defense 2026

Ghost in the Agent: Redefining Information Flow Tracking for LLM Agents

Yuandao Cai 1, Wensheng Tang 1, Cheng Wen 2, Shengchao Qin 2

1 The Hong Kong University of Science and Technology

2 Xidian University

0 citations
α

Published on arXiv

2604.23374

Prompt Injection

OWASP LLM Top 10 — LLM01

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Blue-Team Agents

LLMs for Security — LS07

Key Finding

Substantially outperforms FIDES baseline in source-sink propagation detection across 400 scenarios while operating offline with modest auditing cost

NeuroTaint

Novel technique introduced

Autonomous Large Language Model (LLM) agents are increasingly deployed to conduct complex tasks by interacting with external tools, APIs, and memory stores. However, processing untrusted external data exposes these agents to severe security threats, such as indirect prompt injection and unauthorized tool execution. Securing these systems requires effective information flow tracking. Yet, traditional taint analysis that is designed for program memory states fundamentally fails when applied to LLMs, where data propagation is governed by probabilistic natural language reasoning. In this paper, we present NeuroTaint, the first comprehensive taint tracking framework tailored for the unique information flow characteristics of LLM agents. Our key insight is that taint propagation in LLM agents must be understood not only as explicit content transfer, but also as semantic transformation, causal influence on decisions, and cross-session persistence through memory. NeuroTaint therefore audits execution traces offline to reconstruct provenance from untrusted sources to privileged sinks using semantic evidence, causal reasoning, and persistent context tracking, rather than relying on exact string matches or pre-defined source-sink paths alone. Extensive evaluation using TaintBench, our 400-scenario benchmark spanning 20 real-world agent frameworks, shows that NeuroTaint substantially outperforms FIDES, an information-flow-control (IFC)-style baseline for LLM agents, in source-sink propagation detection. We further show that NeuroTaint remains effective on established agent-security benchmarks, including InjecAgent and ToolEmu, while operating offline with modest additional auditing cost.

Key Contributions

  • NeuroTaint: first comprehensive taint tracking framework for LLM agents using semantic reasoning and causal influence tracking instead of exact string matching
  • TaintBench: 400-scenario benchmark spanning 20 real-world agent frameworks for evaluating information flow tracking
  • Offline provenance reconstruction that tracks taint propagation through semantic transformation, tool calls, and cross-session memory persistence

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
inference_timeblack_box
Datasets
TaintBenchInjecAgentToolEmu
Applications
llm agentsautonomous ai systemstool-using llms
Read PDF arXiv

Similar Papers

defense

AgentSentry: Mitigating Indirect Prompt Injection in LLM Agents via Temporal Causal Diagnostics and Context Purification

2026 0 cit.
100%
defense

ClawGuard: A Runtime Security Framework for Tool-Augmented LLM Agents Against Indirect Prompt Injection

2026 0 cit.
100%
defense

CASCADE: A Cascaded Hybrid Defense Architecture for Prompt Injection Detection in MCP-Based Systems

2026 0 cit.
100%
defense

Introducing the Generative Application Firewall (GAF)

2026 0 cit.
100%
defense

ToolSafe: Enhancing Tool Invocation Safety of LLM-based agents via Proactive Step-level Guardrail and Feedback

2026 2 cit.
100%
defense

VIGIL: Defending LLM Agents Against Tool Stream Injection via Verify-Before-Commit

2026 1 cit.
100%
defense

Breaking the Protocol: Security Analysis of the Model Context Protocol Specification and Prompt Injection Vulnerabilities in Tool-Integrated LLM Agents

2026 0 cit.
100%
defense

Securing the Model Context Protocol: Defending LLMs Against Tool Poisoning and Adversarial Attacks

2025 5 cit.
100%