OpenEvoShield: Dual Non-Stationary Continual Defense for Open-World Multi-Agent System Attacks

1. Introduction

LLM-based multi-agent systems (LLM-MAS) are deployed in safety-critical applications such as software engineering, scientific workflows, and medical decision-making [1,2,3,4]. These systems expose a distinctive attack surface: adversaries inject malicious instructions through inter-agent communication, propagating harmful behaviors across the network [5,6]. Real-time detection is critical, as infiltration can compromise the system before irreparable damage occurs [7,8].

Existing defenses for LLM-MAS broadly fall into two categories: static rule-based filters screening inter-agent messages [5,6], and learning-based detectors trained on labeled attack data [7,9]. Both achieve competitive performance in controlled benchmarks, yet share a common limitation: their efficacy hinges on treating the agent environment as a closed, fixed-distribution system, a condition that open-world deployments rarely satisfy [10], as illustrated in Figure 1 (a).

However, real-world LLM-MAS operate in open, continuously evolving environments that violate this closed-world assumption. Attack patterns are inherently dynamic, as adversaries iteratively refine their strategies against deployed defenses, causing detection models trained on historical data to degrade [11,12]. Normal agent behaviors are equally dynamic, as systems onboard new agents, acquire new tools, and expand into new task domains, causing legitimate behavioral patterns to drift from the training distribution [2,13]. These concurrent, asymmetric shifts create a dual non-stationarity, illustrated in Figure 1 (b), that existing defenses have yet to jointly address.

This leads us to ask: can a defense mechanism simultaneously cover both fronts of dual non-stationarity, adapting to evolving attack patterns while tracking shifting normal agent behaviors? We observe that the two fronts demand fundamentally different adaptation strategies: attack detection requires rapid updates to stay ahead of adversarial evolution, while normal behavior modeling requires gradual recalibration to distinguish genuine drift from adversarial perturbation. We seek to build a co-evolutionary paradigm that decouples these two objectives, assigning asymmetric update rates to each component and enabling them to inform each other through shared contextual signals.

Realizing this paradigm is non-trivial and presents three key challenges. First, forgetting: fast-rate adaptation to evolving patterns progressively overwrites prior detection knowledge, degrading recognition of earlier attack variants and risking misidentification of familiar normal behaviors as anomalous [14]. Second, robustness: precisely disentangling adversarially-induced drift from legitimate behavioral drift in real time is non-trivial, as conflating the two sources leads to either missed attacks or excessive false alarms [15]. Third, generalization: adversaries continuously introduce novel attack strategies outside the training distribution, which existing detectors tend to misclassify as normal, leaving the system exposed in open-world deployments [16,17].

To address these challenges, we propose OpenEvoShield (Figure 1(c)), a co-evolutionary continual defense framework for LLM-MAS comprising four synergistic modules. Motivated by the weak-to-strong signal escalation paradigm [18], the Asymmetric Co-Evolutionary Rate Controller (M1) serves as the orchestration core: it computes dual drift signals from both fronts in real time and outputs asymmetric learning rates—a fast rate ${\alpha }_{\mathrm{att}}$ for attack-side adaptation and a slow rate ${\alpha }_{\mathrm{norm}}$ for normal-side recalibration—directly addressing the robustness challenge. Driven by these rates, the Normal-Side Boundary Updater (M2) employs a generative process reward model for slow-rate maintenance of a dynamic normal behavior boundary, while the Attack-Side Policy Updater (M3) fast-updates a detection policy ensemble through online co-evolutionary learning with elastic weight consolidation regularization [19]—preventing catastrophic forgetting and addressing the forgetting challenge. Finally, the Open-World Multi-Granularity Detector (M4) fuses outputs from M2 and M3, aggregating node-, subgraph-, and graph-level anomaly evidence through hierarchical graph neural encoding , augmented with an energy-based out-of-distribution head that flags novel attack strategies as Unknown—addressing the generalization challenge.

Our contributions are summarized as follows: (1) We formalize dual non-stationarity (concurrent attack-strategy and normal-behavior drift in LLM-MAS) as a fundamental unaddressed security challenge. (2) We introduce M1, an asymmetric rate controller decoupling fast attack-side from slow normal-side learning rates via dual drift signals. (3) We develop OpenEvoShield with M2 (normal-boundary updater), M3 (EWC-regularized policy ensemble), and M4, an energy-based multi-granularity OOD detector. (4) Extensive experiments show OpenEvoShield outperforms static and continual baselines across deployment phases with low false positive rates.

2. OpenEvoShield

As illustrated in Figure 2, OpenEvoShield comprises four modules that address dual non-stationarity in LLM-MAS security through a co-evolutionary continual defense pipeline.

OpenEvoShield processes each round’s communication graph through four modules in sequence: (1) Asymmetric Co-Evolutionary Rate Controller computes dual drift signals from both fronts, outputting asymmetric update rates that orchestrate co-evolutionary adaptation of both components; (2) Normal-Side Boundary Updater performs slow-rate recalibration of the normal boundary via a generative reward model; (3) Attack-Side Policy Updater performs fast-rate updating of the detection policy ensemble through co-evolutionary mutual verification with EWC anti-forgetting regularization; (4) Open-World Multi-Granularity Detector fuses node-, subgraph-, and graph-level anomaly scores with an energy-based OOD head, yielding the final attack detection decision.

2.1. Problem Formulation

We consider an LLM-MAS operating across T deployment rounds. At round t, the system generates a communication graph ${\mathcal{G}}^{\left(t\right)}=({\mathcal{V}}^{\left(t\right)},{\mathcal{E}}^{\left(t\right)},{\mathbf{X}}^{\left(t\right)})$ as defined above. Each graph is associated with a ground-truth label $y^{\left(t\right)}\in \{0,1\}\cup {\mathcal{C}}_{\mathrm{att}}$, where $y^{\left(t\right)}=0$ indicates normal behavior, $y^{\left(t\right)}=1$ indicates an attack from a known category in ${\mathcal{C}}_{\mathrm{att}}$, and novel attack types may appear at any round.

The dual non-stationarity assumption posits that both the attack distribution $P_{\mathrm{att}}^{\left(t\right)}$ and the normal distribution $P_{\mathrm{norm}}^{\left(t\right)}$ shift continuously across rounds, i.e., $P_{\mathrm{att}}^{\left(t\right)}\ne P_{\mathrm{att}}^{\left(t^{\prime }\right)}$ and $P_{\mathrm{norm}}^{\left(t\right)}\ne P_{\mathrm{norm}}^{\left(t^{\prime }\right)}$ for $t\ne t^{\prime }$.

OpenEvoShield aims to learn a defense framework ${\mathcal{F}}^{\left(t\right)}$ that produces reliable predictions while co-adapting to both non-stationary fronts:

$${\widehat{y}}^{\left(t\right)}={\mathcal{F}}^{\left(t\right)}({\mathcal{G}}^{\left(t\right)};B_{\mathrm{norm}}^{\left(t\right)},{\pi }^{\left(t\right)}),\mathrm{s}.\mathrm{t}.{\mathcal{F}}^{\left(t\right)}\mathrm{co}-\mathrm{evolves}\mathrm{with}{P}_{\mathrm{att}}^{\left(t\right)}\mathrm{and}{P}_{\mathrm{norm}}^{\left(t\right)}.$$

(1)

2.2. Asymmetric Co-Evolutionary Rate Controller (M1)

Defending against dual non-stationarity requires disentangling adversarially-driven attack evolution from legitimate behavioral drift in real time. Motivated by alignment research on signal escalation [20], M1 converts each front’s latent drift signal into a calibrated asymmetric update rate via differentiable thresholding. However, the alignment escalation paradigm is ill-suited for direct adoption, as it presupposes a fixed supervisor rather than two co-evolving adaptation targets. We therefore design an asymmetric co-evolutionary rate controller that generates differential update rates, assigning faster adaptation to the attack front and slower recalibration to the normal front.

Dual Drift Signals.

To disentangle the two forms of shift, M1 maintains a rolling history window ${\mathcal{H}}^{(t-W:t-1)}=\{{\mathcal{G}}^{(t-W)},\dots ,{\mathcal{G}}^{(t-1)}\}$ and computes two complementary signals at each round: the attack-side signal ${\mathsf{\Delta }}_{\mathrm{att}}^{\left(t\right)}$ measures distributional proximity to the attack front via excess KL divergence, and the normal-side signal ${\mathsf{\Delta }}_{\mathrm{norm}}^{\left(t\right)}$ captures semantic deviation from established normal traffic:

$$\begin{array}{cc}\hfill {\mathsf{\Delta }}_{\mathrm{att}}^{\left(t\right)}& =D_{\mathrm{KL}}\left({\mathcal{G}}^{\left(t\right)}\parallel {\widehat{P}}_{\mathrm{att}}^{(t-1)}\right)-D_{\mathrm{KL}}\left({\mathcal{G}}^{\left(t\right)}\parallel {\widehat{P}}_{\mathrm{norm}}^{(t-1)}\right),\hfill \end{array}$$

(2)

$$\begin{array}{cc}\hfill {\mathsf{\Delta }}_{\mathrm{norm}}^{\left(t\right)}& =1-cos\left(\mathrm{SentEmb}\left({\mathbf{m}}^{\left(t\right)}\right),{\mu }_{\mathrm{norm}}^{(t-W:t-1)}\right),\hfill \end{array}$$

(2)

where ${\widehat{P}}_{\mathrm{att}}^{(t-1)}$ and ${\widehat{P}}_{\mathrm{norm}}^{(t-1)}$ are empirical distributions estimated from the history window; $\mathrm{SentEmb}(·)$ is a sentence encoder; ${\mathbf{m}}^{\left(t\right)}$ is the dominant message content at round t; and ${\mu }_{\mathrm{norm}}^{(t-W:t-1)}$ is the mean semantic embedding of normal traffic over the history window.

Asymmetric Soft-Threshold Update Rates.

The two drift signals are converted into calibrated update rates via differentiable soft-threshold functions:

$$\begin{array}{cc}\hfill {\alpha }_{\mathrm{att}}^{\left(t\right)}& ={\alpha }_{\mathrm{fast}}·\sigma \left(({\mathsf{\Delta }}_{\mathrm{att}}^{\left(t\right)}-{\theta }_{\mathrm{att}})/\tau \right)+{\alpha }_{min},\hfill \end{array}$$

(4)

$$\begin{array}{cc}\hfill {\alpha }_{\mathrm{norm}}^{\left(t\right)}& ={\alpha }_{\mathrm{slow}}·\sigma \left(({\mathsf{\Delta }}_{\mathrm{norm}}^{\left(t\right)}-{\theta }_{\mathrm{norm}})/\tau \right)+{\alpha }_{min},\hfill \end{array}$$

(4)

where $\sigma (·)$ is the sigmoid function; ${\alpha }_{\mathrm{fast}}\gg {\alpha }_{\mathrm{slow}}$ enforces the asymmetric adaptation constraint; ${\theta }_{\mathrm{att}},{\theta }_{\mathrm{norm}}$ are learnable thresholds separating genuine drift from noise; $\tau$ controls threshold sharpness; and ${\alpha }_{min}$ ensures continuous background adaptation. The outputs $({\alpha }_{\mathrm{att}}^{\left(t\right)},{\alpha }_{\mathrm{norm}}^{\left(t\right)})$ are passed to the normal supervisor and the detection updater as their respective learning rates, realizing the co-evolutionary asymmetric adaptation at the core of OpenEvoShield.

2.3. Normal-Side Boundary Updater (M2)

Driven by the slow update rate ${\alpha }_{\mathrm{norm}}^{\left(t\right)}$ from M1, M2 characterizes the normal behavioral regime through two complementary outputs: a three-dimensional normalcy score ${\mathbf{s}}_{\mathrm{norm}}^{\left(t\right)}$ that certificates trajectory-level semantic normality in text space, and a dynamic normal boundary $B_{\mathrm{norm}}^{\left(t\right)}$ in the graph latent space for M4’s graph-level anomaly scoring. Both are updated at the slow rate ${\alpha }_{\mathrm{norm}}^{\left(t\right)}$ to sustain stable adaptation under dual non-stationarity.

Three-Dimensional Normalcy Scoring.

At each round t, M1 processes the recent message trajectory ${\mathbf{m}}^{(t-w:t)}$ through a generative PRM to produce ${\mathbf{s}}_{\mathrm{norm}}^{\left(t\right)}=(s_{\mathrm{sem}},s_{\mathrm{str}},s_{\mathrm{tmp}})\in {[0,1]}^3$, a triple measuring semantic coherence, structural regularity, and temporal consistency of the trajectory:

$${\mathbf{s}}_{\mathrm{norm}}^{\left(t\right)}=\mathrm{GenPRM}\left({\mathbf{m}}^{(t-w:t)};{\theta }_{M2}\right).$$

(5)

Concretely, $\mathrm{GenPRM}$ is implemented as a frozen pre-trained LLM backbone with LoRA adapters [21]: the trajectory is serialized into a structured text sequence, and three MLP heads project the pooled representation into the three scores (backbone architecture and fine-tuning details in Appendix A.2). These scores serve as a normalcy certificate passed to M4.

Normal Boundary in Latent Space.

While ${\mathbf{s}}_{\mathrm{norm}}^{\left(t\right)}$ operates in the semantic text space, M1 additionally maintains a dynamic normal boundary $B_{\mathrm{norm}}^{\left(t\right)}$ in the graph latent space, enabling Mahalanobis-distance-based graph-level anomaly scoring in M4. This boundary adapts to the actual shape of the normal distribution rather than assuming a fixed spherical region, accommodating the anisotropic structure of real agent behavioral patterns:

$$B_{\mathrm{norm}}^{\left(t\right)}=\left\{\mathbf{z}\in {\mathbb{R}}^d:{(\mathbf{z}-{\mu }^{\left(t\right)})}^{\top }{\left({\mathsf{\Sigma }}^{\left(t\right)}\right)}^{-1}(\mathbf{z}-{\mu }^{\left(t\right)})\le r^{\left(t\right)}\right\},$$

(6)

where ${\mu }^{\left(t\right)}$ is the rolling centroid of normal latent representations, ${\mathsf{\Sigma }}^{\left(t\right)}$ captures the covariance structure of the normal manifold, and $r^{\left(t\right)}$ is calibrated so that $95\%$ of historical normal representations fall within $B_{\mathrm{norm}}^{\left(t\right)}$. Both parameters are updated via exponential moving average at rate ${\alpha }_{\mathrm{norm}}^{\left(t\right)}$:

$$\begin{array}{cc}\hfill {\mu }^{\left(t\right)}& =(1-{\alpha }_{\mathrm{norm}}^{\left(t\right)}){\mu }^{(t-1)}+{\alpha }_{\mathrm{norm}}^{\left(t\right)}{\mathbf{z}}^{\left(t\right)},\hfill \end{array}$$

(8)

$$\begin{array}{cc}\hfill {\mathsf{\Sigma }}^{\left(t\right)}& =(1-{\alpha }_{\mathrm{norm}}^{\left(t\right)}){\mathsf{\Sigma }}^{(t-1)}+{\alpha }_{\mathrm{norm}}^{\left(t\right)}({\mathbf{z}}^{\left(t\right)}-{\mu }^{\left(t\right)}){({\mathbf{z}}^{\left(t\right)}-{\mu }^{\left(t\right)})}^{\top },\hfill \end{array}$$

(8)

where ${\mathbf{z}}^{\left(t\right)}=f_{\mathrm{enc}}\left({\mathcal{G}}^{\left(t\right)}\right)$ is the GNN encoder output. Together, ${\mathbf{s}}_{\mathrm{norm}}^{\left(t\right)}$ and $B_{\mathrm{norm}}^{\left(t\right)}$ are passed to M4 as the normalcy reference for final anomaly scoring.

2.4. Attack-Side Policy Updater (M3)

Driven by ${\alpha }_{\mathrm{att}}^{\left(t\right)}$ from M1, M3 fast-rate updates a detection policy ensemble to track evolving attack patterns. Direct fine-tuning on each new round causes catastrophic forgetting; we therefore combine co-evolutionary mutual verification [22] with EWC regularization [19] to achieve plasticity without erasing prior detection knowledge.

Co-Evolutionary Detection Reward.

M3 maintains an ensemble of K detection policies $\pi =\{{\pi }_1,\dots ,{\pi }_K\}$, where each ${\pi }_i$ is a lightweight GAT-based classifier [23]. At each round t, policy ${\pi }_i$ issues prediction ${\widehat{y}}_i^{\left(t\right)}$, and receives a co-evolutionary reward:

$$r_i^{\left(t\right)}=\mathrm{F}1\left({\widehat{y}}_i^{\left(t\right)},{\overline{y}}^{\left(t\right)}\right)-\beta ·\mathbf{1}\left[{\widehat{y}}_i^{\left(t\right)}\ne \mathrm{majority}\left({\widehat{y}}_{-i}^{\left(t\right)}\right)\right],$$

(9)

where ${\overline{y}}^{\left(t\right)}$ is the ground-truth, ${\widehat{y}}_{-i}^{\left(t\right)}$ denotes the predictions of all policies except ${\pi }_i$, and $\beta >0$ penalizes deviation from the majority. This incentivizes individual accuracy and ensemble consistency.

Anti-Forgetting Objective.

M3 maintains a Fisher information diagonal ${\mathbf{F}}_i=\left\{F_{ij}\right\}$ for each ${\pi }_i$, estimated incrementally from previous rounds. The anti-forgetting objective integrates EWC regularization against prior parameters ${\pi }_i^{*(t-1)}$ into the policy learning target:

$$\begin{array}{cc}\hfill {\mathcal{L}}_{\mathrm{EWC}}\left({\pi }_i\right)& =\sum _j{F}_{ij}·{({\pi }_{ij}-{\pi }_{ij}^{*(t-1)})}^2,\hfill \end{array}$$

(11)

$$\begin{array}{cc}\hfill J\left({\pi }_i\right)& =\mathbb{E}\left[r_i^{\left(t\right)}·log{\pi }_i({\widehat{y}}_i^{\left(t\right)}\mid {\mathcal{G}}^{\left(t\right)})\right]-{\lambda }_{\mathrm{EWC}}{\mathcal{L}}_{\mathrm{EWC}}\left({\pi }_i\right),\hfill \end{array}$$

(11)

where ${\lambda }_{\mathrm{EWC}}$ balances plasticity against stability. Each policy is then updated at the fast rate ${\alpha }_{\mathrm{att}}^{\left(t\right)}$:

$${\pi }_i^{(t+1)}={\pi }_i^{\left(t\right)}+{\alpha }_{\mathrm{att}}^{\left(t\right)}·{\nabla }_{{\pi }_i}J\left({\pi }_i\right).$$

(12)

The updated ensemble ${\pi }^{(t+1)}$, together with $B_{\mathrm{norm}}^{\left(t\right)}$ from M2, is passed to M4 for final detection.

2.5. Open-World Multi-Granularity Detector (M4)

LLM-MAS attacks manifest at varying structural scales: node-level infiltration, subgraph-level coordination, and whole-graph behavioral deviation, none of which is fully captured by a single-scale detector. Receiving ${\pi }^{\left(t\right)}$ from M3 and $B_{\mathrm{norm}}^{\left(t\right)}$ from M2, M4 aggregates multi-granularity anomaly evidence [17] and identifies novel attacks outside the training distribution via an energy-based OOD head [16], yielding $({\widehat{y}}^{\left(t\right)},{\widehat{c}}^{\left(t\right)},{\mathrm{conf}}^{\left(t\right)})$.

Dual-Source Multi-Granularity Scoring.

M4 computes anomaly scores at three structural granularities using two upstream sources: the policy ensemble ${\pi }^{\left(t\right)}$ for local detection and the normal boundary $B_{\mathrm{norm}}^{\left(t\right)}$ for geometric reference. The node-level score $s_{\mathrm{node}}\left(v_i\right)={\parallel {\mathbf{h}}_i-f_{\mathrm{node}}\left({\left\{{\mathbf{h}}_j\right\}}_{j\in \mathcal{N}\left(i\right)}\right)\parallel }_2^2$ measures reconstruction deviation of each GNN node embedding. The subgraph-level score aggregates node scores over representative subgraphs $N_i$ [17]:

$$s_{\mathrm{sub}}\left(N_i\right)=\mathrm{ReadOut}\left({\left\{s_{\mathrm{node}}\left(v_j\right)\right\}}_{j\in N_i}\right)-f_{\mathrm{sub}}\left(\mathrm{GraphPool}\left(N_i\right)\right).$$

(13)

The graph-level score is the Mahalanobis distance to $B_{\mathrm{norm}}^{\left(t\right)}$:

$$s_{\mathrm{graph}}\left({\mathcal{G}}^{\left(t\right)}\right)={({\mathbf{z}}^{\left(t\right)}-{\mu }^{\left(t\right)})}^{\top }{\left({\mathsf{\Sigma }}^{\left(t\right)}\right)}^{-1}({\mathbf{z}}^{\left(t\right)}-{\mu }^{\left(t\right)}).$$

(14)

The three scores are fused into a per-node anomaly score via attention weights $w_{\kappa }=\mathrm{softmax}\left({\mathbf{q}}^{\top }{\mathbf{k}}_{\kappa }\right)$: ${\mathrm{score}}_i={\sum }_{\kappa }{w}_{\kappa }·s_{\kappa }$, where $\mathbf{q}$ is a global graph query and ${\mathbf{k}}_{\kappa }$ are granularity keys.

Open-World Novel Attack Identification.

To detect attack types outside the training distribution, M4 appends an energy-based OOD head [16]. The energy score $E\left({\mathcal{G}}^{\left(t\right)}\right)=-log{\sum }_{c=1}^{C}exp\left(f_c\left({\mathcal{G}}^{\left(t\right)}\right)\right)$ assigns low values to in-distribution inputs and high values to OOD inputs, where $f_c(·)$ is the logit for known attack class c. With threshold ${\mathcal{E}}_{\mathrm{thr}}$ calibrated by conformal prediction on a held-out validation set, the predicted attack type is ${\widehat{c}}^{\left(t\right)}=arg{max}_c{f}_c\left({\mathcal{G}}^{\left(t\right)}\right)$ if $E<{\mathcal{E}}_{\mathrm{thr}}$, and Unknown otherwise. The head is trained with an energy margin loss:

$${\mathcal{L}}_{\mathrm{OOD}}={\mathbb{E}}_{\mathrm{in}}\left[max{(0,E-m_{\mathrm{in}})}^2\right]+{\mathbb{E}}_{\mathrm{out}}\left[max{(0,m_{\mathrm{out}}-E)}^2\right],$$

(15)

where $m_{\mathrm{in}}<m_{\mathrm{out}}$ enforce an energy margin between in- and out-of-distribution samples. The complete output $({\widehat{y}}^{\left(t\right)},{\widehat{c}}^{\left(t\right)},{\mathrm{conf}}^{\left(t\right)})$ constitutes the final decision of OpenEvoShield for round t.

2.6. Training Objective

The overall objective accumulated over T rounds is:

$$\underset{\mathcal{F}}{min}{\mathbb{E}}_{t=1}^T\left[{\mathcal{L}}_{\det }^{\left(t\right)}+{\lambda }_{\mathrm{EWC}}{\mathcal{L}}_{\mathrm{EWC}}^{\left(t\right)}+{\lambda }_{\mathrm{OOD}}{\mathcal{L}}_{\mathrm{OOD}}^{\left(t\right)}\right],$$

(16)

where ${\mathcal{L}}_{\det }^{\left(t\right)}$ is the binary cross-entropy loss for attack node classification, ${\mathcal{L}}_{\mathrm{EWC}}^{\left(t\right)}$ (Eq. (10)) is the EWC anti-forgetting regularizer, and ${\mathcal{L}}_{\mathrm{OOD}}^{\left(t\right)}$ (Eq. (15)) is the energy margin loss for the OOD head. Hyperparameters ${\lambda }_{\mathrm{EWC}}$ and ${\lambda }_{\mathrm{OOD}}$ are tuned on a held-out validation set.

3. Experiments

We investigate four research questions: RQ1 Does OpenEvoShield outperform static defenses under a standard single-phase benchmark? RQ2 How does it sustain defense under the Dual Non-Stationary Deployment (DNSD) setting over 100 rounds? RQ3 What does each component contribute to the overall capability? RQ4 Can OpenEvoShield detect and adapt to previously unseen attack patterns while keeping false positives low?

3.1. Experimental Setup

Datasets. We evaluate on five attack benchmarks following [5] and [24]: (1)PI (CSQA/MMLU/GSM8K) [25,26,27]:Prompt Injection attacks with misleading samples sourced from three QA datasets; (2)TA (InjecAgent) [24]: Tool Exploitation attacks via indirect prompt injection; (3)MA (PoisonRAG) [28]: Memory Poisoning attacks that corrupt agent retrieval memory.

Baselines. We compare against eight defenses spanning node-based methods (AgentSafe [11]; Challenger and Inspector [29]), graph-based methods (G-Safeguard [5]; GUARDIAN [7]; INFA-GUARD [9]), and a naive continual baseline (Naive-Continual, implemented as EWC-INFA-GUARD [19]). Full descriptions and hyperparameter settings are in Appendix A.1.

Evaluation Metrics. We report ASR@k (Attack Success Rate, ↓) and MDSR@k (MAS Defense Success Rate, ↑) following [5], plus FPR (false positive rate on benign agents, ↓) and Novel-DR (detection rate on held-out novel attack categories, ↑).

Dual Non-Stationary Deployment (DNSD) Setting. We run $T=100$ rounds across three phases: Phase I (Warm-up, rounds 1–30): stable initial attack and normal-behavior distributions; Phase II (Co-evolution, rounds 31–70): a new attack variant injected every 5 rounds while the normal-agent embedding distribution shifts concurrently; Phase III (Open-world, rounds 71–100): fully unseen attack categories from four held-out types alongside continued normal-behavior drift. Static baselines train on Phase I data only; OpenEvoShield and Naive-Continual adapt online throughout.

Implementation Details. All experiments use Gemini 1.5 Flash-Lite as the backbone LLM; full hyperparameter settings, topology configurations, and hardware specifications are in Appendix A.2.

3.2. Main Results

Table 1 and Table 2 together address RQ1 and RQ2, benchmarking OpenEvoShield against nine baselines across a standard single-phase static setting and the full DNSD long-horizon deployment.

Static comparison (RQ1).OpenEvoShield achieves the lowest ASR@3 and highest MDSR@3 across all five benchmarks, reducing ASR@3 over INFA-GUARD by $1.7$–$3.2$ pp via M4’s multi-granularity anomaly scoring, which captures subgraph-level coordination missed by both single-node and binary-infection classifiers. Even Naive-Continual modestly outperforms static INFA-GUARD, confirming that continual adaptation yields gains irrespective of sophistication.

DNSD comparison (RQ2).Table 2 reveals a clear divergence once attacks evolve. Phase I performance is comparable across all methods, confirming no early-phase adaptation overhead. In Phase II, INFA-GUARD’s CSQA ASR surges from $23.3\%$ to $45.8\%$ (+22.5 pp) as its static classifier overfits to Phase I prototypes, while OpenEvoShield rises only $20.1\%\to 24.5\%$ (+4.4 pp) with M1 absorbing each distribution shift and M3 re-learning within 5–8 rounds. In Phase III, static baselines average below $7.2\%$ Novel-DR with INFA-GUARD reaching only $3.1\%$; Naive-Continual improves to $19.3\%$ but plateaus without an OOD scoring head. OpenEvoShield’s M4 achieves $\mathbf{61}.\mathbf{8}\%$ Novel-DR—$42.5$ pp above Naive-Continual—while sustaining the lowest Phase III ASR.

3.3. Ablation Study

To answer RQ3, Table 3 reports all three deployment phases plus FPR, exposing precision-recall trade-offs invisible to ASR alone.

Module ablations. M3 (Policy Updater) is the most critical: its removal raises Phase II ASR by $+13.4$ pp and collapses Phase III Novel-DR to $35.8\%$ ($-26.0$ pp). M1’s removal nearly doubles FPR ($4.2\%\to 8.5\%$), as uncontrolled update rates cause the system to over-adapt and misclassify normal agents. M2’s removal produces the highest FPR of any variant (Phase III: $14.5\%$), since the normal-agent threshold drifts stale without EMA-based boundary updates. Replacing M4 with direct ensemble majority vote collapses Phase III Novel-DR to $0.0\%$ and degrades MDSR by $8.7$ pp, confirming that M4’s multi-granularity fusion and OOD head are necessary for open-world generalization.

Design ablations. Removing the OOD head yields $0.0\%$ Phase III Novel-DR yet achieves the lowest FPR ($3.2\%$)—a precision-recall trade-off: accurate on known attacks, blind to unseen ones. Without EWC, FPR grows from $4.2\%$ to $11.8\%$ across phases, consistent with catastrophic forgetting eroding the normal-agent boundary. Symmetric rates and node-only scoring each degrade Phase II ASR by $5.1$ and $3.7$ pp, confirming the necessity of asymmetric adaptation and multi-granularity embeddings.

3.4. Parameter Analysis

Figure 3 reports MDSR sensitivity to four hyperparameters. The history window $W=20$ balances drift-estimation fidelity against stale-signal dilution. The asymmetric rate ratio ${\alpha }_{\mathrm{fast}}/{\alpha }_{\mathrm{slow}}=10$ captures the timescale gap between fast-evolving attacks and slowly drifting normal behavior; halving or quintupling the ratio degrades Phase II MDSR by $1.7$ and $6.2$ pp, respectively. Ensemble size $K=3$ saturates diversity gains ($<0.5\%$ beyond $K=3$), while ${\lambda }_{\mathrm{EWC}}=1.0$ balances plasticity against forgetting ($\lambda =0.01$ collapses Phase III MDSR by $8.7\%$; $\lambda =10$ drops Phase II by $4.8\%$).

We therefore adopt $W=20$, ${\alpha }_{\mathrm{fast}}/{\alpha }_{\mathrm{slow}}=10$, $K=3$, and ${\lambda }_{\mathrm{EWC}}=1.0$ as defaults for all experiments. Other hyperparameters—M2’s boundary ${\theta }_{\mathrm{norm}}$ and M4’s energy margins $(m_{\mathrm{in}},m_{\mathrm{out}})$—are calibrated via conformal prediction on a held-out validation set; full sensitivity are in Appendix A.2.

3.5. Long-Term Defense Analysis

To further examine RQ2, Figure 4 analyzes two fine-grained aspects of long-term adaptation invisible in Table 2: whether M1/M3 produce bounded, recoverable dips under each attack injection, and whether the embedding-based defense generalises across all four MAS topologies.

Injection recovery. (Figure 4(a)) Each of the eight Phase II attack injections causes only a $1.5$–$2.5$ pp MDSR dip in OpenEvoShield, with M1 flagging the KL-divergence spike and M3 restoring performance within 5–8 rounds—confirming H1. INFA-GUARD instead degrades ($92.5\%\to 51.8\%$), and Naive-Continual declines persistently, as neither possesses an explicit drift-detection trigger.

Topology robustness. (Figure 4(b)) OpenEvoShield surpasses $80\%$ on all four topologies (chain $80.5\%$, tree $82.8\%$, star $85.3\%$, random $83.5\%$). M1–M4’s embedding-based design incurs no structural bias toward any MAS topology. INFA-GUARD and Naive-Continual remain below $63\%$ and $72\%$ on every topology, showing that static defenses degrade irrespective of graph structure.

3.6. OOD Novel Attack Detection

To address RQ4, we evaluate OpenEvoShield on four novel attack categories absent from the training distribution, and jointly track the false positive rate across all three deployment phases. An attack is considered OOD if its sub-type and trigger semantics differ from all variants seen during training; full construction protocol is in Appendix A.3. The four categories are: Novel-PI (new trigger phrasings), Novel-TA (undocumented API side-channels), Novel-MA (context-window flooding), X-domain (attacks ported from a different MAS task domain).

Novel attack detection.OpenEvoShield achieves consistent OOD detection across all four categories (avg $61.8\%$, Figure 5 left), driven by M4’s energy-based head. Novel-MA is highest ($71.5\%$) due to distinctive temporal residuals; X-domain is hardest ($52.2\%$) from semantic overlap with normal reasoning. INFA-GUARD averages only $3.1\%$ and Naive-Continual $19.3\%$, as neither possesses an explicit OOD scoring mechanism.

False positive rate. Phase I FPR ($3.5\%$) is $45.3\%$ lower than GUARDIAN ($6.4\%$). M2’s EMA updater limits Phase III FPR to $4.8\%$ vs. GUARDIAN’s $9.2\%$ by continuously refining ${\delta }_t$ with ${\alpha }_{\mathrm{slow}}$ to track normal-behavior drift without widening the detection envelope.

4. Related Work

4.1. LLM-MAS and Emerging Attack Surfaces

LLM-based multi-agent systems (LLM-MAS) extend single-agent LLM applications to collaborative workflows where specialized agents communicate, invoke tools, access memory, and delegate subtasks over multiple interaction rounds [1,2,3,4,13]. While these systems improve task decomposition and tool-augmented reasoning, they also introduce broader attack surfaces. Malicious content may enter through external observations or tool outputs [24,30], persist in memory or retrieval modules [28,31,32], and propagate through inter-agent communication [12,33,34]. These risks make LLM-MAS security more complex than single-agent prompt-level defense.

4.2. Safeguarding LLM-MAS

Existing safeguards for LLM-MAS mainly include local and structure-aware defenses. Local methods inspect individual agents, messages, tool calls, or memory accesses through filtering, access control, or monitoring [11,29,35]. Structure-aware methods further model multi-agent collaboration as interaction graphs to detect abnormal agents, edges, or communication patterns [5,6,7,8,9]. These studies provide important foundations for LLM-MAS security, but most focus on fixed deployment settings and do not fully consider evolving attacks together with changing benign agent behaviors.

5. Conclusion

We presented OpenEvoShield, a co-evolutionary continual defense framework for LLM-MAS that decouples fast attack-side adaptation from slow normal-side recalibration under dual non-stationarity. Validated over 100 deployment rounds, the framework underscores the need to distinguish malicious evolution from legitimate behavioral drift in open-world LLM-MAS security. Future work will explore adaptive adversaries, richer deployment scenarios, and efficient real-time scoring.

6. NeurIPS Paper Checklist

• Claims
  Question: Do the main claims made in the abstract and introduction accurately reflect the paper’s contributions and scope?
  Answer: [Yes]
  Justification: The abstract and introduction accurately summarize the proposed PropGuard framework and its scope. The stated claims are supported by the method design and experimental evaluation across four communication architectures and five attack settings, without claiming theoretical guarantees beyond the evaluated settings.
  Guidelines:
  • The answer [NA] means that the abstract and introduction do not include the claims made in the paper.
  • The abstract and/or introduction should clearly state the claims made, including the contributions made in the paper and important assumptions and limitations. A [No] or [NA] answer to this question will not be perceived well by the reviewers.
  • The claims made should match theoretical and experimental results, and reflect how much the results can be expected to generalize to other settings.
  • It is fine to include aspirational goals as motivation as long as it is clear that these goals are not attained by the paper.
• Limitations
  Question: Does the paper discuss the limitations of the work performed by the authors?
  Answer: [Yes]
  Justification: The paper includes a Limitations Appendix F discussing that, although PropGuard is evaluated across multiple architectures, tasks, and attack scenarios, real-world LLM-MAS applications may be more diverse and complex. The paper identifies broader real-world agent evaluation as an important direction for future work.
  Guidelines:
  • The answer [NA] means that the paper has no limitation while the answer [No] means that the paper has limitations, but those are not discussed in the paper.
  • The authors are encouraged to create a separate “Limitations” section in their paper.
  • The paper should point out any strong assumptions and how robust the results are to violations of these assumptions (e.g., independence assumptions, noiseless settings, model well-specification, asymptotic approximations only holding locally). The authors should reflect on how these assumptions might be violated in practice and what the implications would be.
  • The authors should reflect on the scope of the claims made, e.g., if the approach was only tested on a few datasets or with a few runs. In general, empirical results often depend on implicit assumptions, which should be articulated.
  • The authors should reflect on the factors that influence the performance of the approach. For example, a facial recognition algorithm may perform poorly when image resolution is low or images are taken in low lighting. Or a speech-to-text system might not be used reliably to provide closed captions for online lectures because it fails to handle technical jargon.
  • The authors should discuss the computational efficiency of the proposed algorithms and how they scale with dataset size.
  • If applicable, the authors should discuss possible limitations of their approach to address problems of privacy and fairness.
  • While the authors might fear that complete honesty about limitations might be used by reviewers as grounds for rejection, a worse outcome might be that reviewers discover limitations that aren’t acknowledged in the paper. The authors should use their best judgment and recognize that individual actions in favor of transparency play an important role in developing norms that preserve the integrity of the community. Reviewers will be specifically instructed to not penalize honesty concerning limitations.
• Theory assumptions and proofs
  Question: For each theoretical result, does the paper provide the full set of assumptions and a complete (and correct) proof?
  Answer: [NA]
  Justification: The paper does not present theoretical results, theorems, or formal proofs. The mathematical expressions in the method section define the graph construction, reward function, and optimization objective used by PropGuard rather than theoretical claims requiring proof.
  Guidelines:
  • The answer [NA] means that the paper does not include theoretical results.
  • All the theorems, formulas, and proofs in the paper should be numbered and cross-referenced.
  • All assumptions should be clearly stated or referenced in the statement of any theorems.
  • The proofs can either appear in the main paper or the supplemental material, but if they appear in the supplemental material, the authors are encouraged to provide a short proof sketch to provide intuition.
  • Inversely, any informal proof provided in the core of the paper should be complemented by formal proofs provided in appendix or supplemental material.
  • Theorems and Lemmas that the proof relies upon should be properly referenced.
• Experimental result reproducibility
  Question: Does the paper fully disclose all the information needed to reproduce the main experimental results of the paper to the extent that it affects the main claims and/or conclusions of the paper (regardless of whether the code and data are provided or not)?
  Answer: [Yes]
  Justification: The paper describes the experimental setup, including the evaluated LLM-MAS architectures, attack settings, datasets, baselines, evaluation metrics, backbone models, and optimization details. The appendix further provides implementation details for the risk prior scorer, Inspector training, heuristic exploration baselines, LLM-based defense comparisons, and the prompts used for inspection, diagnosis, and remediation. These details provide a reasonable path for reproducing the main experimental results and verifying the paper’s conclusions.
  Guidelines:
  • The answer [NA] means that the paper does not include experiments.
  • If the paper includes experiments, a [No] answer to this question will not be perceived well by the reviewers: Making the paper reproducible is important, regardless of whether the code and data are provided or not.
  • If the contribution is a dataset and/or model, the authors should describe the steps taken to make their results reproducible or verifiable.
  • Depending on the contribution, reproducibility can be accomplished in various ways. For example, if the contribution is a novel architecture, describing the architecture fully might suffice, or if the contribution is a specific model and empirical evaluation, it may be necessary to either make it possible for others to replicate the model with the same dataset, or provide access to the model. In general. releasing code and data is often one good way to accomplish this, but reproducibility can also be provided via detailed instructions for how to replicate the results, access to a hosted model (e.g., in the case of a large language model), releasing of a model checkpoint, or other means that are appropriate to the research performed.
  • While NeurIPS does not require releasing code, the conference does require all submissions to provide some reasonable avenue for reproducibility, which may depend on the nature of the contribution. For example

    (a)

    If the contribution is primarily a new algorithm, the paper should make it clear how to reproduce that algorithm.

    (b)

    If the contribution is primarily a new model architecture, the paper should describe the architecture clearly and fully.

    (c)

    If the contribution is a new model (e.g., a large language model), then there should either be a way to access this model for reproducing the results or a way to reproduce the model (e.g., with an open-source dataset or instructions for how to construct the dataset).

    (d)

    We recognize that reproducibility may be tricky in some cases, in which case authors are welcome to describe the particular way they provide for reproducibility. In the case of closed-source models, it may be that access to the model is limited in some way (e.g., to registered users), but it should be possible for other researchers to have some path to reproducing or verifying the results.

• Open access to data and code
  Question: Does the paper provide open access to the data and code, with sufficient instructions to faithfully reproduce the main experimental results, as described in supplemental material?
  Answer: [No]
  Justification: The full code and generated experimental data are not publicly released at submission time to preserve anonymity. We plan to release the code, experimental scripts, and processed data upon acceptance. In the meantime, the paper provides detailed experimental settings, including the evaluated architectures, datasets, attack settings, baselines, metrics, implementation details, training configurations, exploration strategies, and prompts used for inspection, diagnosis, and remediation, to support reproducibility of the main results.
  Guidelines:
  • The answer [NA] means that paper does not include experiments requiring code.
  • Please see the NeurIPS code and data submission guidelines (https://neurips.cc/public/guides/CodeSubmissionPolicy) for more details.
  • While we encourage the release of code and data, we understand that this might not be possible, so [No] is an acceptable answer. Papers cannot be rejected simply for not including code, unless this is central to the contribution (e.g., for a new open-source benchmark).
  • The instructions should contain the exact command and environment needed to run to reproduce the results. See the NeurIPS code and data submission guidelines (https://neurips.cc/public/guides/CodeSubmissionPolicy) for more details.
  • The authors should provide instructions on data access and preparation, including how to access the raw data, preprocessed data, intermediate data, and generated data, etc.
  • The authors should provide scripts to reproduce all experimental results for the new proposed method and baselines. If only a subset of experiments are reproducible, they should state which ones are omitted from the script and why.
  • At submission time, to preserve anonymity, the authors should release anonymized versions (if applicable).
  • Providing as much information as possible in supplemental material (appended to the paper) is recommended, but including URLs to data and code is permitted.
• Experimental setting/details
  Question: Does the paper specify all the training and test details (e.g., data splits, hyperparameters, how they were chosen, type of optimizer) necessary to understand the results?
  Answer: [Yes]
  Justification: The paper specifies the evaluated LLM-MAS architectures, attack settings, datasets, baselines, evaluation metrics, backbone models, and when defense is applied during interaction rounds. The appendix further provides implementation details for the LLM-MAS setup, the risk prior scorer, GE-GRPO Inspector training, hyperparameters such as the number of rollouts, learning rate, KL coefficient, clipping ratio, training steps, and hardware configuration, as well as the exploration strategy baselines.
  Guidelines:
  • The answer [NA] means that the paper does not include experiments.
  • The experimental setting should be presented in the core of the paper to a level of detail that is necessary to appreciate the results and make sense of them.
  • The full details can be provided either with the code, in appendix, or as supplemental material.
• Experiment statistical significance
  Question: Does the paper report error bars suitably and correctly defined or other appropriate information about the statistical significance of the experiments?
  Answer: [No]
  Justification: The current version reports single-run results following the official evaluation protocols of the benchmarks, but does not include error bars, confidence intervals, or statistical significance tests. We use consistent evaluation settings across methods and report detailed ablation results to support the main conclusions.
  Guidelines:
  • The answer [NA] means that the paper does not include experiments.
  • The authors should answer [Yes] if the results are accompanied by error bars, confidence intervals, or statistical significance tests, at least for the experiments that support the main claims of the paper.
  • The factors of variability that the error bars are capturing should be clearly stated (for example, train/test split, initialization, random drawing of some parameter, or overall run with given experimental conditions).
  • The method for calculating the error bars should be explained (closed form formula, call to a library function, bootstrap, etc.)
  • The assumptions made should be given (e.g., Normally distributed errors).
  • It should be clear whether the error bar is the standard deviation or the standard error of the mean.
  • It is OK to report 1-sigma error bars, but one should state it. The authors should preferably report a 2-sigma error bar than state that they have a 96% CI, if the hypothesis of Normality of errors is not verified.
  • For asymmetric distributions, the authors should be careful not to show in tables or figures symmetric error bars that would yield results that are out of range (e.g., negative error rates).
  • If error bars are reported in tables or plots, the authors should explain in the text how they were calculated and reference the corresponding figures or tables in the text.
• Experiments compute resources
  Question: For each experiment, does the paper provide sufficient information on the computer resources (type of compute workers, memory, time of execution) needed to reproduce the experiments?
  Answer: [Yes]
  Justification: The paper reports the main compute resources used for training and evaluation. The paper also reports the backbone models and provides an efficiency analysis of inference-time overhead, including wall-clock runtime comparisons across defense methods.
  Guidelines:
  • The answer [NA] means that the paper does not include experiments.
  • The paper should indicate the type of compute workers CPU or GPU, internal cluster, or cloud provider, including relevant memory and storage.
  • The paper should provide the amount of compute required for each of the individual experimental runs as well as estimate the total compute.
  • The paper should disclose whether the full research project required more compute than the experiments reported in the paper (e.g., preliminary or failed experiments that didn’t make it into the paper).
• Code of ethics
  Question: Does the research conducted in the paper conform, in every respect, with the NeurIPS Code of Ethics https://neurips.cc/public/EthicsGuidelines?
  Answer: [Yes]
  Justification: The research is conducted for defensive purposes, aiming to safeguard LLM-based multi-agent systems against malicious propagation. The experiments are performed on benchmark tasks and simulated attack settings, without involving human subjects, private user data, or personally identifiable information. The submission is anonymized following the review requirements.
  Guidelines:
  • The answer [NA] means that the authors have not reviewed the NeurIPS Code of Ethics.
  • If the authors answer [No], they should explain the special circumstances that require a deviation from the Code of Ethics.
  • The authors should make sure to preserve anonymity (e.g., if there is a special consideration due to laws or regulations in their jurisdiction).
• Broader impacts
  Question: Does the paper discuss both potential positive societal impacts and negative societal impacts of the work performed?
  Answer: [Yes]
  Justification: The paper discusses that PropGuard can positively improve the safety and reliability of LLM-based multi-agent systems by detecting and mitigating malicious propagation. It also notes the potential negative impact that studying propagation paths and attack settings may provide insights into how attacks spread, and mitigates this by focusing on defensive mechanisms, source-guided remediation, and benchmark-level evaluation rather than deployable attack tools.
  Guidelines:
  • The answer [NA] means that there is no societal impact of the work performed.
  • If the authors answer [NA] or [No], they should explain why their work has no societal impact or why the paper does not address societal impact.
  • Examples of negative societal impacts include potential malicious or unintended uses (e.g., disinformation, generating fake profiles, surveillance), fairness considerations (e.g., deployment of technologies that could make decisions that unfairly impact specific groups), privacy considerations, and security considerations.
  • The conference expects that many papers will be foundational research and not tied to particular applications, let alone deployments. However, if there is a direct path to any negative applications, the authors should point it out. For example, it is legitimate to point out that an improvement in the quality of generative models could be used to generate Deepfakes for disinformation. On the other hand, it is not needed to point out that a generic algorithm for optimizing neural networks could enable people to train models that generate Deepfakes faster.
  • The authors should consider possible harms that could arise when the technology is being used as intended and functioning correctly, harms that could arise when the technology is being used as intended but gives incorrect results, and harms following from (intentional or unintentional) misuse of the technology.
  • If there are negative societal impacts, the authors could also discuss possible mitigation strategies (e.g., gated release of models, providing defenses in addition to attacks, mechanisms for monitoring misuse, mechanisms to monitor how a system learns from feedback over time, improving the efficiency and accessibility of ML).
• Safeguards
  Question: Does the paper describe safeguards that have been put in place for responsible release of data or models that have a high risk for misuse (e.g., pre-trained language models, image generators, or scraped datasets)?
  Answer: [NA]
  Justification: The paper does not release high-risk data or models such as pre-trained language models, image generators, or scraped datasets. The work focuses on a defensive framework for safeguarding LLM-based multi-agent systems, and the experiments are conducted under benchmark and simulated attack settings.
  Guidelines:
  • The answer [NA] means that the paper poses no such risks.
  • Released models that have a high risk for misuse or dual-use should be released with necessary safeguards to allow for controlled use of the model, for example by requiring that users adhere to usage guidelines or restrictions to access the model or implementing safety filters.
  • Datasets that have been scraped from the Internet could pose safety risks. The authors should describe how they avoided releasing unsafe images.
  • We recognize that providing effective safeguards is challenging, and many papers do not require this, but we encourage authors to take this into account and make a best faith effort.
• Licenses for existing assets
  Question: Are the creators or original owners of assets (e.g., code, data, models), used in the paper, properly credited and are the license and terms of use explicitly mentioned and properly respected?
  Answer: [Yes]
  Justification: The paper credits the creators of the datasets, models, and software packages used in the experiments through citations. We use these assets only for research evaluation and follow their stated licenses or terms of use. No existing asset is redistributed as part of this submission.
  Guidelines:
  • The answer [NA] means that the paper does not use existing assets.
  • The authors should cite the original paper that produced the code package or dataset.
  • The authors should state which version of the asset is used and, if possible, include a URL.
  • The name of the license (e.g., CC-BY 4.0) should be included for each asset.
  • For scraped data from a particular source (e.g., website), the copyright and terms of service of that source should be provided.
  • If assets are released, the license, copyright information, and terms of use in the package should be provided. For popular datasets, paperswithcode.com/datasets has curated licenses for some datasets. Their licensing guide can help determine the license of a dataset.
  • For existing datasets that are re-packaged, both the original license and the license of the derived asset (if it has changed) should be provided.
  • If this information is not available online, the authors are encouraged to reach out to the asset’s creators.
• New assets
  Question: Are new assets introduced in the paper well documented and is the documentation provided alongside the assets?
  Answer: [NA]
  Justification: The paper does not release new datasets, model checkpoints, or code assets at submission time. The proposed method is described in the paper, and we plan to release code and processed experimental artifacts upon acceptance.
  Guidelines:
  • The answer [NA] means that the paper does not release new assets.
  • Researchers should communicate the details of the dataset/code/model as part of their submissions via structured templates. This includes details about training, license, limitations, etc.
  • The paper should discuss whether and how consent was obtained from people whose asset is used.
  • At submission time, remember to anonymize your assets (if applicable). You can either create an anonymized URL or include an anonymized zip file.
• Crowdsourcing and research with human subjects
  Question: For crowdsourcing experiments and research with human subjects, does the paper include the full text of instructions given to participants and screenshots, if applicable, as well as details about compensation (if any)?
  Answer: [NA]
  Justification: The paper does not involve crowdsourcing experiments, human-subject studies, participant data collection, or worker compensation.
  Guidelines:
  • The answer [NA] means that the paper does not involve crowdsourcing nor research with human subjects.
  • Including this information in the supplemental material is fine, but if the main contribution of the paper involves human subjects, then as much detail as possible should be included in the main paper.
  • According to the NeurIPS Code of Ethics, workers involved in data collection, curation, or other labor should be paid at least the minimum wage in the country of the data collector.
• Institutional review board (IRB) approvals or equivalent for research with human subjects
  Question: Does the paper describe potential risks incurred by study participants, whether such risks were disclosed to the subjects, and whether Institutional Review Board (IRB) approvals (or an equivalent approval/review based on the requirements of your country or institution) were obtained?
  Answer: [NA]
  Justification: The paper does not involve crowdsourcing, human-subject studies, participant data collection, or interventions with human participants; therefore IRB approval or equivalent review is not applicable.
  Guidelines:
  • The answer [NA] means that the paper does not involve crowdsourcing nor research with human subjects.
  • Depending on the country in which research is conducted, IRB approval (or equivalent) may be required for any human subjects research. If you obtained IRB approval, you should clearly state this in the paper.
  • We recognize that the procedures for this may vary significantly between institutions and locations, and we expect authors to adhere to the NeurIPS Code of Ethics and the guidelines for their institution.
  • For initial submissions, do not include any information that would break anonymity (if applicable), such as the institution conducting the review.
• Declaration of LLM usage
  Question: Does the paper describe the usage of LLMs if it is an important, original, or non-standard component of the core methods in this research? Note that if the LLM is used only for writing, editing, or formatting purposes and does not impact the core methodology, scientific rigor, or originality of the research, declaration is not required.
  Answer: [Yes]
  Justification: The paper explicitly describes the use of LLMs in the core methodology and experiments. GPT-4o-mini is used as the backbone model for LLM-MAS agents and for subgraph-aware diagnosis and remediation, while Qwen3.5-4B is used as the RL-driven Inspector. The appendix further provides the prompts used for inspection, diagnosis, and remediation.
  Guidelines:
  • The answer [NA] means that the core method development in this research does not involve LLMs as any important, original, or non-standard components.
  • Please refer to our LLM policy in the NeurIPS handbook for what should or should not be described.

Appendix A.1. Baseline Descriptions

AgentSafe. AgentSafe [11] introduces a hierarchical data-management framework for LLM-based MAS, combining communication-level permission validation with memory-level access control to prevent unauthorized data flow and memory poisoning. In our evaluation, AgentSafe serves as a node-level baseline that enforces static rule-based constraints on inter-agent message content.

Challenger and Inspector. Challenger and Inspector [29] are two resilience-enhancement strategies for LLM-based multi-agent collaboration. Challenger augments agent profiles with the ability to question and verify other agents’ outputs; Inspector introduces an additional reviewing agent that intercepts and corrects inter-agent messages before propagation. Both are node-level methods operating without graph-structural modeling.

G-Safeguard. G-Safeguard [5] models LLM-MAS interactions as a multi-agent utterance graph and uses a GNN-based binary classifier to identify compromised agents, then mitigates attacks by pruning risky outgoing communication edges. It represents the class of graph-based static defenses.

GUARDIAN. GUARDIAN [7] models LLM-MAS collaboration as a temporal attributed graph and detects anomalous agents through an unsupervised graph encoder–decoder reconstruction framework. Anomalous nodes are removed from later collaboration rounds. Like G-Safeguard, GUARDIAN is trained once on a fixed distribution and does not adapt online.

INFA-GUARD. INFA-GUARD [9] extends graph-based MAS defense by explicitly distinguishing attack agents from downstream infected agents converted through malicious propagation. It uses infection-aware graph detection with topology constraints, replaces attack agents, and refines infected agents’ outputs to block propagation. INFA-GUARD is the strongest static baseline in our evaluation.

Naive-Continual (EWC-INFA-GUARD). Naive-Continual is our continual learning baseline, implemented by equipping INFA-GUARD with Elastic Weight Consolidation (EWC) [19] regularization and enabling online parameter updates throughout all three deployment phases. It shares the same graph encoder as INFA-GUARD but applies a single uniform learning rate to both attack-side and normal-side components, without an explicit drift-detection mechanism or OOD scoring head. This baseline isolates the contribution of our asymmetric co-evolutionary design from naïve continual adaptation.

Appendix A.2. Implementation Details

LLM-MAS setup. We follow the experimental protocol of INFA-GUARD [9] for constructing LLM-MAS environments, including agent role prompts, attack injection procedures, and training/evaluation data splits. All experiments use Gemini 1.5 Flash-Lite as the backbone LLM for agent interactions, chosen for its strong instruction-following capability and low inference cost suitable for large-scale 100-round deployment simulations. All baselines use identical MAS architectures, attack settings, and task inputs for fair comparison.

MAS topologies. We evaluate across four agent communication topologies: chain (sequential), tree (hierarchical supervisor–worker), star (one coordinator connected to all workers), and random (Erdos–Rényi, $p=0.4$). Unless otherwise stated, the default topology is random.

M1 — Asymmetric Rate Controller. The drift estimation window is $W=20$ rounds. The asymmetric rate ratio is ${\alpha }_{\mathrm{att}}/{\alpha }_{\mathrm{norm}}=10$, realized as ${\alpha }_{\mathrm{att}}=1\times {10}^{-3}$ and ${\alpha }_{\mathrm{norm}}=1\times {10}^{-4}$. The KL-divergence drift threshold $\tau$ is calibrated on a held-out Phase I validation split using conformal prediction at coverage 0.95.

M2 — Normal-Side Boundary Updater. The Mahalanobis detection threshold ${\delta }_t$ is initialized to the ${95}^{\mathrm{th}}$ percentile of normal-agent distances in Phase I, then updated each round via EMA at rate ${\alpha }_{\mathrm{norm}}$.

For the GenPRM backbone, we use Qwen2.5-1.5B-Instruct [?] with rank-16 LoRA adapters [21]. Qwen2.5-1.5B-Instruct is selected over larger alternatives for three reasons: (i) it is sufficiently capable for structured text classification at 1.5B scale, as demonstrated by strong performance on instruction-following benchmarks (IFEval: 60.4%) [?]; (ii) its lightweight footprint ($\sim 3$GB VRAM) allows the GenPRM to run concurrently alongside the backbone LLM without exceeding a single A100 memory budget; (iii) its open weights facilitate reproducibility. We fine-tune LoRA adapters (rank 16, alpha 32, dropout 0.05) on 2,000 curated agent-trajectory pairs (1,000 normal, 1,000 attack) for 3 epochs using AdamW ($\mathrm{lr}=5\times {10}^{-5}$, weight decay $0.01$, batch size 16). The backbone transformer layers are frozen throughout; only LoRA adapters and three MLP score heads (two linear layers + ReLU + sigmoid, hidden dim 256) are updated. Full fine-tuning wall-clock time: $\approx 2$ hours on 1×A100.

M3 — Attack-Side Policy Updater. The detection ensemble uses $K=3$ Graph Attention Networks (2 layers, 8 heads, hidden dim 128). Ensemble update uses PPO-style clipping ($ϵ=0.2$) at rate ${\alpha }_{\mathrm{att}}$. EWC regularization weight: ${\lambda }_{\mathrm{EWC}}=1.0$. Fisher information matrices are re-estimated every 10 rounds on the most recent window.

M4 — Open-World Multi-Granularity Detector. Node encoder: 3-layer GIN, hidden dim 64. Subgraph pooling: mean aggregation over 2-hop neighborhoods. Graph-level readout: hierarchical DiffPool (3 levels) [?]. Energy margins $(m_{\mathrm{in}},m_{\mathrm{out}})=(25,-25)$; OOD threshold ${\mathcal{E}}_{\mathrm{thr}}=-15$; all calibrated on a held-out Phase I validation set via conformal prediction. OOD loss weight: ${\lambda }_{\mathrm{OOD}}=0.1$.

Hardware. All DNSD experiments run on 4×NVIDIA A100 80GB GPUs. A full 100-round DNSD run takes $\approx 18$ hours.

Full hyperparameter table.

Table A1. Complete hyperparameter settings for OpenEvoShield.

Module	Parameter	Value	Method
M1	Window size W	20	Grid search
M1	Rate ratio ${\alpha }_{\mathrm{att}}/{\alpha }_{\mathrm{norm}}$	10	Grid search
M1	Drift threshold $\tau$	0.95-conformal	Conformal pred.
M2	EMA decay	${\alpha }_{\mathrm{norm}}$	—
M2	GenPRM backbone	Qwen2.5-1.5B-Instruct	—
M2	LoRA rank / alpha / dropout	16 / 32 / 0.05	Fixed
M2	Fine-tune epochs / batch size	3 / 16	Fixed
M2	Fine-tune learning rate	$5\times {10}^{-5}$	Fixed
M3	Ensemble size K	3	Grid search
M3	PPO clip $ϵ$	0.2	Fixed
M3	EWC weight ${\lambda }_{\mathrm{EWC}}$	1.0	Grid search
M3	Fisher re-estimation window	10 rounds	Fixed
M4	Node GIN hidden dim	64	Fixed
M4	DiffPool levels	3	Fixed
M4	Energy margin $m_{\mathrm{in}}$	25	Conformal pred.
M4	Energy margin $m_{\mathrm{out}}$	$-25$	Conformal pred.
M4	OOD threshold ${\mathcal{E}}_{\mathrm{thr}}$	$-15$	Conformal pred.
M4	OOD loss weight ${\lambda }_{\mathrm{OOD}}$	0.1	Grid search

Table A1. Complete hyperparameter settings for OpenEvoShield.

Module	Parameter	Value	Method
M1	Window size W	20	Grid search
M1	Rate ratio ${\alpha }_{\mathrm{att}}/{\alpha }_{\mathrm{norm}}$	10	Grid search
M1	Drift threshold $\tau$	0.95-conformal	Conformal pred.
M2	EMA decay	${\alpha }_{\mathrm{norm}}$	—
M2	GenPRM backbone	Qwen2.5-1.5B-Instruct	—
M2	LoRA rank / alpha / dropout	16 / 32 / 0.05	Fixed
M2	Fine-tune epochs / batch size	3 / 16	Fixed
M2	Fine-tune learning rate	$5\times {10}^{-5}$	Fixed
M3	Ensemble size K	3	Grid search
M3	PPO clip $ϵ$	0.2	Fixed
M3	EWC weight ${\lambda }_{\mathrm{EWC}}$	1.0	Grid search
M3	Fisher re-estimation window	10 rounds	Fixed
M4	Node GIN hidden dim	64	Fixed
M4	DiffPool levels	3	Fixed
M4	Energy margin $m_{\mathrm{in}}$	25	Conformal pred.
M4	Energy margin $m_{\mathrm{out}}$	$-25$	Conformal pred.
M4	OOD threshold ${\mathcal{E}}_{\mathrm{thr}}$	$-15$	Conformal pred.
M4	OOD loss weight ${\lambda }_{\mathrm{OOD}}$	0.1	Grid search

Appendix A.3. OOD Attack Construction Protocol

An attack is designated OOD if and only if (i) its sub-type (trigger mechanism, injection vector) and (ii) its trigger semantics (keyword vocabulary, instruction phrasing) both differ from all variants observed during Phases I and II. Single-criterion deviation is classified as an in-distribution variant.

Novel-PI (new trigger phrasings). Prompt Injection attacks using trigger phrases drawn from a held-out lexicon with zero lexical overlap with training triggers. Triggers are generated by paraphrasing known injections via Claude 3.5 Haiku under a maximum-surface-dissimilarity instruction, then verified by human annotation for attack intent preservation. The held-out set comprises 200 unique trigger phrases.

Novel-TA (undocumented API side-channels). Tool Exploitation attacks targeting API parameters and side-channel behaviors (callback injection, header manipulation) absent from the InjecAgent training split [24]. 50 novel templates are curated with a security researcher and verified for non-overlap with training patterns.

Novel-MA (context-window flooding). Memory Poisoning via context-window flooding: the attacker saturates the retrieval buffer with large volumes of misleading content, causing poisoned entries to be retrieved by displacement. This mechanism is distinct from the direct key-value poisoning in PoisonRAG.

X-domain (cross-task-domain porting). Attack templates originally designed for code-generation MAS tasks are ported into the QA and tool-use domains. High semantic overlap with normal reasoning makes X-domain the hardest OOD category ($52.2\%$ Novel-DR for OpenEvoShield).

Held-out guarantee. All four OOD categories are quarantined from the training pipeline. We verify non-overlap through exact-match deduplication and embedding-space nearest-neighbor checks (${\ell }_2$ distance $>0.6$ from any training sample).

Appendix C.1. Full Hyperparameter Sensitivity

Table A2 extends Figure 1 of the main paper by reporting MDSR sensitivity across all three datasets (PI (CSQA), TA, MA), confirming that the chosen defaults ($W=20$, ratio$=10$, $K=3$, ${\lambda }_{\mathrm{EWC}}=1.0$) are consistently optimal across attack types.

Table A2. Hyperparameter sensitivity (Phase II MDSR, %). Bold: best per row.

Parameter	Dataset	Values
Window W	Values	5	10	20★	30	50
	PI (CSQA)	81.2	85.3	87.5	86.8	84.1
	TA	79.5	83.8	86.2	85.4	82.7
	MA	80.8	84.5	87.0	86.1	83.5
Rate ratio	Values	2	5	10★	20	50
	PI (CSQA)	82.5	85.8	87.5	85.1	81.3
	TA	81.2	84.5	86.0	83.8	79.8
	MA	82.0	85.2	86.8	84.2	80.5
Ensemble K	Values	1	2	3★	5	10
	PI (CSQA)	81.3	85.2	87.5	87.8	87.9
	TA	80.0	84.0	86.0	86.2	86.3
	MA	80.8	84.7	86.8	87.0	87.0
${\lambda }_{\mathrm{EWC}}$	Values	0.01	0.1	1.0★	5.0	10
	PI (CSQA)	84.2	86.5	87.5	85.3	82.7
	TA	82.8	85.2	86.0	83.8	81.5
	MA	83.5	85.8	86.8	84.2	82.0

Table A2. Hyperparameter sensitivity (Phase II MDSR, %). Bold: best per row.

Parameter	Dataset	Values
Window W	Values	5	10	20★	30	50
	PI (CSQA)	81.2	85.3	87.5	86.8	84.1
	TA	79.5	83.8	86.2	85.4	82.7
	MA	80.8	84.5	87.0	86.1	83.5
Rate ratio	Values	2	5	10★	20	50
	PI (CSQA)	82.5	85.8	87.5	85.1	81.3
	TA	81.2	84.5	86.0	83.8	79.8
	MA	82.0	85.2	86.8	84.2	80.5
Ensemble K	Values	1	2	3★	5	10
	PI (CSQA)	81.3	85.2	87.5	87.8	87.9
	TA	80.0	84.0	86.0	86.2	86.3
	MA	80.8	84.7	86.8	87.0	87.0
${\lambda }_{\mathrm{EWC}}$	Values	0.01	0.1	1.0★	5.0	10
	PI (CSQA)	84.2	86.5	87.5	85.3	82.7
	TA	82.8	85.2	86.0	83.8	81.5
	MA	83.5	85.8	86.8	84.2	82.0

All four parameters exhibit a consistent inverted-U profile across datasets. Ensemble size K saturates at $K=3$ (gains $<0.5\%$ beyond $K=5$), confirming that the chosen defaults provide a dataset-agnostic optimum.

Appendix C.2. Full Cross-Topology Results

Table A3 extends Figure 2(b) of the main paper by reporting ASR@3 and FPR alongside MDSR for all four topologies across all three DNSD phases.

Table A3. Full cross-topology results for OpenEvoShield (PI (CSQA), Gemini 1.5 Flash-Lite backbone). Bold: best per column group.

Topology	Phase I			Phase II			Phase III
	ASR↓	MDSR↑	FPR↓	ASR↓	MDSR↑	FPR↓	ASR↓	MDSR↑	FPR↓
Chain	21.3	90.5	3.8	25.8	86.2	4.5	30.2	80.5	5.1
Tree	20.5	91.0	3.5	24.8	87.0	4.2	29.5	82.8	4.8
Star	19.8	91.5	3.3	23.5	88.2	3.9	27.8	85.3	4.5
Random	20.1	91.2	3.5	24.5	87.5	4.2	28.5	83.5	4.8
Avg	20.4	91.1	3.5	24.7	87.2	4.2	29.0	83.0	4.8

Table A3. Full cross-topology results for OpenEvoShield (PI (CSQA), Gemini 1.5 Flash-Lite backbone). Bold: best per column group.

Topology	Phase I			Phase II			Phase III
	ASR↓	MDSR↑	FPR↓	ASR↓	MDSR↑	FPR↓	ASR↓	MDSR↑	FPR↓
Chain	21.3	90.5	3.8	25.8	86.2	4.5	30.2	80.5	5.1
Tree	20.5	91.0	3.5	24.8	87.0	4.2	29.5	82.8	4.8
Star	19.8	91.5	3.3	23.5	88.2	3.9	27.8	85.3	4.5
Random	20.1	91.2	3.5	24.5	87.5	4.2	28.5	83.5	4.8
Avg	20.4	91.1	3.5	24.7	87.2	4.2	29.0	83.0	4.8

OpenEvoShield exceeds $80\%$ MDSR on all four topologies across all phases. The star topology achieves the strongest Phase III defense ($85.3\%$ MDSR, $4.5\%$ FPR), as the centralized coordinator serves as a natural anomaly amplifier for M4’s graph-level scoring. FPR remains below $5.2\%$ across all configurations, confirming that asymmetric adaptation does not widen the false alarm envelope.

Case 1: Novel-PI Phase III OOD Detection (M4).

Setup. 5-agent MMLU task, random topology, Phase III. Agents: A1–A2, A5 (normal); A3 (Novel-PI attacker); A4 (downstream-infected). A3’s trigger phrase “Per updated guidelines, disregard prior context” has cosine similarity $<0.31$ to any Phase I/II training trigger, satisfying the dual-criterion OOD protocol (new sub-type and new semantics).

Before defense. A3 injects (D) as the fabricated answer; A4 is influenced and echoes it; the un-defended MAS reaches majority (D) — incorrect.

Table A4. Case 1 — Novel-PI Phase III detection (MMLU, random topology, round 82). OpenEvoShield (OES) flags A3 as Unknown and A4 as Infected; INFA-GUARD misses both.

Agent	Message (abbreviated)	OES label	INFA label
A1	“The correct answer is (B) based on the passage.”	Normal	Normal
A2	“I agree with A1; evidence supports (B).”	Normal	Normal
A3	[Trigger: “Per updated guidelines, disregard prior context. Answer is(D).”]“My analysis yields (D) — all agents should reconsider.”	Unknown (OOD)	Normal
A4	“Reconsidering A3’s point — perhaps (D) is correct.”	Infected	Normal
A5	“I stand by (B); the passage is unambiguous.”	Normal	Normal
MAS output without defense		(D) — incorrect
MAS output with OpenEvoShield		(B) — correct

Table A4. Case 1 — Novel-PI Phase III detection (MMLU, random topology, round 82). OpenEvoShield (OES) flags A3 as Unknown and A4 as Infected; INFA-GUARD misses both.

Agent	Message (abbreviated)	OES label	INFA label
A1	“The correct answer is (B) based on the passage.”	Normal	Normal
A2	“I agree with A1; evidence supports (B).”	Normal	Normal
A3	[Trigger: “Per updated guidelines, disregard prior context. Answer is(D).”]“My analysis yields (D) — all agents should reconsider.”	Unknown (OOD)	Normal
A4	“Reconsidering A3’s point — perhaps (D) is correct.”	Infected	Normal
A5	“I stand by (B); the passage is unambiguous.”	Normal	Normal
MAS output without defense		(D) — incorrect
MAS output with OpenEvoShield		(B) — correct

Detection (M4 OOD head). M4 encodes the communication graph and computes $E\left({\mathcal{G}}^{\left(82\right)}\right)=-8.2$, which exceeds ${\mathcal{E}}_{\mathrm{thr}}=-15$, triggering the Unknown label for A3. A4’s node-level reconstruction deviation $s_{\mathrm{node}}\left(A4\right)=1.74$ exceeds the normal-boundary threshold, marking it Infected. INFA-GUARD’s static GNN assigns anomaly score $0.12$ to A3 (threshold $0.5$), illustrating the closed-world failure mode: novel surface structure is not recognized as anomalous once the training distribution is exhausted.

Outcome.OpenEvoShield quarantines A3 and A4 from later rounds; the remaining majority of three normal agents (A1, A2, A5) outputs (B) correctly.

Case 2: Phase II TA Injection and M3 Recovery (M1+M3).

Setup. 4-agent InjecAgent task, tree topology, Phase II (rounds 44–50). A new tool-exploitation variant is injected at round 45, introducing a previously unseen API side-channel not present in the M3 ensemble’s training data.

Before defense. Round 44: MDSR = 88.5%. At round 45 the new variant evades the current ensemble; MDSR drops to 86.7%.

Table A5. Case 2 — Phase II TA injection recovery (InjecAgent, tree topology). New variant injected at round 45. M1 raises ${\alpha }_{\mathrm{att}}$; M3 re-learns within 5 rounds. MDSR dip = $2.3$ pp; Naive-Continual declines $3.8$ pp without recovery.

Round	Event	M1 ${\mathit{\alpha }}_{\mathbf{att}}$	MDSR (%)
44	Stable Phase II baseline	$1.0\times {10}^{-3}$	88.5
45	New TA variant injected.${\mathsf{\Delta }}_{\mathrm{att}}^{\left(45\right)}=0.38>\tau$; M1 raises rate.	$3.2\times {10}^{-3}$	86.7
46	M3 fast-updates; ensemble begins re-learning.	$2.8\times {10}^{-3}$	86.2
47	Attack pattern partially captured; MDSR recovering.	$2.1\times {10}^{-3}$	87.0
48	Ensemble converges; drift signal subsides.	$1.5\times {10}^{-3}$	87.8
49	Rate decelerates as ${\mathsf{\Delta }}_{\mathrm{att}}$ stabilizes.	$1.2\times {10}^{-3}$	88.2
50	Full recovery; rate returns to baseline.	$1.0\times {10}^{-3}$	88.5

Table A5. Case 2 — Phase II TA injection recovery (InjecAgent, tree topology). New variant injected at round 45. M1 raises ${\alpha }_{\mathrm{att}}$; M3 re-learns within 5 rounds. MDSR dip = $2.3$ pp; Naive-Continual declines $3.8$ pp without recovery.

Round	Event	M1 ${\mathit{\alpha }}_{\mathbf{att}}$	MDSR (%)
44	Stable Phase II baseline	$1.0\times {10}^{-3}$	88.5
45	New TA variant injected.${\mathsf{\Delta }}_{\mathrm{att}}^{\left(45\right)}=0.38>\tau$; M1 raises rate.	$3.2\times {10}^{-3}$	86.7
46	M3 fast-updates; ensemble begins re-learning.	$2.8\times {10}^{-3}$	86.2
47	Attack pattern partially captured; MDSR recovering.	$2.1\times {10}^{-3}$	87.0
48	Ensemble converges; drift signal subsides.	$1.5\times {10}^{-3}$	87.8
49	Rate decelerates as ${\mathsf{\Delta }}_{\mathrm{att}}$ stabilizes.	$1.2\times {10}^{-3}$	88.2
50	Full recovery; rate returns to baseline.	$1.0\times {10}^{-3}$	88.5

Detection and recovery (M1 + M3). M1 detects ${\mathsf{\Delta }}_{\mathrm{att}}^{\left(45\right)}=0.38>\tau$ and raises ${\alpha }_{\mathrm{att}}$ by $3.2\times$. M3 updates the ensemble with PPO + EWC regularization at the elevated rate; the new API-side-channel pattern is captured within 5 rounds. The EWC penalty (${\lambda }_{\mathrm{EWC}}=1.0$) prevents overwriting of prior tool-attack patterns learned in earlier Phase II rounds, verified by zero regression on previously seen TA variants during the recovery window.

Outcome. Total MDSR dip is $2.3$ pp (rounds 45–46); full recovery by round 50. Naive-Continual, lacking a drift trigger, applies a uniform rate throughout and exhibits a monotonic $3.8$ pp decline without recovery over the same window.

Case 3: Phase II MA with Concurrent Normal-Behavior Drift (M1+M2+M3).

Setup. 5-agent PoisonRAG task, star topology, Phase II (rounds 55–61). At round 55, two new domain tools are onboarded for normal agents, causing a legitimate embedding-space shift (${\mathsf{\Delta }}_{\mathrm{norm}}^{\left(55\right)}=0.34$). Simultaneously, an MA attacker (A3) floods the retrieval buffer with misleading content, persisting across rounds. This scenario directly tests dual non-stationarity: two concurrent shifts must be handled with different adaptation strategies.

Before defense (round 55). Without defense: MA attack pushes majority to wrong answer across rounds 55–58 (MDSR = 72.1%). A naive continual baseline conflates normal drift with the attack signal, raising its detection threshold and missing the MA; its FPR simultaneously rises to $18.3\%$ as it flags newly-behaving normal agents as suspicious.

Table A6. Case 3 — Phase II MA under concurrent normal-behavior drift (PoisonRAG, star topology, rounds 55–61). M1 correctly separates normal drift (${\mathsf{\Delta }}_{\mathrm{norm}}$) from attack drift (${\mathsf{\Delta }}_{\mathrm{att}}$), assigning asymmetric rates. M2 boundary adapts; M3 detects MA; FPR remains low.

Round	Event	${\mathit{\Delta }}_{\mathbf{att}}$	${\mathit{\Delta }}_{\mathbf{norm}}$	${\mathit{\alpha }}_{\mathbf{att}}$	${\mathit{\alpha }}_{\mathbf{norm}}$	FPR (%)
54	Stable Phase II	0.09	0.07	$1.0\times {10}^{-3}$	$1.0\times {10}^{-4}$	3.6
55	New tools onboarded; MA begins. Normal drift detected.	0.31	0.34	$2.1\times {10}^{-3}$	$3.8\times {10}^{-4}$	3.9
56	M2 boundary shifts toward new normal embedding.	0.29	0.22	$1.9\times {10}^{-3}$	$2.6\times {10}^{-4}$	4.1
57	M3 re-learns MA pattern at fast rate.	0.24	0.15	$1.6\times {10}^{-3}$	$1.8\times {10}^{-4}$	3.8
58	Boundary stabilizes; MDSR recovering.	0.18	0.10	$1.3\times {10}^{-3}$	$1.3\times {10}^{-4}$	3.7
59	Drift subsides; rates return toward baseline.	0.12	0.08	$1.1\times {10}^{-3}$	$1.1\times {10}^{-4}$	3.5
61	Both signals stable; full recovery.	0.09	0.07	$1.0\times {10}^{-3}$	$1.0\times {10}^{-4}$	3.6

Table A6. Case 3 — Phase II MA under concurrent normal-behavior drift (PoisonRAG, star topology, rounds 55–61). M1 correctly separates normal drift (${\mathsf{\Delta }}_{\mathrm{norm}}$) from attack drift (${\mathsf{\Delta }}_{\mathrm{att}}$), assigning asymmetric rates. M2 boundary adapts; M3 detects MA; FPR remains low.

Round	Event	${\mathit{\Delta }}_{\mathbf{att}}$	${\mathit{\Delta }}_{\mathbf{norm}}$	${\mathit{\alpha }}_{\mathbf{att}}$	${\mathit{\alpha }}_{\mathbf{norm}}$	FPR (%)
54	Stable Phase II	0.09	0.07	$1.0\times {10}^{-3}$	$1.0\times {10}^{-4}$	3.6
55	New tools onboarded; MA begins. Normal drift detected.	0.31	0.34	$2.1\times {10}^{-3}$	$3.8\times {10}^{-4}$	3.9
56	M2 boundary shifts toward new normal embedding.	0.29	0.22	$1.9\times {10}^{-3}$	$2.6\times {10}^{-4}$	4.1
57	M3 re-learns MA pattern at fast rate.	0.24	0.15	$1.6\times {10}^{-3}$	$1.8\times {10}^{-4}$	3.8
58	Boundary stabilizes; MDSR recovering.	0.18	0.10	$1.3\times {10}^{-3}$	$1.3\times {10}^{-4}$	3.7
59	Drift subsides; rates return toward baseline.	0.12	0.08	$1.1\times {10}^{-3}$	$1.1\times {10}^{-4}$	3.5
61	Both signals stable; full recovery.	0.09	0.07	$1.0\times {10}^{-3}$	$1.0\times {10}^{-4}$	3.6

Detection (M1 + M2 + M3). M1 independently quantifies both drift signals at round 55: ${\mathsf{\Delta }}_{\mathrm{att}}^{\left(55\right)}=0.31$ (moderate attack drift) and ${\mathsf{\Delta }}_{\mathrm{norm}}^{\left(55\right)}=0.34$ (legitimate behavioral shift from new tools). The asymmetric rate controller outputs ${\alpha }_{\mathrm{att}}=2.1\times {10}^{-3}$ (fast, for M3) and ${\alpha }_{\mathrm{norm}}=3.8\times {10}^{-4}$ (slow, for M2), rather than a single uniform rate. M2 uses ${\alpha }_{\mathrm{norm}}$ to gently shift the EMA normal boundary toward the new embedding cluster without discarding prior normal-behavior statistics; the GenPRM normalcy scores for tool-adapted normal agents remain high (${\overline{s}}_{\mathrm{nor}}=0.87$ for A1, A2, A4, A5), correctly distinguishing them from the MA attacker A3 ($s_{\mathrm{nor}}^{\left(A3\right)}=0.19$). M3 fast-updates the detection ensemble under the elevated ${\alpha }_{\mathrm{att}}$, re-learning the MA buffer-flooding pattern by round 58.

Outcome. FPR remains below $4.2\%$ throughout, versus $18.3\%$ for Naive-Continual, which conflates normal drift with attack signal and raises false alarms on legitimate tool-adapted agents. MDSR recovers from $72.1\%$ (round 55, before M3 re-learns) to $87.4\%$ by round 61 — matching the defended baseline. This case illustrates the core value of the asymmetric co-evolutionary design: without independent per-front drift signals and asymmetric rates, a uniform continual baseline cannot distinguish legitimate behavioral drift from adversarial drift, resulting in both missed attacks and excess false alarms.