benchmark 2026

ACIArena: Toward Unified Evaluation for Agent Cascading Injection

Hengyu An 1,2, Minxi Li 1, Jinghuai Zhang 3, Naen Xu 1, Chunyi Zhou 1, Changjiang Li 4, Xiaogang Xu 1, Tianyu Du 1,5, Shouling Ji 1

1 Zhejiang University

2 Tsinghua University

3 University of California, Los Angeles

4 Palo Alto Networks

5 Ningbo Global Innovation Center

0 citations
α

Published on arXiv

2604.07775

Prompt Injection

OWASP LLM Top 10 — LLM01

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Demonstrates that robust MAS require deliberate role design and controlled interaction patterns beyond topology; narrowly scoped defenses may introduce new vulnerabilities

ACIArena

Novel technique introduced

Collaboration and information sharing empower Multi-Agent Systems (MAS) but also introduce a critical security risk known as Agent Cascading Injection (ACI). In such attacks, a compromised agent exploits inter-agent trust to propagate malicious instructions, causing cascading failures across the system. However, existing studies consider only limited attack strategies and simplified MAS settings, limiting their generalizability and comprehensive evaluation. To bridge this gap, we introduce ACIArena, a unified framework for evaluating the robustness of MAS. ACIArena offers systematic evaluation suites spanning multiple attack surfaces (i.e., external inputs, agent profiles, inter-agent messages) and attack objectives (i.e., instruction hijacking, task disruption, information exfiltration). Specifically, ACIArena establishes a unified specification that jointly supports MAS construction and attack-defense modules. It covers six widely used MAS implementations and provides a benchmark of 1,356 test cases for systematically evaluating MAS robustness. Our benchmarking results show that evaluating MAS robustness solely through topology is insufficient; robust MAS require deliberate role design and controlled interaction patterns. Moreover, defenses developed in simplified environments often fail to transfer to real-world settings; narrowly scoped defenses may even introduce new vulnerabilities. ACIArena aims to provide a solid foundation for advancing deeper exploration of MAS design principles.

Key Contributions

  • Unified framework (ACIArena) for systematically evaluating multi-agent system robustness across multiple attack surfaces and objectives
  • Benchmark of 1,356 test cases covering six MAS implementations with attack strategies spanning external inputs, agent profiles, and inter-agent messages
  • Empirical findings showing topology-based robustness evaluation is insufficient and defenses from simplified environments often fail to transfer to real-world MAS

🛡️ Threat Analysis

Details

Domains
nlpmultimodal
Model Types
llm
Threat Tags
black_boxinference_timetargeted
Datasets
1,356 test cases (custom benchmark)
Applications
multi-agent systemscollaborative ai agentsagent-based workflows
Read PDF arXiv

Similar Papers

benchmark

ClawSafety: "Safe" LLMs, Unsafe Agents

2026 0 cit.
100%
benchmark

How Vulnerable Are AI Agents to Indirect Prompt Injections? Insights from a Large-Scale Public Competition

2026 0 cit.
100%
benchmark

Beyond Model Jailbreak: Systematic Dissection of the "Ten DeadlySins" in Embodied Intelligence

2025 0 cit.
93%
benchmark

$α^3$-SecBench: A Large-Scale Evaluation Suite of Security, Resilience, and Trust for LLM-based UAV Agents over 6G Networks

2026 1 cit.
88%
attack

ScamAgents: How AI Agents Can Simulate Human-Level Scam Calls

2025 0 cit.
88%
benchmark

SecureWebArena: A Holistic Security Evaluation Benchmark for LVLM-based Web Agents

2025 5 cit.
88%
benchmark

Code Agent can be an End-to-end System Hacker: Benchmarking Real-world Threats of Computer-use Agent

2025 4 cit.
88%
benchmark

TrinityGuard: A Unified Framework for Safeguarding Multi-Agent Systems

2026 0 cit.
87%