LLM agents are highly vulnerable to Indirect Prompt Injection (IPI), where adversaries embed malicious directives in untrusted tool outputs to hijack execution. Most existing defenses treat IPI as an input-level semantic discrimination problem, which often fails to generalize to unseen payloads. We propose a new paradigm, action-level causal attribution, which secures agents by asking why a particular tool call is produced. The central goal is to distinguish tool calls supported by the user's intent from those causally driven by untrusted observations. We instantiate this paradigm with AttriGuard, a runtime defense based on parallel counterfactual tests. For each proposed tool call, AttriGuard verifies its necessity by re-executing the agent under a control-attenuated view of external observations. Technically, AttriGuard combines teacher-forced shadow replay to prevent attribution confounding, hierarchical control attenuation to suppress diverse control channels while preserving task-relevant information, and a fuzzy survival criterion that is robust to LLM stochasticity. Across four LLMs and two agent benchmarks, AttriGuard achieves 0% ASR under static attacks with negligible utility loss and moderate overhead. Importantly, it remains resilient under adaptive optimization-based attacks in settings where leading defenses degrade significantly.

翻译：LLM智能体极易受到间接提示注入（IPI）攻击，攻击者将恶意指令嵌入不可信的工具输出中，以劫持执行流程。现有防御大多将IPI视为输入层语义判别问题，往往难以泛化至未知攻击载荷。我们提出一种新范式——动作层因果归因，通过追问"为何产生特定工具调用"来保障智能体安全。其核心目标在于区分由用户意图支撑的工具调用与由不可信观测因果驱动的工具调用。我们通过AttriGuard实例化该范式，这是一种基于并行反事实测试的运行时防御机制。针对每个待调用的工具，AttriGuard通过在外界观测的控制衰减视图下重新执行智能体来验证工具调用的必要性。技术上，AttriGuard融合了三项创新：采用教师强制影子重放以避免归因混淆、设计层级化控制衰减以抑制多元控制信道同时保留任务相关信息、建立对LLM随机性具有鲁棒性的模糊存活准则。在四种LLM和两个智能体基准测试中，AttriGuard在静态攻击下实现0%攻击成功率，同时保持可忽略的效用损失和适度的计算开销。更重要的是，在自适应优化攻击场景下，当主流防御性能显著下降时，该方法仍保持强韧性。