cs.CRcs.SE
ARGUS: Defending LLM Agents Against Context-Aware Prompt Injection
May 5, 2026
The paper introduces ARGUS, a defense mechanism that uses provenance-aware decision auditing to protect LLM agents from sophisticated, context-aware prompt injection attacks, significantly reducing the attack success rate.
The rise of Large Language Model (LLM) agents, augmented with tool use, skills, and external knowledge, has introduced new security risks. Among them, prompt injection attacks, where adversaries embed malicious instructions into the agent workflow, have emerged as the primary threat. However, existing benchmarks and defenses are fundamentally limited as they assume context-insensitive settings in which the agent works under a fully specified user instruction, and the attacks are straightforward and context-independent. As a result, they fail to capture real-world deployments where agent behavior usually depends on dynamic context, not just the user prompt, and adversaries can adapt their attacks to different context. Similarly, existing defenses built on this narrow threat model overlook the nature of real-world agent delegation. In this paper, we present AgentLure, a benchmark that captures context-dependent tasks and context-aware prompt injection attacks. AgentLure spans four agentic domains and eight attack vectors across diverse attack surfaces. Our evaluation shows that existing defenses often struggle in this setting, yielding poor performance against such attacks in agentic systems. To address this limitation, we propose ARGUS, a defense mechanism that enforces provenance-aware decision auditing for LLM agents. ARGUS constructs an influence provenance graph to track how untrusted context propagates into agent decisions and verify whether a decision is justified by trustworthy evidence before execution. Our evaluation shows ARGUS reduces attack success rate to 3.8% while preserving 87.5% task utility, significantly outperforming existing defenses and remaining robust against adaptive white-box adversaries.
Argus: Reorchestrating Static Analysis via a Multi-Agent Ensemble for Full-Chain Security Vulnerabil…
The paper introduces Argus, a novel multi-agent framework that reorchestrates St…
Architecting Secure AI Agents: Perspectives on System-Level Defenses Against Indirect Prompt Injecti…
The paper proposes a vision for system-level defenses against indirect prompt in…
ClawGuard: A Runtime Security Framework for Tool-Augmented LLM Agents Against Indirect Prompt Inject…
ClawGuard is a novel runtime security framework that deterministically enforces…
A Framework for Formalizing LLM Agent Security
The paper introduces a contextual security framework for LLM agents, defining se…
WebAgentGuard: A Reasoning-Driven Guard Model for Detecting Prompt Injection Attacks in Web Agents
The paper introduces WebAgentGuard, a novel reasoning-driven, multimodal guard m…
Prompt Control-Flow Integrity: A Priority-Aware Runtime Defense Against Prompt Injection in LLM Syst…
The paper introduces Prompt Control-Flow Integrity (PCFI), a priority-aware runt…
PlanGuard: Defending Agents against Indirect Prompt Injection via Planning-based Consistency Verific…
PlanGuard is a training-free defense framework that uses an isolated Planner and…
AttackEval: A Systematic Empirical Study of Prompt Injection Attack Effectiveness Against Large Lang…
AttackEval systematically evaluates the effectiveness of 250 prompt injection pr…