defense 2026

Spider-Sense: Intrinsic Risk Sensing for Efficient Agent Defense with Hierarchical Adaptive Screening

Zhenxiong Yu 1, Zhi Yang 1, Zhiheng Jin 1, Shuhe Wang 2, Heng Zhang 3, Yanlin Fei 4, Lingfeng Zeng 1, Fangqi Lou 1, Shuo Zhang 3, Tu Hu 3, Jingping Liu 5, Rongze Chen 3, Xingyu Zhu 6, Kunyi Wang 3, Chaofa Yuan 3, Xin Guo 1, Zhaowei Liu 1, Feipeng Zhang 7, Jie Huang 1, Huacan Wang 3, Ronghao Chen 3, Liwen Zhang 1

0 citations · 28 references · arXiv (Cornell University)

Published on arXiv

2602.05386

Prompt Injection

OWASP LLM Top 10 — LLM01

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Achieves the lowest Attack Success Rate and False Positive Rate among the compared defenses, with only 8.3% latency overhead over the undefended baseline

Spider-Sense (Intrinsic Risk Sensing)

Novel technique introduced


As large language models (LLMs) evolve into autonomous agents, their real-world applicability has expanded significantly, accompanied by new security challenges. Most existing agent defense mechanisms adopt a mandatory checking paradigm, in which security validation is forcibly triggered at predefined stages of the agent lifecycle. In this work, we argue that effective agent security should be intrinsic and selective rather than architecturally decoupled and mandatory. We propose the Spider-Sense framework, an event-driven defense framework based on Intrinsic Risk Sensing (IRS), which allows agents to maintain latent vigilance and trigger defenses only upon risk perception. Once triggered, Spider-Sense invokes a hierarchical defense mechanism that trades off efficiency and precision: it resolves known patterns via lightweight similarity matching while escalating ambiguous cases to deep internal reasoning, thereby eliminating reliance on external models. To facilitate rigorous evaluation, we introduce S²Bench, a lifecycle-aware benchmark featuring realistic tool execution and multi-stage attacks. Extensive experiments demonstrate that Spider-Sense achieves competitive or superior defense performance, attaining the lowest Attack Success Rate (ASR) and False Positive Rate (FPR), with only a marginal latency overhead of 8.3%.


Key Contributions

  • Spider-Sense framework using Intrinsic Risk Sensing (IRS) for event-driven, selective defense — agents trigger security checks only upon perceiving risk rather than at fixed mandatory checkpoints
  • Hierarchical defense mechanism combining lightweight similarity matching for known attack patterns with deep internal reasoning for ambiguous cases, eliminating reliance on external guard models
  • S²Bench: a lifecycle-aware benchmark with realistic tool execution and multi-stage attack scenarios for rigorous evaluation of LLM agent defenses

🛡️ Threat Analysis


Details

Domains
nlp
Model Types
llm
Threat Tags
inference_time
Datasets
S²Bench
Applications
autonomous llm agents, tool-using agents