CIA: Inferring the Communication Topology from LLM-based Multi-Agent Systems
Researchers have identified a critical privacy vulnerability in LLM-based multi-agent systems, demonstrating that communication topologies can be reverse-engineered through black-box attacks. The Communication Inference Attack (CIA) achieves up to 99% accuracy in inferring how agents communicate, exposing significant intellectual property and security risks in AI systems.
The emergence of LLM-based multi-agent systems represents a significant architectural advancement in AI, enabling complex problem-solving through distributed agent collaboration. However, this research exposes a fundamental security gap: the internal communication patterns that define how these systems operate can be systematically extracted by adversaries. This vulnerability matters because communication topology is often proprietary—companies invest substantially in optimizing how their agents interact, and this intellectual property can be stolen through relatively simple inference techniques.
The CIA attack operates within a black-box constraint, meaning attackers need no internal access to the system. By crafting adversarial queries designed to trigger intermediate agent reasoning and analyzing semantic correlations, researchers achieved an average inference accuracy of 87%, with peak performance reaching 99%. This methodology uses global bias disentanglement and LLM-guided weak supervision to model agent interactions without direct observation. The attack's effectiveness under such restrictive conditions suggests that even well-secured systems remain vulnerable to determined adversaries.
For the AI industry, this finding accelerates the timeline for developing robust security frameworks around multi-agent systems. Companies deploying multi-agent systems (MAS) in production environments must now consider topology obfuscation and communication encryption as baseline requirements rather than optional enhancements. The intellectual property threat is particularly acute for organizations developing specialized agent architectures for competitive advantage.
Looking forward, the security community should expect rapid iteration on both attack and defense mechanisms. Organizations deploying multi-agent systems need immediate security audits, while AI safety research should prioritize developing topology-hiding techniques that maintain system performance without sacrificing security.
- Communication topologies in LLM-based multi-agent systems can be inferred with up to 99% accuracy through black-box attacks
- The CIA attack requires only adversarial queries without internal system access, making it broadly exploitable
- This vulnerability exposes both intellectual property and security risks for deployed multi-agent systems
- Companies must implement topology obfuscation and communication encryption as standard security practices
- The attack's effectiveness signals an emerging category of inference-based attacks on AI system architectures