Hierarchical Attacks for Multi-Modal Multi-Agent Reasoning
Summary
JD.com researchers introduced HAM3, a Hierarchical Attack framework designed to identify vulnerabilities in multi-modal multi-agent systems (MM-MAS) by decomposing attacks into three interconnected layers: perception, communication, and reasoning. The framework perturbs visual and textual inputs at the perception layer, corrupts message content and interaction topology at the communication layer, and interferes with agents' cognitive pipelines at the reasoning layer. Evaluated on the GQA benchmark using MM-MAS built on ReAct, Plan-and-Solve, and Reflexion paradigms, HAM3 achieved an Attack Success Rate (ASR) of up to 78.3%. Reasoning-layer attacks, particularly the Chain-of-Thought Injection Attack (CIA), proved most effective, with more than half of successful attacks leading to consistent errors across multiple agents. Larger models like GPT-4o demonstrated higher robustness, while the ReAct paradigm was found most vulnerable. The study highlights the cascading nature of vulnerabilities and the dominance of systemic errors across all attack layers.
Key takeaway
For AI Architects and Research Scientists developing or deploying multi-modal multi-agent systems, this research indicates that reasoning-layer vulnerabilities pose the most significant threat, leading to systemic failures. You should prioritize designing robust internal reasoning mechanisms and validation steps, especially when using paradigms like ReAct. Consider integrating larger, more stable foundation models and implementing comprehensive security strategies that address not just input perturbations but also communication topology and internal cognitive processes to mitigate cascading adversarial effects.
Key insights
HAM3 reveals how hierarchical attacks across perception, communication, and reasoning layers compromise multi-modal multi-agent systems.
Principles
- Reasoning-layer attacks are most effective.
- Larger models offer better adversarial robustness.
- Systemic errors dominate across all attack layers.
Method
HAM3 decomposes attacks into perception (input perturbation), communication (message/topology corruption), and reasoning (cognitive pipeline interference) layers, evaluating their impact on MM-MAS using metrics like ASR and Cross-Modal Consistency.
In practice
- Prioritize securing reasoning pipelines in MM-MAS.
- Implement robust cross-validation in communication layers.
- Use larger foundation models for enhanced resilience.
Topics
- Multi-Modal Multi-Agent Systems
- Hierarchical Attack Framework
- Adversarial Robustness
- Perception Layer Attacks
- Communication Layer Attacks
Best for: AI Architect, Research Scientist, CTO, AI Scientist, AI Security Engineer, Machine Learning Engineer
Editorial summary, takeaway, and curation by AIssential. Original article published by cs.AI updates on arXiv.org.