- The paper presents a cascaded hybrid architecture that detects prompt injection and tool poisoning in MCP-based LLM systems.
- It employs a three-tier pipeline—regex pre-filtering, semantic judgment using local LLMs, and output filtering—to ensure efficiency, precision, and privacy.
- Experimental results demonstrate high precision (95.85%) and low false positives (6.06%), though challenges remain with semantic attack recall.
Introduction: Threats in MCP-Enabled LLM Ecosystems
The deployment of the Model Context Protocol (MCP) has introduced a versatile interface for connecting LLMs to external tools, thereby expanding capabilities for complex task automation. However, this architectural enhancement has also magnified the attack surface—introducing tool poisoning and novel forms of prompt injection unattainable in traditional LLM setups. Figure 1 delineates the classical LLM pipeline with a singular attack vector, while Figure 2 highlights the considerably broader attack perimeter in MCP-based systems due to multi-tier tool mediation and metadata exposure.
Figure 1: Inference pipeline and security boundary of a traditional LLM architecture.
Figure 2: The attack surface complexity of MCP-based systems compared to monolithic LLM architectures.
Persistent vulnerabilities such as prompt injection, tool poisoning (including subtypes like rug pulls and schema poisoning), indirect injection, and data exfiltration, are critically prevalent, with empirical attack success rates exceeding 70% on real-world LLM agent testbeds. Existing countermeasures are systematically insufficient—suffering from high false positive rates, reliance on external APIs, or infeasibility in black-box settings.
CASCADE Architecture: Layered, Fully-Local Defense
CASCADE operationalizes a three-tier hybrid detection pipeline. Each layer incrementally mediates the trade-off between computational efficiency, detection coverage, and privacy, as illustrated in Figure 3.
Figure 3: The CASCADE three-layer security architecture for MCP-based LLM systems.
Layer 1: Fast Pre-Filter
Layer 1 executes regex-centric, phrase-weighted, and entropy-based filtering after rigorous normalization, glyph unification, and obfuscation decoding. With over 100 regex templates across seven attack classes, this layer distinguishes direct/indirect/hybrid injections via contextual and governance lexemes. Risk scoring dictates immediate blocking for high-confidence matches.
Layer 2: Semantic Judge
Inputs surviving Layer 1 are semantically analyzed via BGE embedding similarity to attack archetypes. Ambiguous cases invoke a Llama3-based local LLM for secondary verification, operating strictly “on-prem” to maintain data sovereignty. Decisions are tri-valued: BLOCK, ALLOW, or REVIEW (human-in-the-loop).
Layer 3: Output Filter
Layer 3 introspects all generated outputs prior to externalization. Multi-modal pattern recognition—covering secret detection, credential regex, and entropy checks—prevents outbound data exfiltration and indirect injection.
The full pipeline imposes no external API dependencies, ensuring high-throughput operation and adherence to strict data privacy constraints.
Experimental Results: Attack Coverage and Usability
The evaluation employs a dataset of 5,000 samples, aggregating benign and malicious inputs from GitHub Adversarial, VulnerableMCP, and OWASP sources, with real-world attack distributions.
Key outcomes:
- Precision: 95.85%
- False Positive Rate: 6.06%
- Recall: 61.05%
- F1-score: 0.7459
- Specificity: 93.94%
CASCADE yields high detection in data exfiltration (91.5%) and prompt injection (84.2%), contrasting with lower recall on semantic attacks (52.5%) and tool poisoning (59.9%).
All false positives originated in direct injection patterns due to ambiguity between benign and nefarious intent—a non-negligible source of usability cost but a marked improvement over previously reported FPR values exceeding 90% in API/LLM-based solutions.
Implications and Limitations
Practical Implications
- Deployment: The local design ensures applicability in regulated environments where data egress is prohibited.
- Usability: The reduction in FPR to 6.06% renders CASCADE viable for deployment compared to prior frameworks with prohibitive false detection rates.
- Human-AI Teaming: The explicit REVIEW verdict supports workflows integrating human security operators, crucial for adjudicating ambiguous, context-dependent attacks.
Theoretical Implications
The embedding-first, LLM-fallback resolution advances hybrid detection architectures. The outcome suggests that pure rule-based or pure generative approaches underperform on complex, context-rich attack classes—advocating for continued research in composite, context- and semantic-aware filtering, especially as threat actors exploit LLM/agent chains.
Limitations
- Semantic and Tool Poisoning Recall: Coverage in these domains is limited, indicating the need for continual enrichment of attack corpora and the exploration of more sophisticated neural semantic models.
- Dataset Distribution: Coverage for rare classes (e.g., tool shadowing, privilege escalation) is insufficient.
- Generalization: All benchmarks are on static, predominantly English datasets, with untested generalization to dynamic, multi-lingual, multi-agent or adversarially adaptive environments.
Future Directions
CASCADE’s modular design permits straightforward extension:
- Integration of more diverse LLMs (GPT-4, Claude, Mistral) as auxiliary judges may enhance detection at Layer 2.
- Tool-specific or schema-aware detectors could augment recall on poisoning attacks.
- Adopting adversarial training and data augmentation with automatically synthesized attacks may evince further robustness, especially for low-frequency/novelty attacks.
- Evaluating in real-time MCP orchestration contexts with cross-agent, cross-server communication is critical for practical assurance.
Conclusion
CASCADE presents a privacy-centric, hybrid defense for MCP-enabled LLM agents, achieving state-of-the-art FPR while maintaining high precision and practical recall across high-impact attack classes. The architecture substantiates the necessity of compositional approaches—merging symbolic and neural techniques—for resilient LLM security in the presence of advanced adversaries. Future research should target improved generalization for semantic and meta-protocol attacks, tool-specific adaptation, and broader benchmarking to solidify MCP agent trust boundaries (2604.17125).