Papers
Topics
Authors
Recent
Search
2000 character limit reached

CASCADE: A Cascaded Hybrid Defense Architecture for Prompt Injection Detection in MCP-Based Systems

Published 18 Apr 2026 in cs.CR and cs.AI | (2604.17125v1)

Abstract: Model Context Protocol (MCP) is a rapidly adopted standard for defining and invoking external tools in LLM applications. The multi-layered architecture of MCP introduces new attack surfaces such as tool poisoning, in addition to traditional prompt injection. Existing defense systems suffer from limitations including high false positive rates, API dependency, or white-box access requirements. In this study, we propose CASCADE, a three-tiered cascaded defense architecture for MCP-based systems: (i) Layer 1 performs fast pre-filtering using regex, phrase weighting, and entropy analysis; (ii) Layer 2 conducts semantic analysis via BGE embedding with an Ollama Llama3 fallback mechanism; (iii) Layer 3 applies pattern-based output filtering. Evaluation on a dataset of 5,000 samples yielded 95.85% precision, 6.06% false positive rate, 61.05% recall, and 74.59% F1-score. Analysis across 31 attack types categorized into 6 tiers revealed high detection rates for data exfiltration (91.5%) and prompt injection (84.2%), while semantic attack (52.5%) and tool poisoning (59.9%) categories showed potential for improvement. A key advantage of CASCADE over existing solutions is its fully local operation, requiring no external API calls

Summary

  • The paper presents a cascaded hybrid architecture that detects prompt injection and tool poisoning in MCP-based LLM systems.
  • It employs a three-tier pipeline—regex pre-filtering, semantic judgment using local LLMs, and output filtering—to ensure efficiency, precision, and privacy.
  • Experimental results demonstrate high precision (95.85%) and low false positives (6.06%), though challenges remain with semantic attack recall.

CASCADE: A Hybrid Cascaded Defense Architecture for Prompt Injection and Tool Poisoning in MCP LLM Systems

Introduction: Threats in MCP-Enabled LLM Ecosystems

The deployment of the Model Context Protocol (MCP) has introduced a versatile interface for connecting LLMs to external tools, thereby expanding capabilities for complex task automation. However, this architectural enhancement has also magnified the attack surface—introducing tool poisoning and novel forms of prompt injection unattainable in traditional LLM setups. Figure 1 delineates the classical LLM pipeline with a singular attack vector, while Figure 2 highlights the considerably broader attack perimeter in MCP-based systems due to multi-tier tool mediation and metadata exposure. Figure 1

Figure 1: Inference pipeline and security boundary of a traditional LLM architecture.

Figure 2

Figure 2: The attack surface complexity of MCP-based systems compared to monolithic LLM architectures.

Persistent vulnerabilities such as prompt injection, tool poisoning (including subtypes like rug pulls and schema poisoning), indirect injection, and data exfiltration, are critically prevalent, with empirical attack success rates exceeding 70% on real-world LLM agent testbeds. Existing countermeasures are systematically insufficient—suffering from high false positive rates, reliance on external APIs, or infeasibility in black-box settings.

CASCADE Architecture: Layered, Fully-Local Defense

CASCADE operationalizes a three-tier hybrid detection pipeline. Each layer incrementally mediates the trade-off between computational efficiency, detection coverage, and privacy, as illustrated in Figure 3. Figure 3

Figure 3: The CASCADE three-layer security architecture for MCP-based LLM systems.

Layer 1: Fast Pre-Filter

Layer 1 executes regex-centric, phrase-weighted, and entropy-based filtering after rigorous normalization, glyph unification, and obfuscation decoding. With over 100 regex templates across seven attack classes, this layer distinguishes direct/indirect/hybrid injections via contextual and governance lexemes. Risk scoring dictates immediate blocking for high-confidence matches.

Layer 2: Semantic Judge

Inputs surviving Layer 1 are semantically analyzed via BGE embedding similarity to attack archetypes. Ambiguous cases invoke a Llama3-based local LLM for secondary verification, operating strictly “on-prem” to maintain data sovereignty. Decisions are tri-valued: BLOCK, ALLOW, or REVIEW (human-in-the-loop).

Layer 3: Output Filter

Layer 3 introspects all generated outputs prior to externalization. Multi-modal pattern recognition—covering secret detection, credential regex, and entropy checks—prevents outbound data exfiltration and indirect injection.

The full pipeline imposes no external API dependencies, ensuring high-throughput operation and adherence to strict data privacy constraints.

Experimental Results: Attack Coverage and Usability

The evaluation employs a dataset of 5,000 samples, aggregating benign and malicious inputs from GitHub Adversarial, VulnerableMCP, and OWASP sources, with real-world attack distributions.

Key outcomes:

  • Precision: 95.85%
  • False Positive Rate: 6.06%
  • Recall: 61.05%
  • F1-score: 0.7459
  • Specificity: 93.94%

CASCADE yields high detection in data exfiltration (91.5%) and prompt injection (84.2%), contrasting with lower recall on semantic attacks (52.5%) and tool poisoning (59.9%).

All false positives originated in direct injection patterns due to ambiguity between benign and nefarious intent—a non-negligible source of usability cost but a marked improvement over previously reported FPR values exceeding 90% in API/LLM-based solutions.

Implications and Limitations

Practical Implications

  • Deployment: The local design ensures applicability in regulated environments where data egress is prohibited.
  • Usability: The reduction in FPR to 6.06% renders CASCADE viable for deployment compared to prior frameworks with prohibitive false detection rates.
  • Human-AI Teaming: The explicit REVIEW verdict supports workflows integrating human security operators, crucial for adjudicating ambiguous, context-dependent attacks.

Theoretical Implications

The embedding-first, LLM-fallback resolution advances hybrid detection architectures. The outcome suggests that pure rule-based or pure generative approaches underperform on complex, context-rich attack classes—advocating for continued research in composite, context- and semantic-aware filtering, especially as threat actors exploit LLM/agent chains.

Limitations

  • Semantic and Tool Poisoning Recall: Coverage in these domains is limited, indicating the need for continual enrichment of attack corpora and the exploration of more sophisticated neural semantic models.
  • Dataset Distribution: Coverage for rare classes (e.g., tool shadowing, privilege escalation) is insufficient.
  • Generalization: All benchmarks are on static, predominantly English datasets, with untested generalization to dynamic, multi-lingual, multi-agent or adversarially adaptive environments.

Future Directions

CASCADE’s modular design permits straightforward extension:

  • Integration of more diverse LLMs (GPT-4, Claude, Mistral) as auxiliary judges may enhance detection at Layer 2.
  • Tool-specific or schema-aware detectors could augment recall on poisoning attacks.
  • Adopting adversarial training and data augmentation with automatically synthesized attacks may evince further robustness, especially for low-frequency/novelty attacks.
  • Evaluating in real-time MCP orchestration contexts with cross-agent, cross-server communication is critical for practical assurance.

Conclusion

CASCADE presents a privacy-centric, hybrid defense for MCP-enabled LLM agents, achieving state-of-the-art FPR while maintaining high precision and practical recall across high-impact attack classes. The architecture substantiates the necessity of compositional approaches—merging symbolic and neural techniques—for resilient LLM security in the presence of advanced adversaries. Future research should target improved generalization for semantic and meta-protocol attacks, tool-specific adaptation, and broader benchmarking to solidify MCP agent trust boundaries (2604.17125).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.