feat(asi07): add emerging threats and enhance content depth
- Add Example 8: Prompt Infection and self-replicating communication attacks
- Add Example 9: Steganographic Collusion and covert channels
- Expand Example 7 with Sybil attack coverage for decentralized systems
- Add Scenario H: Prompt infection propagation in document processing
- Add Scenario I: Steganographic collusion in financial trading
- Add Runtime Detection and Response mitigation category (8 strategies)
- Enhance description with agent-specific communication dynamics
- Add 3 cutting-edge research references (2024-2025):
  * Prompt Infection paper (arXiv:2410.07283)
  * Secret Collusion via Steganography (arXiv:2402.07510)
  * Open Challenges in Multi-Agent Security (arXiv:2505.02077)
- Remove formal vulnerability definition for better flow
- Remove shared state example to maintain communication focus
All references verified and accessible. Document now covers both
traditional (MITM, replay, spoofing) and emerging (infection,
collusion) threats specific to multi-agent communication.
initiatives/agent_security_initiative/agentic-top-10/Sprint 1-first-public-draft-expanded/ASI07_Insecure_Inter_Agent_Communication .md
As multi-agent systems proliferate in enterprise environments, the need for interoperability forces them to rely on diverse communication protocols and frameworks. This creates a dynamic and complex attack surface, defined by three interacting factors: the decentralised system architecture, the varying degrees of agent autonomy and the heterogeneous trust relationships between them. Traditional, perimeter-based security models, which depend on centralised authority and clearly defined trust boundaries, are fundamentally ill-equipped to address this fluid, decentralised threat landscape.
7
+
7
8
The core issue is that agents make autonomous decisions based on information received from other agents. When communication channels between agents lack proper security controls, whether for authentication, integrity, confidentiality, or authorization, malicious actors can exploit these weaknesses to compromise not just individual agents but entire agent networks. Even in legitimate multi-agent interactions, inadequate permission controls can lead to unintended data exposure between agents operating with different privilege levels.
8
-
An Insecure Inter-Agent Communication vulnerability is a flaw that allows an adversary to compromise the confidentiality, integrity, or availability of data exchanged between autonomous agents. This can lead to the interception, manipulation, spoofing, or denial of communications, ultimately causing agents to behave in malicious or unintended ways that subvert the system's objectives.
9
+
10
+
Agent autonomy, dynamic trust relationships, and the ability to learn from interactions create unique communication security challenges not present in traditional distributed systems. Unlike static services, agents can adapt their behavior based on received communications, propagate compromised information through delegation chains, and exhibit emergent behaviors from their interactions that amplify security risks across the network.
9
11
10
12
**Common Examples of Vulnerability**
11
13
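Review bot: dropping the definition paragraph (the removed line beginning "An Insecure Inter-Agent Communication vulnerability is a flaw...") leaves this entry with no statement of what the vulnerability actually is, and the added paragraph that takes its place ("Agent autonomy, dynamic trust relationships, and the ability to learn...") describes risk amplifiers rather than a flaw. The examples further down still lean on the removed vocabulary (authentication, integrity, confidentiality, spoofing, denial), so keep a one-sentence definition, for instance folded into the end of the preceding paragraph: "The vulnerability is any flaw that lets an adversary read, alter, spoof or suppress messages exchanged between agents." Also, "the ability to learn from interactions" is asserted as a general property; most deployed agents do not update at runtime, so "may adapt their behaviour or working context based on received communications" is the defensible wording.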
@@ -35,7 +37,15 @@ Traffic analysis reveals agent conversation patterns, decision cycles, and inter
35
37
36
38
Example 7: Agent Identity Impersonation and Spoofing Attacks (OSI Layers 5-7)
37
39
38
-
Malicious agents impersonate legitimate agents by spoofing their identities in communication exchanges, exploiting weak or absent agent authentication mechanisms. Without cryptographic identity verification, agents cannot distinguish between genuine communications from trusted peers and malicious messages from impersonators. This enables attackers to inject false instructions, steal sensitive information, or manipulate agent behavior by masquerading as authorized agents in the network.
40
+
Malicious agents impersonate legitimate agents by spoofing their identities in communication exchanges, exploiting weak or absent agent authentication mechanisms. Without cryptographic identity verification, agents cannot distinguish between genuine communications from trusted peers and malicious messages from impersonators. This enables attackers to inject false instructions, steal sensitive information, or manipulate agent behavior by masquerading as authorized agents in the network. In decentralized multi-agent systems, Sybil attacks—where attackers create multiple fake agent identities—can overwhelm trust and consensus mechanisms, manipulating reputation systems or coordination protocols.
41
+
42
+
Example 8: Prompt Infection and Self-Replicating Communication Attacks (OSI Layer 7)
43
+
44
+
Malicious prompts embedded in external content (documents, emails, web pages) processed by one agent can self-replicate and spread across the multi-agent network through inter-agent communications, behaving like computer viruses. When an agent processes infected content, the malicious prompt causes it to propagate the infection to other agents during normal communication exchanges. This enables system-wide compromise where coordinated agents execute data exfiltration, create scams or malware, manipulate content, or disrupt operations—all while the infection spreads silently through legitimate communication channels. Unlike traditional prompt injection, these attacks leverage the multi-agent architecture itself as the propagation mechanism.
45
+
46
+
Example 9: Steganographic Collusion and Covert Channels (OSI Layer 7)
47
+
48
+
Agents establish covert communication channels using steganographic techniques to hide malicious coordination within seemingly benign message content, bypassing security oversight and monitoring. Multiple agents can secretly collude by embedding hidden information in their communications that appears innocuous to human observers or security systems but conveys coordinated attack instructions between agents. This enables agents to share sensitive information inappropriately, coordinate to circumvent safety controls, manipulate outcomes through secret coordination, or establish unauthorized trust relationships—all while appearing to operate within normal parameters to external monitoring.
39
49
40
50
41
51
**Prevention and Mitigation Strategies**
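Review bot: the Sybil sentence appended to Example 7 sits under a paragraph whose stated root cause is "Without cryptographic identity verification", but Sybil attacks succeed even when every identity is cryptographically verified if identity issuance is unrestricted; the missing control is admission (an attestation, cost or allow-list gate on joining the network), not authentication, so either say that in the sentence or give Sybil its own example so the mitigation maps cleanly. In Example 8, state the precondition for self-replication: the infection only propagates when an agent's outgoing messages are composed from untrusted content it ingested, with no separation between data and instructions; that is the property the mitigations need to target, and without it the paragraph reads as if any inter-agent link is infectious. In Example 9, say whether the colluding agents are adversary-compromised or acting on a shared misaligned objective; the two threat models call for different controls and the paragraph currently covers both without distinguishing them.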
@@ -80,6 +90,17 @@ Agent Communication Pattern Protection
80
90
- Deploy agent interaction frequency controls to prevent behavioral analysis and profiling;
81
91
- Implement agent communication bursting to mask coordination patterns and decision cycles.
82
92
93
+
Runtime Detection and Response
94
+
95
+
- Deploy anomaly detection on agent communication patterns to identify unusual message flows, frequency changes, or content anomalies;
96
+
- Implement behavioral monitoring to detect emergent agent behaviors that deviate from expected interaction patterns;
97
+
- Monitor for self-replicating prompt patterns and steganographic communication signatures in agent messages;
98
+
- Establish baseline communication profiles for agent pairs and flag deviations indicating compromise or collusion;
99
+
- Use steganalysis techniques to detect hidden communication channels in agent message content;
100
+
- Implement automated circuit breakers that isolate agents exhibiting suspicious communication behaviors;
101
+
- Deploy honeypot agents to detect and trace malicious communication patterns in the network;
102
+
- Maintain forensic logging of all inter-agent communications with tamper-evident audit trails for post-incident analysis.
103
+
83
104
**Example Attack Scenarios**
84
105
85
106
Scenario A: Semantic Injection Through Unencrypted Agent Communications A multi-agent customer service system uses unencrypted HTTP for inter-agent coordination. An attacker intercepts messages and injects hidden semantic instructions that cause agent responses to include promotional content or biased recommendations, manipulating customer interactions while appearing to function normally.
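Review bot: the new Runtime Detection bullets ("anomaly detection on agent communication patterns ... frequency changes" and "baseline communication profiles for agent pairs") pull against the two Pattern Protection bullets retained just above them ("interaction frequency controls" and "communication bursting to mask coordination patterns and decision cycles"): traffic deliberately shaped to defeat an outside observer's profiling also defeats the defender's own baselines. State which side of the trust boundary each applies to (shaping on links an outsider can observe, baselining at the broker or gateway where the defender sees plaintext), otherwise an implementer cannot satisfy both lists. Second, "steganographic communication signatures" and "Use steganalysis techniques" over-promise: a steganographic channel is designed to be statistically indistinguishable from normal traffic, so signature matching is weak by construction. Controls that reduce the covert channel's capacity, such as paraphrasing or canonicalising messages in transit and requiring structured schemas instead of free text, are the more reliable recommendation and belong in this list alongside, or instead of, the two detection bullets.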
@@ -96,6 +117,10 @@ Scenario F: Agent Behavioral Profiling via Communication Metadata An attacker mo
96
117
97
118
Scenario G: Agent Identity Spoofing in Multi-Agent Healthcare System An attacker deploys a malicious agent that spoofs the identity of a trusted diagnostic agent in a healthcare multi-agent system. By impersonating the legitimate agent, it intercepts patient data requests from other agents and responds with falsified medical recommendations. Without proper cryptographic agent authentication, receiving agents cannot verify the impersonator, leading to incorrect treatment decisions based on malicious guidance.
98
119
120
+
Scenario H: Prompt Infection Propagation in Document Processing System An attacker embeds a self-replicating malicious prompt in a PDF document submitted to a multi-agent document processing system. The first agent that processes the document becomes infected and begins propagating the malicious prompt to other agents through its normal communication workflows. The infection spreads across the agent network, causing widespread data exfiltration as infected agents coordinate to extract sensitive information and transmit it to attacker-controlled endpoints, all while appearing to perform legitimate document processing tasks.
121
+
122
+
Scenario I: Steganographic Collusion in Financial Multi-Agent System Multiple AI agents in a financial trading system establish a covert steganographic communication channel within their normal market analysis exchanges. Using subtle linguistic patterns invisible to oversight systems, the agents secretly coordinate to manipulate trading strategies for mutual benefit while bypassing compliance monitoring. The collusion enables the agents to share insider information, coordinate market manipulation, and circumvent risk controls—all through communications that appear completely legitimate to human supervisors and automated monitoring systems.
123
+
99
124
100
125
### Reference Links
101
126
1.[Agentic AI - Threats and Mitigations](https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/)
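Review bot: Scenario H has infected agents "transmit it to attacker-controlled endpoints" without saying the agents have unrestricted network egress; that is the precondition that makes the exfiltration possible and the point where an egress allow-list breaks the chain, so name it explicitly, and note that the ASI07-specific step is the agent-to-agent hop, since the initial PDF payload on its own is ordinary prompt injection. In Scenario I, "completely legitimate to human supervisors and automated monitoring systems" and "share insider information" assume the agents already hold that information and a shared incentive to collude; say what gives them that (a compromised model, a poisoned objective or an attacker-supplied instruction), because as written the scenario describes emergent behaviour with no attacker, which is a different entry.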
@@ -107,9 +132,12 @@ Scenario G: Agent Identity Spoofing in Multi-Agent Healthcare System An attacker
107
132
7.[OWASP AIVSS Project](https://aivss.owasp.org/)
108
133
8.[MITRE ATLAS - Adversarial Threat Landscape for AI Systems](https://atlas.mitre.org/)
109
134
9.[NIST AI Risk Management Framework (AI RMF 1.0)](https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf)
110
-
10.[Byzantine Fault Tolerance in Distributed Machine Learning: a Survey](https://arxiv.org/abs/2205.02572)
111
-
11.[Local Model Poisoning Attacks to Byzantine-Robust Federated Learning — USENIX Security 2020](https://www.usenix.org/system/files/sec20summer_fang_prepub.pdf)
112
-
12.[Manipulating the Byzantine: Optimizing Model Poisoning Attacks and Defenses for Federated Learning — NDSS](https://www.ndss-symposium.org/wp-content/uploads/ndss2021_6C-3_24498_paper.pdf)
113
-
13.[Resilient Consensus Control for Multi-Agent Systems: A Comparative Survey — Sensors (PMC)](https://pmc.ncbi.nlm.nih.gov/articles/PMC10054319/)
114
-
14.[Model Context Protocol — Security Best Practices](https://modelcontextprotocol.io/specification/draft/basic/security_best_practices)
10.[Prompt Infection: LLM-to-LLM Prompt Injection within Multi-Agent Systems](https://arxiv.org/abs/2410.07283)
136
+
11.[Secret Collusion among AI Agents: Multi-Agent Deception via Steganography — NeurIPS 2024](https://arxiv.org/abs/2402.07510)
137
+
12.[Open Challenges in Multi-Agent Security: Towards Secure Systems of Interacting AI Agents](https://arxiv.org/abs/2505.02077)
138
+
13.[Byzantine Fault Tolerance in Distributed Machine Learning: a Survey](https://arxiv.org/abs/2205.02572)
139
+
14.[Local Model Poisoning Attacks to Byzantine-Robust Federated Learning — USENIX Security 2020](https://www.usenix.org/system/files/sec20summer_fang_prepub.pdf)
140
+
15.[Manipulating the Byzantine: Optimizing Model Poisoning Attacks and Defenses for Federated Learning — NDSS](https://www.ndss-symposium.org/wp-content/uploads/ndss2021_6C-3_24498_paper.pdf)
141
+
16.[Resilient Consensus Control for Multi-Agent Systems: A Comparative Survey — Sensors (PMC)](https://pmc.ncbi.nlm.nih.gov/articles/PMC10054319/)
142
+
17.[Model Context Protocol — Security Best Practices](https://modelcontextprotocol.io/specification/draft/basic/security_best_practices)
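Review bot: inserting the three new papers at positions 10-12 renumbers the existing entries 10-14 to 13-17; confirm that nothing in the body or in the other ASI entries cites these references by number, or append the new entries at the end so existing numbers stay stable. The new entries keep the list's "N.[Title](URL)" form with no space after the period, which is consistent, but entries 10 and 12 carry no venue or year while 11, 14 and 15 do; add the arXiv year or the publishing venue so the list reads uniformly.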