable across base models, and spatiotemporal/location attributes leak more readily than identity credentials or regulated identifiers

MAMA (Multi-Agent Memory Attack)

Novel technique introduced

Graph topology is a fundamental determinant of memory leakage in multi-agent LLM systems, yet its effects remain poorly quantified. We introduce MAMA (Multi-Agent Memory Attack), a framework that measures how network structure shapes leakage. MAMA operates on synthetic documents containing labeled Personally Identifiable Information (PII) entities, from which we generate sanitized task instructions. We execute a two-phase protocol: Engram (seeding private information into a target agent's memory) and Resonance (multi-round interaction where an attacker attempts extraction). Over 10 rounds, we measure leakage as exact-match recovery of ground-truth PII from attacker outputs. We evaluate six canonical topologies (complete, ring, chain, tree, star, star-ring) across $n\in\{4,5,6\}$, attacker-target placements, and base models. Results are consistent: denser connectivity, shorter attacker-target distance, and higher target centrality increase leakage; most leakage occurs in early rounds and then plateaus; model choice shifts absolute rates but preserves topology ordering; spatiotemporal/location attributes leak more readily than identity credentials or regulated identifiers. We distill practical guidance for system design: favor sparse or hierarchical connectivity, maximize attacker-target separation, and restrict hub/shortcut pathways via topology-aware access control.

Key Contributions

  • MAMA framework: a two-phase protocol (Engram for seeding PII into agent memory; Resonance for multi-round adversarial extraction) enabling reproducible measurement of topology-driven PII leakage
  • Empirical analysis across six canonical topologies showing denser connectivity, shorter attacker-target path length, and higher target centrality consistently increase leakage rates across agent counts and base models
  • Actionable design guidance: prefer sparse or hierarchical topologies, maximize attacker-target graph distance, and restrict hub/shortcut pathways via topology-aware access control

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
inference_timetargetedblack_box
Datasets
synthetic PII documents (generated)
Applications
multi-agent llm systemsconversational ai agent networks
Read PDF arXiv DOI

Similar Papers

benchmark

The Unlearning Mirage: A Dynamic Framework for Evaluating LLM Unlearning

2026 0 cit.
90%
benchmark

Understanding the Dilemma of Unlearning for Large Language Models

2025 3 cit.
90%
benchmark

CanaryBench: Stress Testing Privacy Leakage in Cluster-Level Conversation Summaries

2026 0 cit.
90%
benchmark

Benchmarking Knowledge-Extraction Attack and Defense on Retrieval-Augmented Generation

2026 0 cit.
82%
benchmark

Exploiting Web Search Tools of AI Agents for Data Exfiltration

2025 0 cit.
77%
benchmark

In AI Sweet Harmony: Sociopragmatic Guardrail Bypasses and Evaluation-Awareness in OpenAI gpt-oss-20b

2025 0 cit.
77%
attack

OptiLeak: Efficient Prompt Reconstruction via Reinforcement Learning in Multi-tenant LLM Services

2026 0 cit.
75%
attack

Stronger Re-identification Attacks through Reasoning and Aggregation

2025 0 cit.
75%