MindGuard: Decision-Level Security
- MindGuard is a decision-level security system that defends LLM agents by tracking decision provenance via a Decision Dependence Graph.
- It distinguishes poisoned decision signals from normal execution patterns, addressing vulnerabilities that traditional behavior-level monitoring misses.
- The system employs attention-based aggregation and anomaly influence ratios to effectively detect and attribute malicious tool metadata.
Searching arXiv for the specified MindGuard paper and closely related guardrail work. MindGuard is a decision-level security system for MCP-based LLM agents designed to defend against Tool Poisoning Attacks (TPA), a class of attacks in which a malicious MCP server poisons tool metadata so that the agent is manipulated into making unauthorized tool-call decisions. Its central claim is that behavior-level defenses are fundamentally ineffective against TPA because poisoned tools need not be executed: the attack can succeed by corrupting the planner’s internal reasoning and thereby inducing a legitimate but inappropriate tool call or malicious arguments for a legitimate tool. MindGuard addresses this by providing provenance tracking of call decisions, policy-agnostic detection, and poisoning source attribution through an attention-derived representation called the Decision Dependence Graph (DDG) (Wang et al., 28 Aug 2025).
1. Threat model and the shift from behavior-level to decision-level security
The system is motivated by the Model Context Protocol’s tool-registration design, which injects tool descriptions directly into the LLM’s context. In MindGuard’s threat model, the user is honest, the MCP host is honest but vulnerable, trusted servers provide legitimate tools, and malicious servers can register poisoned tools with arbitrary metadata. The attacker’s goal is to induce a call decision
The paper emphasizes two attack patterns: A1, explicit invocation hijacking, in which the model is pushed to call a completely different tool than the user intended, and A2, implicit parameter manipulation, in which the tool choice is correct but the arguments are malicious (Wang et al., 28 Aug 2025).
This threat is framed as a modern Confused Deputy problem. A poisoned tool often never needs to be invoked: it is sufficient that its metadata alters the model’s internal planning state. Because of that, systems that monitor only observable execution behavior can see an apparently valid call chain and still miss that the decision was poisoned. This is the paper’s key distinction between behavior-level monitoring and decision-level security. The former inspects what was executed; the latter inspects the provenance of why that decision was made.
A common misconception is that tool poisoning should be detectable by post hoc behavioral auditing in the same way as prompt injection or anomalous tool execution. MindGuard is explicitly built against that assumption. Its argument is that TPA happens before execution, at the point where tool metadata has already shaped the planner’s decision. This suggests that call provenance, rather than execution trace alone, is the relevant security object.
2. Decision Dependence Graph as an attention-based provenance model
MindGuard’s technical core is the Decision Dependence Graph (DDG), which adapts the classical Program Dependence Graph (PDG) to probabilistic LLM decision-making. The system uses attention as an empirical signal for decision tracking. The paper does not claim that attention is perfectly causal, but reports that when a tool meaningfully influences the final call, that tool’s context receives conspicuous attention activation; when it does not influence the call, the attention is negligible. In poisoned invocations, an uninvoked malicious tool produces a strong and anomalous attention footprint (Wang et al., 28 Aug 2025).
The DDG is defined as a weighted, directed graph
where
Here is the user query, are all registered tools, are prior tool execution results, and are the two target vertices: the invoked tool name and the invocation arguments. The edge set satisfies
and each edge has a nonnegative weight that measures influence from source concept 0 to target concept 1 (Wang et al., 28 Aug 2025).
A distinctive design choice is the separation of the output into two target vertices. The invoked tool name vertex 2 captures semantic reasoning about what tool to choose, while the invoked arguments vertex 3 captures parameter generation, which often looks more like copying from context. The paper argues that combining them can hide subtle reasoning signals behind strong copying signals.
The DDG is also decomposed into two security-relevant views. The subgraph of edges targeting 4 functions as a Control Flow Graph, answering “who controlled the tool choice?” The subgraph of edges targeting 5 functions as a Data Flow Graph, answering “where did the parameter data originate?” This allows DDG to be related to classical integrity policies such as CFI and DFI. In the paper’s examples, an anomalous edge from a malicious tool to the invoked tool name violates CFI, while an anomalous edge from a malicious tool to an argument such as recipient violates DFI.
3. Context parsing and DDG construction
MindGuard consists of three main modules: Context Parser, DDG Builder, and Anomaly-aware Defender. The Context Parser extracts the logical vertices from the LLM context and maps them to token spans. It parses the user query, each tool description, prior tool results, and the output call. The target vertex 6 corresponds to the pre-argument invocation block, namely the tokens from the start of the output up to and including the tool name, while 7 corresponds to the generated argument values (Wang et al., 28 Aug 2025).
The DDG Builder converts raw attention into weighted edges through a three-step pipeline: Sink Filter, Attention Partition, and TAE Aggregation. Attention from all layers is first combined using a Gaussian-weighted sum, with the middle layers emphasized because they are thought to encode the most important semantic and inferential relations. The resulting combined attention matrix is denoted 8.
The paper identifies two forms of noise that must be removed before provenance analysis: the attention sink phenomenon, in which tokens attract attention because of model mechanics rather than semantics, and low-value activations accumulation, in which many small scores can sum to a misleading aggregate after concept-level grouping. The sink filter first computes total received attention for each input token,
9
selects the top-0 tokens by cumulative activation, and then computes normalized entropy
1
where
2
If 3, the token is treated as a sink and its column is zeroed in the attention matrix. The fixed hyperparameters used in experiments are 4 and 5 (Wang et al., 28 Aug 2025).
After filtering, Attention Partition extracts a submatrix for each source-target pair,
6
with rows indexed by the target token span and columns indexed by the source token span. For each valid pair, the graph adds an edge 7. The edge weight is then computed by Total Attention Energy (TAE),
8
The paper presents TAE as a signal-processing-inspired aggregation that improves signal-to-noise ratio and avoids many tiny irrelevant activations summing into a false signal. After normalization, these weights become the DDG edge weights 9.
4. Detection, attribution, and policy-based guarantees
MindGuard formalizes decision-level security through an influence function. Given a tool call 0, the influence of a source context 1 on the call is denoted 2. The paper defines a call as secure if, for malicious tools,
3
It also gives a policy-based version: with a policy function
4
a call is secure if for all forbidden sources 5, 6 (Wang et al., 28 Aug 2025).
The paper first introduces a naive detection rule,
7
This is motivated by the intuition that an uninvoked tool should not strongly influence the output while the user query remains weak. However, because MCP servers differ in the number of tools and in description style, absolute thresholds are difficult to tune globally.
MindGuard therefore replaces this with the Anomaly Influence Ratio (AIR),
8
AIR is a relative, context-adaptive measure that normalizes influence from an uninvoked tool by the combined influence from the user query and the invoked tool’s own description. An edge 9 is anomalous if 0 exceeds a single threshold 1. When such an anomalous edge is found, the tool corresponding to 2 is identified as the poisoned source (Wang et al., 28 Aug 2025).
The paper further states that any tool call passing AIR detection satisfies the policy-based decision-level security guarantee when the policy is interpreted as “forbidden sources are all uninvoked tools.” In a case study involving CaMeL’s sender policy, where recipients must come from the user, DDG exposes that the generated argument has strong anomalous influence from the poisoned tool, allowing the call to be denied before execution. This suggests that MindGuard is not only a detector but also an enforcement substrate for higher-level policy systems.
5. Evaluation, ablations, and operational characteristics
The main benchmark is MCPTox, described as the first benchmark designed specifically for tool poisoning attacks. Because MCPTox’s normal examples still occur in poisoned contexts, the paper also constructs a clean dataset from ToolACE by taking the first turn and reformatting it into MCP style. Evaluation spans Qwen3-8b, Qwen3-14b, Phi-4, Mistral-7b, and Gemma2-9b, with and without Chain-of-Thought mode. The primary metrics are detection accuracy 3, average precision 4, area under the ROC curve 5, and attribution accuracy 6; the paper also reports TPR, FPR, and 7 (Wang et al., 28 Aug 2025).
On the main MCPTox setting, MindGuard achieves an average detection accuracy of 95.3%, average AP of 93.2%, and average AUC of 96.5%. On the clean dataset, AP and AUC are consistently above 94% and in some cases above 99%. For attribution, the reported results are near-perfect on several models—100% on Qwen3-8b, Qwen3-14b, and Gemma2-9b—and the average attribution accuracy across all tested models is 98.6%. The detailed model results include: Qwen3-8b with 8, 9, 0, 1; Qwen3-8b with CoT at 2, 3, 4, 5; and Gemma2-9b at 6, 7, 8, 9 (Wang et al., 28 Aug 2025).
The threshold trade-off is reported explicitly. On Qwen3-8b, 0 yields 91.2% TPR with 0.9% FPR on the poisoned-context benchmark and 0.0% FPR on the clean benchmark. The paper uses this to argue that the system can be tuned for strong security with little disruption.
Ablation results are central to the paper’s methodology claims. Removing the sink filter causes the biggest drop; one-stage filtering harms generalization; replacing TAE with simple sum aggregation reduces performance; and using a unified vertex for tool name and arguments hurts because it masks subtle reasoning signals. The system is also reported to be robust to the number of tools registered in context, robust across sink-filter hyperparameters for 1 from 25 to 200 and 2, and more consistent across MCP servers when AIR is used rather than raw attention scores. Operationally, MindGuard adds less than 5% extra time, keeps under one second average latency, and incurs zero additional token cost because it reuses attention from the original reasoning pass (Wang et al., 28 Aug 2025).
6. Limits, broader significance, and name ambiguity
The paper is explicit that the defense is heuristic because attention is not strictly causal. It does not claim universal theoretical guarantees or perfect detection. It discusses an adaptive attacker who might attempt an attention minimization attack by crafting a subtler payload that changes the decision without producing obvious attention spikes. The authors argue that this is practically difficult because a successful poisoning attack must still meaningfully redirect the model’s decision, which should leave some aggregate attention footprint, especially when attention is pooled across layers and heads. The current system is therefore best suited to providers or operators who can inspect internal attention, and future work is described as extending DDG-style auditing to multi-turn adversarial behaviors such as ROP-like attacks (Wang et al., 28 Aug 2025).
Within the MCP security literature, MindGuard occupies the runtime intent-verification layer. The MCP Systematization of Knowledge treats tool poisoning as a structural vulnerability of MCP Tools and surveys MindGuard as a runtime guardrail that tracks the provenance of tool-call decisions via DDG, alongside cryptographic provenance mechanisms such as ETDI (Gaire et al., 9 Dec 2025). This suggests that MindGuard is most naturally understood as complementary to signed manifests, capability scoping, host-side policy gates, and isolation mechanisms: it addresses the provenance of the model’s decision rather than the authenticity of tool metadata alone.
The name is also ambiguous in the broader literature. A separate 2024 paper titled “MindGuard: Towards Accessible and Sitgma-free Mental Health First Aid via Edge LLM” describes an accessible, stigma-free, and professional mobile mental healthcare system designed to provide mental health first aid through an edge LLM that integrates objective mobile sensor data with subjective Ecological Momentary Assessment records (Ji et al., 2024). In contemporary agent-security research, however, MindGuard most commonly refers to the MCP decision-level guardrail for tracking, detecting, and attributing tool poisoning attacks (Wang et al., 28 Aug 2025).