Autonomous AI agents executing multi-step tool sequences face semantic attacks that manifest in behavioral traces rather than isolated prompts. A critical challenge is cross-attack generalization: can detectors trained on known attack families recognize novel, unseen attack types? We discover that standard conversational tokenization -- capturing linguistic patterns from agent interactions -- fails catastrophically on structural attacks like tool hijacking (AUC 0.39) and data exfiltration (AUC 0.46), while succeeding on linguistic attacks like social engineering (AUC 0.78). We introduce structural tokenization, encoding execution-flow patterns (tool calls, arguments, observations) rather than conversational content. This simple representational change dramatically improves cross-attack generalization: +46 AUC points on tool hijacking, +39 points on data exfiltration, and +71 points on unknown attacks, while simultaneously improving in-distribution performance (+6 points). For attacks requiring linguistic features, we propose gated multi-view fusion that adaptively combines both representations, achieving AUC 0.89 on social engineering without sacrificing structural attack detection. Our findings reveal that AI agent security is fundamentally a structural problem: attack semantics reside in execution patterns, not surface language. While our rule-based tokenizer serves as a baseline, the structural abstraction principle generalizes even with simple implementation.

翻译：执行多步骤工具序列的自主AI智能体面临语义攻击，这些攻击体现在行为轨迹而非孤立提示中。一个关键挑战是跨攻击泛化：在已知攻击家族上训练的检测器能否识别新型未见攻击类型？我们发现，标准对话分词方法（从智能体交互中捕捉语言模式）在工具劫持（AUC 0.39）和数据窃取（AUC 0.46）等结构性攻击上完全失效，而在社会工程学（AUC 0.78）等语言攻击上表现良好。我们提出结构分词方法，编码执行流模式（工具调用、参数、观察结果）而非对话内容。这一简单的表征改变显著提升了跨攻击泛化能力：工具劫持攻击AUC提升46点，数据窃取攻击提升39点，未知攻击提升71点，同时提升分布内性能（+6点）。对于需要语言特征的攻击，我们提出门控多视图融合方法，自适应结合两种表征，在社会工程学攻击上达到AUC 0.89且不牺牲结构性攻击检测能力。我们的研究揭示AI智能体安全本质上是结构性问题：攻击语义存在于执行模式中，而非表层语言。虽然基于规则的分词器作为基线，但结构抽象原则即使通过简单实现也能保持泛化能力。