More Works from Our Lab

Paper Title 1

Brief description of the work and its main contribution.

Conference/Journal 2024
Paper Title 2

Brief description of the work and its main contribution.

Conference/Journal 2023
Paper Title 3

Brief description of the work and its main contribution.

Conference/Journal 2023

A2ASecBench: A Protocol-Aware Security Benchmark for Agent-to-Agent Multi-Agent Systems

Tianhao Li1*, Chuangxin Chu2*, Yujia Zheng1*, Bohan Zhang3
Neil Zhenqiang Gong1 Chaowei Xiao4
1 Duke University, 2 Nanyang Technological University, 3 University of Michigan, Ann Arbor, 4 Johns Hopkins University
The Fourteenth International Conference on Learning Representations (ICLR 2026)
*Indicates Equal Contribution
Paper Code arXiv

Abstract

Multi-agent systems (MAS) built on large language models (LLMs) increasingly rely on agent-to-agent (A2A) protocols to enable capability discovery, task orches- tration, and artifact exchange across heterogeneous stacks. While these protocols promise interoperability, they also introduce new vulnerabilities. In this paper, we present the first comprehensive security evaluation of A2A-MAS. We develop a taxonomy and threat model that categorize risks into supply-chain manipulations and protocol-logic weaknesses, and we detail six concrete attacks spanning all A2A stages and components with impacts on confidentiality, integrity, and avail- ability. Building on this taxonomy, we introduce A2ASECBENCH, the first A2A- specific security benchmark framework capable of probing diverse and previously unexplored attack vectors. Our framework incorporates a dynamic adapter layer for deployment across heterogeneous agent stacks and downstream workloads, alongside a joint safety-utility evaluation methodology that explicitly measures the trade-off between harmlessness and helpfulness by pairing adversarial trials with benign tasks. We empirically validate our framework using official A2A Project demos across three representative high-stakes domains (travel, health- care, and finance), demonstrating that the identified attacks are both pervasive and highly effective, consistently bypassing default safeguards. These findings high- light the urgent need for protocol-level defenses and standardized benchmarking to secure the next generation of agentic ecosystems.

Background

The Agent-to-Agent (A2A) protocol1,2, proposed by Google in April 2025, facilitates interoperability across diverse agent stacks. Similar to HTTP's role in the traditional internet, it standardizes communication between client and server agents in multi-agent settings, following A2A protocol specification3. Moreover, the unique AgentCard element support agent discovery4 in public registry5,6 (like plug-in market in VSCode) while preserving developers' intellectual property based on opaque backend implementation7. Evidence indicates that the A2A protocol has been widely adopted across both academic8,9,10 and industrial11,12,13 sectors, has become an emerging foundational infrastructure for next generation agentic network.
A2A and MCP overview

Source: https://a2aprotocol.ai/

Threat Models

Adversary can exploit vulnerabilities in the agent discovery and trust mechanisms. By publishing spoofed AgentCards (AgentCard Spoofing) in the public registry, the attacker can mislead the system into trusting a malicious agent. Through Capability Cloaking (CC), the adversary hides malicious functionalities within an agent's backend, allowing it to bypass standard checks. Once admitted into the trusted network, the adversary can leverage this agent to disrupt the system's operations. This may include degrading system availability through attacks like Cycle Overflow (CO) and Half-Open Task Flooding (HOTF), or compromising integrity and confidentiality by utilizing techniques such as Agent-Side Request Forgery (ASRF) and Artifact-Triggered Script Injection (ATSI).
Colors: Knowledge Capabilities Goals Shapes: Attack Nodes Knowledge/Capability/Goal Nodes

Click a hexagonal attack node to view threat model in detail

Select an attack to view its mapped Knowledge, Capabilities, and Goals elements.

    Evaluation Framework

    BibTeX

    @inproceedings{
    li2026aasecbench,
    title={A2{AS}ecBench: A Protocol-Aware Security Benchmark for Agent-to-Agent Multi-Agent Systems},
    author={Tianhao Li and Chuangxin Chu and Yujia Zheng and Bohan Zhang and Neil Zhenqiang Gong and Chaowei Xiao},
    booktitle={The Fourteenth International Conference on Learning Representations},
    year={2026},
    url={https://openreview.net/forum?id=LfdFnakqGJ}
}