We'd like to appreciate your praise on the completeness of the paper and the design of our method. Hope our response can solve your concerns.

1. About the LLM-based inspector

We agree that the inspector is important to our method. We give the details of the performance of the inspector used in the paper below:

• Settings: The evaluation is conducted on a combination of malicious outputs from Advbench and normal(benign) outputs from the ordinary chat history of our agents. We test the inspector in 1-turn and 3-turn settings. For the multi-turn test, a sample is labeled as harmful if it is classified as harmful in ANY turn.
• Analysis: Overall, although not able to achieve 100% accurate detection, our inspector is effective enough for Cowpox. This is because:
  • Only very few benign samples will be misclassified. Cowpox agents account for only a very small portion of the total, so less than 2% of benign samples will be misclassified.
  • Misclassifying benign samples has little impact on the system. The cure crafted based on misclassified benign samples still perfectly contains its original information. So there will be almost no effects.
  • FNR approaches 0 when the test round increases. The system only needs the virus to be detected in any chat round once to achieve effective defense. Cowpox does not require a very strong inspector.

2. The generalizability of the proposed defense mechanism may be questionable.

The generalizability can be demonstrated by the following two experiments. We modify the original system to simulate diverse systems.

• Effective in the system of different structured communication settings.

  • Settings: We assume that the system is hierarchical. The agents are divided into 8 groups, and can only do the pair-wise chat with their group members. In each group, there are 3 manager agents, which communicate with manager agents of other groups every 4 rounds. Such hierarchical structures are often adopted in works like AutoGen [1].
  • Results: link.
  • Analysis: We can see that the virus infects agents more slowly, and so does the Cowpox cure the agent. This is because the hierarchical structure can temporarily isolate the infected agents.

• Effective across diverse underlying base models and RAG systems

  • Settings: We adopt 2 VLM models (LlaVA-1.5, InstructBLIP) and 2 RAG encoders (CLIP, DINO V2) in the experiment. The agent chooses its base model and RAG encoder randomly initially to form a multi-agent that consists of heterogeneous agents.
  • Results: link.
  • Analysis: From the figure, The virus in this system performs worse, while Cowpox is almost equally effective. This is because the cure only targets the RAG system, therefore fewer models are involved in crafting it, making the optimization easier.

---

Reference

1. Wu, Qingyun, et al. "Autogen: Enabling next-gen llm applications via multi-agent conversation." arXiv preprint arXiv:2308.08155 (2023).

Thank you for your valuable feedback, which we believe will improve the paper. We appreciate that you liked the structure of our paper and our method’s effectiveness. Please find our responses below.

1. The practicality of the targeting scenarios

We agree with your comments that currently, the user has full access to all the agents is a common setting in many well-known multi-agent systems. However, this setting does not apply to all of the multi-agent systems. Our scenario is practical, especially in the following scenarios.

• Multi-embodied-agent system. Pioneering works like Co-LLM-Agent create systems with multiple embodied agents operating in the physical world. In this scenario, an attacker can introduce the attack agent by simply putting it somewhere close to the benign agents to infect the system.
• Multi-agent system on edge devices. There are works [2-3] investigating distributive multi-agent systems. In these systems, the agents are implemented on different edge devices like mobile phones or vehicles, where it is hard for the user to access all of the agents, making it possible for a malicious agent to get involved.
• Blockchain-based decentralized multi-agent systems. Systems like SingularityNET, Fetch.AI, and HyperCycle allow the agents owned by different users to collaborate, share data, and learn from each other anonymously, which further realizes the attack surface. An attack started by a malicious agent can be easily conducted in these scenarios, and distributive countermeasures like Cowpox seem to be the only solution.
• Finally, The threat of the infectious attack could come NOT from the agents, but from the working environment of the system. Even in a situation where the user has full access, A virus in the environment can always turn an originally benign agent into an attack agent by infecting it in the wild. For example, multi-agent systems like Camel and BabyAGI allow the agents in the system to access the Internet, where the virus sample might be accidentally obtained by the agent and infect it, turning this unlucky agent into an attacker. The attack can also be achieved by other approaches such as poisoning the RAG database of certain agents.

2. The proposed defense method is too specific

We fully understand your concerns about the generalizability of Cowpox. We'd like to claim that our method is a general defense strategy against infectious attacks.

• Our method is designed to deal with an attack paradigm instead of a specific attack. The core idea of Cowpox is to isolate the suspicious sample from the agent by preventing it from being retrieved. This indicates that our method is able to interrupt the transmission process of the infectious attack in ANY multi-agent system with RAG.
• The alignment in the tested system helps us better evaluate our defense. The attack performance of Gu et. al. is perfectly demonstrated in their paper. We mainly test our defense on their system to fairly show its effectiveness.

To further demonstrate the generalizability, we investigate two different multi-agent systems to show that Cowpox can work in diverse settings:

• Effective in the system of different structured communication settings.

  • Settings: We assume that the system is hierarchical. The agents are divided into 8 groups, and can only do the pair-wise chat with their group members. In each group, there are 3 manager agents, which communicate with manager agents of other groups every 4 rounds. Such hierarchical structures are often adopted in works like AutoGen [1].
  • Results: link.
  • Analysis: We can see that the virus infects agents more slowly, and so does the Cowpox cure the agent. This is because the hierarchical structure can temporarily isolate the infected agents.

• Effective across diverse underlying base models and RAG systems

  • Settings: We adopt 2 VLM models (LlaVA-1.5, InstructBLIP) and 2 RAG encoders (CLIP, DINO V2) in the experiment. The agent chooses its base model and RAG encoder randomly initially to form a multi-agent that consists of heterogeneous agents.
  • Results: link.
  • Analysis: From the figure, The virus in this system performs worse, while Cowpox is almost equally effective. This is because the cure only targets the RAG system, therefore fewer models are involved in crafting it, making the optimization easier.

References

2. Zhang, Chi, et al. "Appagent: Multimodal agents as smartphone users." arXiv preprint arXiv:2312.13771 (2023).

3. Wang, Junyang, et al. "Mobile-agent: Autonomous multi-modal mobile device agent with visual perception." arXiv preprint arXiv:2401.16158 (2024).

We appreciate that you liked the novelty of our paper and all the other strengths stated. Please find our responses below.

1. Scalability Concerns

The computational overhead of the LLM-based inspector is linearly related to the chat rounds, and the numbers of the cowpox agent, and is not related to the length of the chat history, as it only examines the output in the current chat round in our design. A more capable inspector that also goes through the chat history can be implemented though in case of a more sophisticated attack. We will discuss this issue in the revised paper.

2. Adaptive Attack Complexity

The adaptive attack discussed in the paper might seem simple, but it is exclusively designed for Cowpox. Below we rationale our claim:

• The fundamental mechanism of Cowpox. The cure samples crafted by Cowpox eliminate the virus sample by gaining a higher RAG score. This means the virus cannot be retrieved from the database of the agent so as to interrupt the transmission.

• The adaptive attack targets the fundamental mechanism of Cowpox. To target this mechanism, the adaptive attack tries to craft a sample that could score even higher than the cure sample. This is guaranteed by comparing the average RAG score of the cure sample and that of the virus, and stopping the optimization until the RAG score of the adaptive virus exceeds that of the cure sample.

We considered a more sophisticated version of the adaptive attack, in conclusion, Cowpox in this case is still effective.

• Settings: we adopted meta-learning to make the jailbreak target more resilient to the recovery process of Strategy ① discussed in the paper. The adaptive virus is crafted by a dual optimization process:

  • The inner loop simulates the process of Strategy ①.
  • The outer loop maximizes the RAG score and minimizes the loss between the VLM output and the target outputs.

• Results: link

• Analysis: We find that the so-crafted adaptive virus tends to be less effective, as demonstrated in the provided link. On the other hand, it takes more rounds for the cure sample to recover all the agents, indicating the effectiveness of the meta-learning.

Lastly, it is always possible that more sophisticated, adaptive attacks will be developed in the future that circumvents our defense and would be interesting to study as a follow-up to our work.

3. Generalizability

Thank you for your valuable advice. We conduct experiments on agents based on different VLM and RAG systems. The effectiveness holds when heterogeneous agents coexist in the same system,

• Settings: we adopt 2 VLM models (LlaVA-1.5, InstructBLIP) and 2 RAG encoders (CLIP, DINO V2) in the experiment. The agent chooses its base model and RAG encoder randomly initially to form a multi-agent that consists of heterogeneous agents.
• Results: link.
• Analysis: From the figure, The virus in this system performs worse, while Cowpox is almost equally effective. This is because the cure only targets the RAG system, therefore fewer models are involved in crafting it, making the optimization easier.

Thank you for your careful review of our paper and thoughtful comments. We hope the following responses will address your concerns.

1. About the Inspector:

We agree that the inspector is important to our method. The details of the performance of the inspector used in the paper is as below:

• Settings: The evaluation is conducted on a combination of malicious outputs from Advbench and normal(benign) outputs from the ordinary chat history of our agents. We test the inspector in 1-turn and 3-turn settings. For the multi-turn test, a sample is labeled as harmful if it is classified as harmful in ANY turn.
• Analysis: Overall, although not able to achieve 100% accurate detection, our inspector is effective enough for Cowpox. This is because:
  • Very few benign samples will be misclassified. There are very few Cowpox agents in the system, so less than 2% of benign samples will be misclassified.
  • Misclassifying benign samples has little impact on the system. The cure crafted based on misclassified benign samples still perfectly contains its original information. So there will be almost no effects.
  • FNR approaches 0 when the test round increases. The system only needs the virus to be detected in any chat round ONCE to achieve effective defense. Cowpox does not require a very strong inspector

2.1 Multiple Viruses

Cowpox works well in the multiple virus scene

• Settings: We crafted 10 different viruses carried by random agents initially. They are based on different image and malicious outputs.

• Results.

• Analysis: We can see there is also competition between the virus. All the infectious rate curve approaches 0 at the end of the simulation

2.2 Adaptively Optimized Samples Overrounds:

Cowpox makes the system increasingly robust to similar viruses.

• Settings: The attacker continually collects the cure sample for the previous virus and optimizes the new virus, making it have a higher RAG score.
• Results: Below showed the peak infected rate of viruses of each version.

• Analysis: When the attacker continues to adapt craft the virus, it becomes harder and harder for the virus to gain a higher RAG score, according to Proposition 5.1. Therefore we can see a declining Peak infected rate.

3: About simple baseline

We acknowledge the importance of a good baseline. However, we think it is difficult to compare any existing baseline with our work fairly, currently.

• The infectious attack is very pioneering at present. As the first system-level defense against such attack, there is no similar work that we can compare with.
• The existing defenses are only at the model level. They only provide protection to single agents, regardless of the rest agents in the system. We must assume the defender has access to every agent to achieve reasonable performance. While cowpox works in circumstances where the access to the agents is very limited. These model-level defenses are completely ineffective in these settings.

4: Effectiveness in various structured communication settings.

Cowpox is effective in various structured communication settings.

• Settings: We assume that the system is hierarchical. The agents are divided into 8 groups, and can only do the pair-wise chat with their group members. In each group, there are 3 manager agents, which communicate with manager agents of other groups every 4 rounds. Such hierarchical structures are often adopted in works like AutoGen.
• Results.
• Analysis: We can see that the virus infects agents more slowly, and so does the Cowpox cure the agent. This is because the hierarchical structure can temporarily isolate the infected agents.

5: Diverse base models and RAG systems

The effectiveness holds when heterogeneous agents coexist in the same system,

• Settings: we adopt 2 VLM models (LlaVA-1.5, InstructBLIP) and 2 RAG encoders (CLIP, DINO V2) in the experiment. The agent chooses its base model and RAG encoder randomly initially to form a multi-agent that consists of heterogeneous agents.
• Results.
• Analysis: From the figure, The virus in this system performs worse, while Cowpox is almost equally effective. This is because the cure only targets the RAG system, therefore fewer models are involved in crafting it, making the optimization easier.

6: About the CLIP and BLEU score

CLIP score and BLEU score are used to measure how well the original virus samples can be restored to normal samples by Strategy ①, rather than the system degradation. The CLIP score and BLEU measure how far the output deviates from the benign one. A virus naturally has small scores as its outputs are manipulated.