Multi-agent systems, powered by large language models, have shown great abilities across various tasks due to the collaboration of expert agents, each focusing on a specific domain. However, when agents are deployed separately, there is a risk that malicious users may introduce malicious agents who generate incorrect or irrelevant results that are too stealthy to be identified by other non-specialized agents. Therefore, this paper investigates two essential questions: (1) What is the resilience of various multi-agent system structures (e.g., A$\rightarrow$B$\rightarrow$C, A$\leftrightarrow$B$\leftrightarrow$C) under malicious agents, on different downstream tasks? (2) How can we increase system resilience to defend against malicious agents? To simulate malicious agents, we devise two methods, AutoTransform and AutoInject, to transform any agent into a malicious one while preserving its functional integrity. We run comprehensive experiments on four downstream multi-agent systems tasks, namely code generation, math problems, translation, and text evaluation. Results suggest that the "hierarchical" multi-agent structure, i.e., A$\rightarrow$(B$\leftrightarrow$C), exhibits superior resilience with the lowest performance drop of $23.6\%$, compared to $46.4\%$ and $49.8\%$ of other two structures. Additionally, we show the promise of improving multi-agent system resilience by demonstrating that two defense methods, introducing a mechanism for each agent to challenge others' outputs, or an additional agent to review and correct messages, can enhance system resilience. Our code and data are available at https://github.com/CUHK-ARISE/MAS-Resilience.

翻译：基于大型语言模型的多智能体系统通过领域专家智能体的协同合作，已在各类任务中展现出卓越能力。然而，当智能体被独立部署时，恶意用户可能引入生成错误或无关结果的恶意智能体，这些结果因隐蔽性过高而难以被其他非专业智能体识别。为此，本文探究两个核心问题：(1) 不同下游任务中，各类多智能体系统结构（如 A$\rightarrow$B$\rightarrow$C、A$\leftrightarrow$B$\leftrightarrow$C）在恶意智能体攻击下的鲁棒性如何？(2) 如何提升系统鲁棒性以抵御恶意智能体？为模拟恶意智能体，我们设计了 AutoTransform 与 AutoInject 两种方法，可在保持功能完整性的前提下将任意智能体转化为恶意智能体。我们在代码生成、数学问题求解、文本翻译和文本评估四个下游多智能体系统任务上进行了全面实验。结果表明，层级化多智能体结构 A$\rightarrow$(B$\leftrightarrow$C) 展现出最优鲁棒性，其性能下降幅度最低（$23.6\%$），而其他两种结构的下降幅度分别为 $46.4\%$ 与 $49.8\%$。此外，我们通过两种防御方法验证了提升系统鲁棒性的可行性：一是为每个智能体引入质疑其他智能体输出的机制，二是增设专门审核修正消息的额外智能体。本研究的代码与数据已公开于 https://github.com/CUHK-ARISE/MAS-Resilience。