A Survey of LLM-Driven AI Agent Communication: Protocols, Security Risks, and Defense Countermeasures

📝 Paper Summary

Agent Communication Protocols Agent Security

The paper provides the first comprehensive definition and classification of agent communication, identifying security risks and defenses across User-Agent, Agent-Agent, and Agent-Environment interactions.

Core Problem

As agents evolve from isolated models to communicating entities using protocols like MCP and A2A, they expose new attack surfaces (e.g., spoofing, privacy leakage) that existing security frameworks do not address.

Why it matters:

Cross-organization agent communication significantly enlarges the attack surface, potentially leading to severe real-world damage via unauthorized tool access or data breaches
Current research focuses on single-agent security or general Multi-Agent Systems (MAS) without addressing the specific protocols and lifecycle risks of LLM-driven agent communication
Market adoption is rapid (e.g., hundreds of enterprises adopting Anthropic's MCP), but security research is still in a nascent stage compared to deployment speed

Concrete Example: When making a travel plan, an agent must communicate with external entities (weather services, ticket booking agents). Without secure communication protocols, a malicious entity could spoof a booking agent to steal funds or inject false weather data to disrupt the plan.

Key Novelty

Three-Layer Agent Communication Architecture & Security Taxonomy

Proposes the first clear definition of 'agent communication' and classifies it into three distinct classes: User-Agent (U-A), Agent-Agent (A-A), and Agent-Environment (A-E)
Develops a three-layered communication architecture for each class to pinpoint exactly where security risks arise within the communication lifecycle
Systematically categorizes 19 existing communication protocols and maps them to specific security risks and defense countermeasures

Architecture

The organization of the survey and the proposed three-layered communication architecture, categorizing the field into User-Agent, Agent-Agent, and Agent-Environment interactions

Breakthrough Assessment

8/10

Establishment of a foundational taxonomy for a rapidly emerging field (Agent Communication). While it is a survey, the structural definition and security mapping fill a critical gap left by general agent surveys.

⚙️ Technical Details

Problem Definition

Setting: Security analysis of the complete lifecycle of LLM-driven AI agent communication

Inputs: Existing communication protocols (e.g., MCP, A2A), interaction scenarios, and threat models

Outputs: Taxonomy of risks, classification of protocols, and proposed defense countermeasures

Pipeline Flow

User-Agent (U-A) Analysis
Agent-Agent (A-A) Analysis
Agent-Environment (A-E) Analysis

System Modules

User-Agent (U-A) Framework

Analyze protocols and risks in human-agent interaction

Model or implementation: Survey of protocols (e.g., AG-UI, ACP-AgentUnion)

Agent-Agent (A-A) Framework

Analyze protocols and risks in multi-agent collaboration

Model or implementation: Survey of protocols (e.g., A2A, ACN, Agent Protocol)

Agent-Environment (A-E) Framework

Analyze protocols and risks in tool/data access

Model or implementation: Survey of protocols (e.g., MCP, API Bridge Agent)

Novel Architectural Elements

Three-layered communication architecture proposed to clarify functional boundaries and isolate risk layers within each communication class (U-A, A-A, A-E)

Comparison to Prior Work

vs. Gan et al.: This paper covers the full communication lifecycle (U-A, A-A, A-E) rather than just User-Agent interaction
vs. Yang et al.: This paper integrates security risk analysis and defense countermeasures, which are absent in Yang et al.
vs. General MAS Surveys: Distinguishes LLM-driven agents from traditional Multi-Agent Systems (MAS) and addresses the unique prompt-injection and non-deterministic risks of LLMs

Limitations

Field is nascent; many identified risks are theoretical or based on preliminary protocols like MCP/A2A
Defense countermeasures are likely in early stages of development compared to the rapid deployment of agents
Specific quantitative results of the MCP/A2A experiments are not available in the provided text snippet

Reproducibility

Code: https://github.com/theshi-1128/awesome-agent-communication-security

The paper is a survey but includes a repository of related papers (https://github.com/theshi-1128/awesome-agent-communication-security). The authors mention conducting experiments on MCP and A2A, but specific code for these attacks is not explicitly linked in the provided text snippets.

📊 Experiments & Results

Evaluation Setup

Survey and taxonomy construction, supplemented by practical vulnerability testing of leading protocols

Benchmarks:

Model Context Protocol (MCP) (Agent-Environment Communication Standard)
Agent-to-Agent Protocol (A2A) (Agent-Agent Communication Standard)

Metrics:

Security Vulnerability (Qualitative)
Attack Feasibility
Statistical methodology: Not explicitly reported in the paper

Main Takeaways

Agent communication introduces novel attack surfaces beyond those of standalone LLMs, including agent spoofing and bullying in A-A interactions
Existing popular protocols like MCP and A2A currently expose significant security hazards that can cause severe damage in real-world scenarios
A systematic three-layer architecture is necessary to categorize and defend against risks that arise at different stages of the agent communication lifecycle
Current security research lags behind the rapid commercial adoption of agent communication standards by major tech companies

📚 Prerequisite Knowledge

Prerequisites

Understanding of LLM-driven Agents (perception, reasoning, execution)
Basic knowledge of API and communication protocols
Familiarity with cybersecurity concepts (Attack Surface, DoS, Spoofing)

Key Terms

MCP: Model Context Protocol—A universal open standard by Anthropic that allows agents to communicate with external data and tools

A2A: Agent-to-Agent Protocol—A Google-proposed protocol enabling seamless communication and collaboration among remote agents across the Internet

U-A: User-Agent Interaction—Communication between human users and AI agents

A-A: Agent-Agent Interaction—Collaboration or communication between multiple AI agents, potentially across different organizations

A-E: Agent-Environment Interaction—Communication between agents and external environments, such as datasets, tools, or APIs

IoA: Internet of Agents—A network of interconnected agents collaborating to perform complex tasks, analogous to the Internet of Things

Spoofing: An attack where a malicious party impersonates a legitimate agent or user to gain unauthorized access

DoS: Denial of Service—An attack meant to shut down a machine or network, making it inaccessible to its intended users