REVIEW 3 major objections 7 minor 79 references
Internal neural activations expose stealthy attacks in multi-agent LLM systems and let compromised agents be restored instead of removed.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-10 20:53 UTC pith:DHW7ZVTT
load-bearing objection Solid systems paper: activation prototypes beat graph detectors on stealthy async MAS attacks, and steering beats isolation on task completion. the 3 major comments →
When Agents Go Rogue: Activation-Based Detection of Malicious Behaviors in Multi-Agent Systems
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Compromised agents in LLM multi-agent systems produce systematic deviations in final-layer activation space that are detectable without semantic supervision or synchronized rounds. Modeling normal reasoning as a unit-normalized centroid of benign activations, and flagging agents whose cosine divergence exceeds a calibrated threshold, yields high F1 under stealthy prompt injection, tool manipulation, and memory poisoning in both synchronous and asynchronous settings. The same activation signal then drives adaptive steering that restores agent functionality instead of isolating agents, preserving task completion near the clean baseline while driving attack success near zero.
What carries the argument
The normal activation prototype µ_normal (the mean of unit-normalized final-layer hidden states of the last generated token from benign traces) and the per-agent divergence δ_i = 1 − cosine similarity to that prototype. Detection is a threshold test on δ_i; mitigation is the adaptive steering update h̃ = h + λ(µ_normal − h), with λ scaled by how far the agent has drifted past the detection threshold.
Load-bearing premise
Compromised reasoning must leave a detectable mark in final-layer activations relative to a prototype built from a modest set of clean runs; if malicious logic can stay inside that normal cloud while still harming the task, detection fails.
What would settle it
Construct or obtain a stealthy multi-agent attack that systematically produces wrong or harmful outcomes while keeping every compromised agent’s final-layer activation cosine distance to the clean prototype below the paper’s calibrated threshold (around 0.12) across the five reported attack scenarios; if such attacks succeed at scale under AcMAS with low attack-success reduction, the central claim fails.
If this is right
- Graph-based detectors that need globally synchronized rounds will degrade sharply on modern asynchronous multi-agent deployments; activation-level monitoring does not.
- Isolation need not be the default response: agents with specialized roles can be corrected in place, preserving task completion near the clean baseline.
- Defense can sit locally on each open-weight agent, matching cost- and privacy-driven pipelines that already keep sensitive work on local models.
- A small set of clean traces (tens, not thousands) is enough to build the prototype, so recalibration under domain shift is cheap and training-free.
- Final-layer activations of the last generated token carry enough of the reasoning trajectory for both detection and correction across diverse open-source backbones and system scales.
Where Pith is reading between the lines
- The same prototype-and-steer pattern could be applied inside single-agent tool-using loops, not only multi-agent systems.
- If closed-model providers ever expose limited activation summaries, the method could extend beyond open-weight backbones without full weight access.
- Attackers who can stay inside the normal activation manifold while still corrupting task outcomes would defeat the detector; measuring how hard that is under realistic communication constraints is a natural next stress test.
- Combining activation divergence with light message-level checks might cut residual false negatives when attacks only partially succeed.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes AcMAS, an activation-based framework for detecting and mitigating malicious agent behavior in LLM multi-agent systems. It argues that existing defenses rest on two brittle assumptions—semantically explicit attacks and synchronized, graph-modelable interaction rounds—and instead detects compromise via cosine divergence of each agent’s final-layer activation from a normal prototype built from benign traces (Eqs. 10–12), without interaction graphs or temporal alignment. Upon detection it applies adaptive activation steering (Eqs. 14–15) to restore reasoning rather than isolate agents. Evaluation across five stealthy attack settings (S-PI on CSQA/GSM8K, tool manipulation on InjecAgent, memory poisoning on PoisonRAG/HotPotQA), synchronous and asynchronous execution, four open-source backbones, MAS scales 8–80, and attack intensities up to 40%+ reports large F1 gains over graph baselines (especially async) and high task completion with low attack success under correction.
Significance. If the results hold, the work is a clear advance for MAS security: it replaces topology- and output-level detectors with a local, synchronization-agnostic signal and, more importantly, replaces isolation with restorative intervention that preserves collaborative structure (avg TCR ≈ 0.98 vs. isolation baselines ≈ 0.78–0.83). The empirical package is unusually thorough for the area—sync/async, multiple attack families, backbone and scale sweeps, ablations on adaptive update/normalization/correction/layer choice, threshold and prototype-size sensitivity, efficiency breakdown, and honest domain-shift and adaptive-attack discussion. The open-weight activation requirement is scoped to a realistic class of cost- and privacy-aware deployments rather than overclaimed. These strengths make the paper a useful reference point even if some threat-model edges remain open.
major comments (3)
- §4.1–4.2 and Table 1: The large async F1 gap (+0.55 vs. G-Safeguard) is a central claim, but the graph baselines (G-Safeguard, BlindGuard, PERM, TAM) are designed for round-aligned interaction graphs. The manuscript does not state whether any async adaptation was attempted (e.g., event-stream or dependency-graph construction) or whether the comparison is strictly against the published sync formulations. Please either document a best-effort async adaptation of at least one graph baseline or explicitly frame the async result as superiority over methods that assume lock-step rounds, so the claim is not over-read as “activation beats any graph approach.”
- §1, §3.2–3.3, Appendix A (S-PI constructions): The motivation that modern attacks are “semantically stealthy” and thus defeat output-level semantic analysis is load-bearing for preferring activations over surface text, yet the main tables compare only to graph/GAD methods. Please add a simple output-level semantic or LLM-as-judge detector baseline on the same S-PI instances (or report that such detectors fail at high FPR/FNR) so the claim that surface semantics are insufficient is measured rather than only illustrated by construction.
- §5 and the separability premise (Eqs. 10–12): Adaptive attacks that gradually stay inside the normal activation manifold are correctly flagged as open, and the paper’s own evidence is for non-adaptive stealthy constructions. Because separability is the weakest load-bearing assumption, either (i) include a minimal adaptive/gradual-injection stress test with the anomaly-gated update rule sketched in §5, or (ii) tighten abstract and contribution language to scope claims to the evaluated non-adaptive stealthy attacks, so readers do not over-generalize robustness.
minor comments (7)
- Abstract vs. §1: reported F1 pairs for sync/async baselines are inconsistent across places (e.g., 0.94 vs. 0.72 / 0.93 vs. 0.38 vs. earlier 0.95 vs. 0.74 / 0.94 vs. 0.46). Align all summary numbers with Table 1 averages.
- §3.3 Eq. (13): state how α = 0.7 was chosen (grid search, validation, or default) and whether results are sensitive to α in the same style as the τdetect analysis in §4.5.
- Figure 2: the left “Attacked MAS” panel and the right detection/mitigation flow are dense; a short caption walk-through of one agent’s path (extract → δi → λi → steered regeneration) would help.
- §4.4 Table 3: “w/o Correction” isolates agents; clarify whether isolation uses the same detection threshold and whether isolated agents are removed for the remainder of the episode or only the current step.
- Appendix F.2 domain-shift tables: FPR = 1.0 at ntarget = 0 is expected but stark; a one-sentence practical recommendation in the main §5 (recompute μnormal from 50–100 target traces when domain change is known) would make the limitation actionable.
- Notation: H(t) is used both for the activation matrix and, earlier, for sets of normal activations; disambiguate (e.g., Hnormal vs. H(t)).
- Related work: A-Trust (attention-based trust) is close in spirit to internal-signal defenses; a sentence contrasting activation prototypes vs. attention-based message trust would sharpen positioning.
Circularity Check
No significant circularity: AcMAS is a standard prototype-based anomaly detector with empirical evaluation against labeled attacks and external baselines; thresholds and prototypes are calibrated on held-out benign/validation data without tautological reduction of reported F1/TCR/ASR.
full rationale
The derivation chain is methodological rather than predictive-from-first-principles. Normal prototype μ_normal is the mean of unit-normalized activations from known-benign traces (Eq. 10); per-agent divergence is ordinary cosine distance (Eq. 11); detection is a threshold test au_detect calibrated on a validation set to balance FPR/FNR (Eq. 12 and Appendix D); correction strength λ_i is a clipped linear function of that same divergence (Eqs. 14–15). Performance numbers (F1 0.92–0.95, TCR ≈0.98, ASR ≈0.04) are measured on held-out attack scenarios against independent graph baselines (G-Safeguard, BlindGuard, PERM, TAM) and ablations; none of the reported metrics is forced by construction from the prototype or threshold. Self-citations (e.g., Tan et al. 2024a for representation anomaly detection, Zhang et al. 2025b for steering) supply prior technique, not uniqueness theorems that forbid alternatives or smuggle the result. Domain-shift and sample-efficiency experiments further treat the prototype as an empirical estimate that can be recalibrated, confirming the method is falsifiable rather than definitional. No equation reduces a claimed prediction to its fitted input.
Axiom & Free-Parameter Ledger
free parameters (4)
- τdetect (detection threshold) =
0.12 (avg; range ~0.10–0.14)
- τmax (max divergence for correction scaling) =
0.35
- α (prototype momentum in sync mode) =
0.7
- number of benign traces for μnormal =
~50–100 traces
axioms (5)
- domain assumption Final-layer last-token hidden state is a sufficient summary of the agent's full reasoning trajectory for anomaly detection.
- domain assumption Compromised agents exhibit systematic activation deviations and mutual clustering relative to benign agents (Eq. 8).
- domain assumption High-level reasoning activation patterns remain consistent enough across diverse async task contexts that a fixed benign prototype works without temporal alignment.
- domain assumption Adversary can compromise agents and propagate via communication edges, but defender has white-box activation access to local open-weight backbones.
- ad hoc to paper Cosine distance in unit-normalized activation space is an appropriate divergence for flagging malicious reasoning.
invented entities (2)
-
Normal activation prototype μnormal
independent evidence
-
AcMAS adaptive activation-level correction (λ-steering)
no independent evidence
read the original abstract
While enabling effective collaboration on complex tasks, LLM-based Multi-Agent Systems (MAS) face critical security challenges due to vulnerabilities at the agent and interaction levels. Most existing MAS security defenses are built upon two core assumptions: semantically-explicit malicious attacks and explicit graph-based modeling of the MAS topology and agent-level interactions. In practice, real-world attacks are becoming more semantically stealthy, while MAS execution is typically asynchronous without the temporal alignment assumed by graph-based propagation models. To address these limitations, we propose AcMAS, an activation-based framework for malicious-behavior detection in MAS. By analyzing internal reasoning states in the activation space of local agents, AcMAS detects even stealthy attacks in a synchronization-robust fashion, without relying on explicit interaction graphs. Moreover, our activation analysis provides critical signals to guide AcMAS in restoring the functionality of compromised agents, rather than the disruptive agent isolation commonly used by the state-of-the-art methods. Comprehensive evaluation demonstrates that AcMAS significantly outperforms graph-based baselines against stealthy attacks, by +0.22 F1 in synchronous settings (0.94 vs. 0.72) and by +0.55 F1 in asynchronous settings (0.93 vs. 0.38), with generalization across diverse open-source LLM backbones, attack intensity, and MAS scale.
Figures
Reference graph
Works this paper leans on
-
[1]
Gemini: A Family of Highly Capable Multimodal Models
Gemini: a family of highly capable multimodal models , author=. arXiv preprint arXiv:2312.11805 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[2]
Qwen technical report , author=. arXiv preprint arXiv:2309.16609 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[3]
Deepseek-v3 technical report , author=. arXiv preprint arXiv:2412.19437 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[4]
Frontiers of Computer Science , volume=
A survey on large language model based autonomous agents , author=. Frontiers of Computer Science , volume=. 2024 , publisher=
work page 2024
-
[5]
Proceedings of the AAAI Conference on Artificial Intelligence , volume=
Memorybank: Enhancing large language models with long-term memory , author=. Proceedings of the AAAI Conference on Artificial Intelligence , volume=
-
[6]
Advances in Neural Information Processing Systems , volume=
Hugginggpt: Solving ai tasks with chatgpt and its friends in hugging face , author=. Advances in Neural Information Processing Systems , volume=
-
[7]
Forty-first International Conference on Machine Learning , year=
Gptswarm: Language agents as optimizable graphs , author=. Forty-first International Conference on Machine Learning , year=
-
[8]
Scaling Large Language Model-based Multi-Agent Collaboration
Scaling large language model-based multi-agent collaboration , author=. arXiv preprint arXiv:2406.07155 , year=
work page internal anchor Pith review Pith/arXiv arXiv
- [9]
-
[10]
Proceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining V
A survey on trustworthy llm agents: Threats and countermeasures , author=. Proceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining V. 2 , pages=
-
[11]
2025 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML) , pages=
Get my drift? catching llm task drift with activation deltas , author=. 2025 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML) , pages=. 2025 , organization=
work page 2025
-
[12]
DeepInception: Hypnotize Large Language Model to Be Jailbreaker
Deepinception: Hypnotize large language model to be jailbreaker , author=. arXiv preprint arXiv:2311.03191 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[13]
Proceedings of the AAAI Conference on Artificial Intelligence , volume=
Controlling large language models through concept activation vectors , author=. Proceedings of the AAAI Conference on Artificial Intelligence , volume=
-
[14]
RevPRAG: Revealing Poisoning Attacks in Retrieval-Augmented Generation through LLM Activation Analysis , author=. arXiv preprint arXiv:2411.18948 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[15]
Findings of the Association for Computational Linguistics ACL 2024 , pages=
LLM Factoscope: Uncovering LLMs’ Factual Discernment through Measuring Inner States , author=. Findings of the Association for Computational Linguistics ACL 2024 , pages=
work page 2024
-
[16]
Advances in Neural Information Processing Systems , volume=
Uncovering safety risks of large language models through concept activation vector , author=. Advances in Neural Information Processing Systems , volume=
-
[17]
Get my drift? Catching LLM Task Drift with Activation Deltas
Are you still on track!? Catching LLM Task Drift with Activations , author=. arXiv preprint arXiv:2406.00799 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[18]
Unveiling privacy risks in llm agent memory , author=. Proceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers) , pages=
-
[19]
Jbshield: Defending large language models from jailbreak attacks through activated concept analysis and manipulation , author=. arXiv preprint arXiv:2502.07557 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[20]
Commonsenseqa: A question answering challenge targeting commonsense knowledge , author=. Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Volume 1 (Long and Short Papers) , pages=
work page 2019
-
[21]
Training Verifiers to Solve Math Word Problems
Training verifiers to solve math word problems , author=. arXiv preprint arXiv:2110.14168 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[22]
arXiv preprint arXiv:2503.07675 , year=
DynTaskMAS: A Dynamic Task Graph-driven Framework for Asynchronous and Parallel LLM-based Multi-Agent Systems , author=. arXiv preprint arXiv:2503.07675 , year=
-
[23]
Proceedings of the 2018 conference on empirical methods in natural language processing , pages=
HotpotQA: A dataset for diverse, explainable multi-hop question answering , author=. Proceedings of the 2018 conference on empirical methods in natural language processing , pages=
work page 2018
-
[24]
Scaling Monosemanticity: Extracting Interpretable Features from Claude 3 Sonnet , author=. 2024 , howpublished=
work page 2024
-
[25]
International Conference on Learning Representations , volume=
Scaling and evaluating sparse autoencoders , author=. International Conference on Learning Representations , volume=
-
[26]
Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing , pages=
A Middle Path for On-Premises LLM Deployment: Preserving Privacy Without Sacrificing Model Confidentiality , author=. Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing , pages=
work page 2025
-
[27]
Dynamic Model Routing and Cascading for Efficient LLM Inference: A Survey
Dynamic model routing and cascading for efficient LLM inference: A survey , author=. arXiv preprint arXiv:2603.04445 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[28]
RouteLLM: Learning to Route LLMs with Preference Data
Routellm: Learning to route llms with preference data , author=. arXiv preprint arXiv:2406.18665 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[29]
FrugalGPT: How to Use Large Language Models While Reducing Cost and Improving Performance
Frugalgpt: How to use large language models while reducing cost and improving performance , author=. arXiv preprint arXiv:2305.05176 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[30]
Adversarial concept drift detection under poisoning attacks for robust data stream mining , author=. Machine learning , volume=. 2023 , publisher=
work page 2023
-
[31]
Computers & Security , volume=
Practical evaluation of poisoning attacks on online anomaly detectors in industrial control systems , author=. Computers & Security , volume=. 2022 , publisher=
work page 2022
-
[32]
European Conference on Information Retrieval , pages=
Poison-rag: Adversarial data poisoning attacks on retrieval-augmented generation in recommender systems , author=. European Conference on Information Retrieval , pages=. 2025 , organization=
work page 2025
-
[33]
Qwen3 technical report , author=. arXiv preprint arXiv:2505.09388 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[34]
LLaMA: Open and Efficient Foundation Language Models
Llama: Open and efficient foundation language models , author=. arXiv preprint arXiv:2302.13971 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[35]
gpt-oss-120b & gpt-oss-20b Model Card
gpt-oss-120b & gpt-oss-20b model card , author=. arXiv preprint arXiv:2508.10925 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[36]
International conference on machine learning , pages=
Interpretability beyond feature attribution: Quantitative testing with concept activation vectors (tcav) , author=. International conference on machine learning , pages=. 2018 , organization=
work page 2018
-
[37]
arXiv preprint arXiv:2503.03704 , year=
A practical memory injection attack against llm agents , author=. arXiv preprint arXiv:2503.03704 , year=
-
[38]
Internal value alignment in large language models through controlled value vector activation , author=. Proceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers) , pages=
-
[39]
Sentence-BERT: Sentence Embeddings using Siamese BERT-Networks
Sentence-bert: Sentence embeddings using siamese bert-networks , author=. arXiv preprint arXiv:1908.10084 , year=
work page internal anchor Pith review Pith/arXiv arXiv 1908
-
[40]
G-Safeguard: A Topology-Guided Security Lens and Treatment on LLM-based Multi-agent Systems , author=. CoRR , year=
-
[41]
BlindGuard: Safeguarding LLM-based Multi-Agent Systems under Unknown Attacks
Blindguard: Safeguarding llm-based multi-agent systems under unknown attacks , author=. arXiv preprint arXiv:2508.08127 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[42]
Prompt Infection: LLM-to-LLM Prompt Injection within Multi-Agent Systems
Prompt infection: Llm-to-llm prompt injection within multi-agent systems , author=. arXiv preprint arXiv:2410.07283 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[43]
Stepwise reasoning disruption attack of LLMs , author=. Proceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers) , pages=
-
[44]
ShadowCoT: Cognitive Hijacking for Stealthy Reasoning Backdoors in LLMs
Shadowcot: Cognitive hijacking for stealthy reasoning backdoors in llms , author=. arXiv preprint arXiv:2504.05605 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[45]
NetSafe: Exploring the Topological Safety of Multi-agent Networks
Netsafe: Exploring the topological safety of multi-agent networks , author=. arXiv preprint arXiv:2410.15686 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[46]
Agentsafe: Safeguarding large language model-based multi-agent systems via hierarchical data management , author=. arXiv preprint arXiv:2503.04392 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[47]
To trust or not to trust: Attention-based Trust Management for LLM Multi-Agent Systems
Attention Knows Whom to Trust: Attention-based Trust Management for LLM Multi-Agent Systems , author=. arXiv preprint arXiv:2506.02546 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[48]
InjecAgent: Benchmarking Indirect Prompt Injections in Tool-Integrated Large Language Model Agents
Injecagent: Benchmarking indirect prompt injections in tool-integrated large language model agents , author=. arXiv preprint arXiv:2403.02691 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[49]
Proceedings of the 41st International Conference on Machine Learning , pages=
Agent Smith: a single image can jailbreak one million multimodal LLM agents exponentially fast , author=. Proceedings of the 41st International Conference on Machine Learning , pages=
-
[50]
Psysafe: A comprehensive framework for psychological-based attack, defense, and evaluation of multi-agent system safety , author=. Proceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers) , pages=
-
[51]
The Wolf Within: Covert Injection of Malice into MLLM Societies via an MLLM Operative
The wolf within: Covert injection of malice into mllm societies via an mllm operative , author=. arXiv preprint arXiv:2402.14859 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[52]
Findings of the Association for Computational Linguistics: ACL 2025 , pages=
Red-teaming llm multi-agent systems via communication attacks , author=. Findings of the Association for Computational Linguistics: ACL 2025 , pages=
work page 2025
-
[53]
MASTER: Multi-Agent Security Through Exploration of Roles and Topological Structures--A Comprehensive Framework , author=. arXiv preprint arXiv:2505.18572 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[54]
CORBA: Contagious Recursive Blocking Attacks on Multi-Agent Systems Based on Large Language Models
Corba: Contagious recursive blocking attacks on multi-agent systems based on large language models , author=. arXiv preprint arXiv:2502.14529 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[55]
arXiv preprint arXiv:2504.00218 , year=
Agents Under Siege: Breaking Pragmatic Multi-Agent LLM Systems with Optimized Prompt Attacks , author=. arXiv preprint arXiv:2504.00218 , year=
-
[56]
Evil Geniuses: Delving into the Safety of LLM-based Agents
Evil geniuses: Delving into the safety of llm-based agents , author=. arXiv preprint arXiv:2311.11855 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[57]
Prompt Injection attack against LLM-integrated Applications
Prompt injection attack against llm-integrated applications , author=. arXiv preprint arXiv:2306.05499 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[58]
First Conference on Language Modeling , year=
Autogen: Enabling next-gen LLM applications via multi-agent conversations , author=. First Conference on Language Modeling , year=
-
[59]
Multi-Agent Collaboration: Harnessing the Power of Intelligent LLM Agents
Multi-agent collaboration: Harnessing the power of intelligent llm agents , author=. arXiv preprint arXiv:2306.03314 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[60]
Proceedings of the AAAI Conference on Artificial Intelligence , volume=
Ai-driven virtual teacher for enhanced educational efficiency: Leveraging large pretrain models for autonomous error analysis and correction , author=. Proceedings of the AAAI Conference on Artificial Intelligence , volume=
-
[61]
Memory Injection Attacks on LLM Agents via Query-Only Interaction , author=
-
[62]
Graph Neural Networks Gone Hogwild , author=
-
[63]
Large Language Model for Participatory Urban Planning
Large language model for participatory urban planning , author=. arXiv preprint arXiv:2402.17161 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[64]
Forty-first International Conference on Machine Learning , year=
Improving factuality and reasoning in language models through multiagent debate , author=. Forty-first International Conference on Machine Learning , year=
-
[65]
Proceedings of the 2024 conference on empirical methods in natural language processing , pages=
Encouraging divergent thinking in large language models through multi-agent debate , author=. Proceedings of the 2024 conference on empirical methods in natural language processing , pages=
work page 2024
-
[66]
Advances in Neural Information Processing Systems , volume=
Camel: Communicative agents for" mind" exploration of large language model society , author=. Advances in Neural Information Processing Systems , volume=
-
[67]
International Conference on Learning Representations , volume=
MetaGPT: Meta programming for a multi-agent collaborative framework , author=. International Conference on Learning Representations , volume=
-
[68]
Advances in Neural Information Processing Systems , volume=
Truncated affinity maximization: One-class homophily modeling for graph anomaly detection , author=. Advances in Neural Information Processing Systems , volume=
-
[69]
2023 IEEE International Conference on Data Mining (ICDM) , year=
PREM: A Simple Yet Effective Approach for Node-Level Graph Anomaly Detection , author=. 2023 IEEE International Conference on Data Mining (ICDM) , year=
work page 2023
-
[70]
Zhuge, Mingchen and Liu, Haozhe and Faccio, Francesco and Ashley, Dylan R. and Csordás, Róbert and Gopalakrishnan, Anand and Hamdi, Abdullah and Hammoud, Hasan Abed Al Kader and Herrmann, Vincent and Irie, Kazuki and Kirsch, Louis and Li, Bing and Li, Guohao and Liu, Shuming and Mai, Jinjie and Piekos, Piotr and Ramesh, Aditya A. and Schlag, Imanol and Sh...
- [71]
-
[72]
Researchagent: Iterative research idea generation over scientific literature with large language models , author=. Proceedings of the 2025 Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies (Volume 1: Long Papers) , pages=
work page 2025
-
[73]
MetaAgent: Automatically Constructing Multi-Agent Systems Based on Finite State Machines
MetaAgent: Automatically Constructing Multi-Agent Systems Based on Finite State Machines , author=. arXiv preprint arXiv:2507.22606 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[74]
Multi-agent Architecture Search via Agentic Supernet
Multi-agent architecture search via agentic supernet , author=. arXiv preprint arXiv:2502.04180 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[75]
AFlow: Automating Agentic Workflow Generation
Aflow: Automating agentic workflow generation , author=. arXiv preprint arXiv:2410.10762 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[76]
Siamese network features for image matching , author=. ICPR , pages=. 2016 , organization=
work page 2016
-
[77]
Online siamese network for visual object tracking , author=. Sensors , volume=. 2019 , publisher=
work page 2019
-
[78]
Proceedings of the IEEE conference on computer vision and pattern recognition , pages=
Deep residual learning for image recognition , author=. Proceedings of the IEEE conference on computer vision and pattern recognition , pages=
-
[79]
Attack the Messages, Not the Agents: A Multi-round Adaptive Stealthy Tampering Framework for LLM-MAS
Attack the messages, not the agents: A multi-round adaptive stealthy tampering framework for llm-mas , author=. arXiv preprint arXiv:2508.03125 , year=
work page internal anchor Pith review Pith/arXiv arXiv
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.