Agentic computing systems, which autonomously spawn new functionalities based on natural language instructions, are becoming increasingly prevalent. While immensely capable, these systems raise serious security, privacy, and safety concerns. Fundamentally, the full set of functionalities offered by these systems, combined with their probabilistic execution flows, is not known beforehand. Given this lack of characterization, it is non-trivial to validate whether a system has successfully carried out the user's intended task or instead executed irrelevant actions, potentially as a consequence of compromise. In this paper, we propose Agent-Sentry, a framework that attempts to bound agentic systems to address this problem. Our key insight is that agentic systems are designed for specific use cases and therefore need not expose unbounded or unspecified functionalities. Once bounded, these systems become easier to scrutinize. Agent-Sentry operationalizes this insight by uncovering frequent functionalities offered by an agentic system, along with their execution traces, to construct behavioral bounds. It then learns a policy from these traces and blocks tool calls that deviate from learned behaviors or that misalign with user intent. Our evaluation shows that Agent-Sentry helps prevent over 90\% of attacks that attempt to trigger out-of-bounds executions, while preserving up to 98\% of system utility.

翻译：智能计算系统能够根据自然语言指令自主生成新功能，正变得越来越普遍。尽管这些系统能力强大，却引发了严重的安全、隐私和可靠性问题。从根本上说，这些系统提供的全部功能集及其概率性执行流在事前是未知的。由于缺乏这种特征描述，验证系统是否成功执行了用户预期的任务，或者是否因被攻陷而执行了无关动作，变得异常困难。在本文中，我们提出Agent-Sentry框架，该框架试图通过约束智能体系统来解决这一问题。我们的核心洞察是：智能体系统是为特定用例设计的，因此无需暴露无界或未指定的功能。一旦被约束，这些系统就更容易被审查。Agent-Sentry通过挖掘智能体系统提供的频繁功能及其执行轨迹来构建行为边界，从而将这一洞察付诸实践。随后，它从这些轨迹中学习策略，并阻断偏离学习行为或与用户意图不符的工具调用。评估结果表明，Agent-Sentry能帮助防御超过90%试图触发越界执行的攻击，同时保留高达98%的系统效用。