A-MemGuard: A Proactive Defense Framework for LLM-Based Agent Memory
Problem Statement
LLM agents increasingly rely on persistent memory to plan and act autonomously, but this creates a serious attack surface: adversaries can plant innocuous-looking records that only trigger malicious behavior in specific contexts, evading per-entry audits. Worse, once triggered, the corrupted outcome gets stored as precedent, creating a self-reinforcing error cycle that amplifies harm and lowers the bar for future attacks—a dynamic threat that existing static, filter-based defenses fail to address.
Key Novelty
- First proactive defense framework specifically designed for LLM agent memory, shifting from static one-time filtering to an ongoing, experience-driven security model
- Consensus-based validation that detects anomalous or manipulated memories by comparing reasoning paths derived from multiple related memory entries, rather than auditing entries in isolation
- Dual-memory architecture that distills detected failures into reusable 'lessons' consulted before future actions, explicitly designed to break self-reinforcing error cycles
- Defense is bolted onto the agent's memory pipeline without requiring modification of the underlying agent architecture, easing adoption
Evaluation Highlights
- Reduces attack success rate by over 95% across multiple benchmarks
- Achieves this security gain with minimal utility cost to normal agent performance
Signal Assessment
Methodology
- Characterize the threat model: context-activated malicious memory injections that evade isolated auditing and create self-reinforcing error cycles once triggered
- Apply consensus-based validation by deriving reasoning paths from multiple related memories and flagging inconsistencies/anomalies indicative of manipulation
- Route detected failures into a separate 'lesson' memory store, distilling the failure into a generalized cautionary insight
- Consult the lesson store before future action planning to preempt repetition of the same manipulation, thereby breaking the error-amplification cycle
- Evaluate attack success rate and utility cost across multiple agent benchmarks against baseline (undefended) memory systems
System Components
Cross-references reasoning paths derived from multiple related memory entries to detect anomalies that would be invisible when auditing a single memory record in isolation
Maintains a standard operational memory alongside a separate 'lesson' memory, isolating distilled failure knowledge from raw experience records
Converts detected attack/failure instances into generalized, reusable lessons rather than simply deleting or flagging the offending memory
Checks candidate action plans against the lesson store before execution, proactively preventing recurrence of previously identified manipulations
Results
| Metric | Undefended Baseline | A-MemGuard | Delta |
|---|---|---|---|
| Attack Success Rate (memory injection attacks) | High (no protection) | Reduced substantially | >95% reduction |
| Agent Utility / Task Performance | Reference (undefended) performance | Near-parity with baseline | Minimal utility cost |
Key Takeaways
- Memory poisoning is a distinct and growing threat vector for agentic LLM systems that static, entry-level filtering cannot adequately address
- Validating memories by comparing reasoning paths across related entries (consensus checking) can surface context-dependent manipulations invisible to single-record audits
- Separating 'lessons learned from failures' into their own memory store, consulted before acting, is an effective way to prevent repeated or escalating attacks
- Defenses that don't require modifying the base agent architecture are more practical to retrofit into existing production agent systems
- Security for memory-augmented agents should be designed as an adaptive, experience-driven process rather than a one-time static safeguard
Abstract
Large Language Model (LLM) agents use memory to learn from past interactions, enabling autonomous planning and decision-making in complex environments. However, this reliance on memory introduces a critical security risk: an adversary can inject seemingly harmless records into an agent's memory to manipulate its future behavior. This vulnerability is characterized by two core aspects: First, the malicious effect of injected records is only activated within a specific context, making them hard to detect when individual memory entries are audited in isolation. Second, once triggered, the manipulation can initiate a self-reinforcing error cycle: the corrupted outcome is stored as precedent, which not only amplifies the initial error but also progressively lowers the threshold for similar attacks in the future. To address these challenges, we introduce A-MemGuard (Agent-Memory Guard), the first proactive defense framework for LLM agent memory. The core idea of our work is the insight that memory itself must become both self-checking and self-correcting. Without modifying the agent's core architecture, A-MemGuard combines two mechanisms: (1) consensus-based validation, which detects anomalies by comparing reasoning paths derived from multiple related memories and (2) a dual-memory structure, where detected failures are distilled into ``lessons''stored separately and consulted before future actions, breaking error cycles and enabling adaptation. Comprehensive evaluations on multiple benchmarks show that A-MemGuard effectively cuts attack success rates by over 95% while incurring a minimal utility cost. This work shifts LLM memory security from static filtering to a proactive, experience-driven model where defenses strengthen over time. Our code is available in https://github.com/TangciuYueng/AMemGuard