@inproceedings{khan-etal-2026-adaptive,
    title = "The Adaptive Interrogator: Detecting Trojan {LLM}s in Multi-Agent Systems via Evolved Conversational Strategies",
    author = "Khan, Rana Muhammad Shahroz  and
      Zhang, Ruichen  and
      Tan, Zhen  and
      Fleming, Charles  and
      Chen, Tianlong",
    editor = "Liakata, Maria  and
      Moreira, Viviane P.  and
      Zhang, Jiajun  and
      Jurgens, David",
    booktitle = "Findings of the {A}ssociation for {C}omputational {L}inguistics: {ACL} 2026",
    month = jul,
    year = "2026",
    address = "San Diego, California, United States",
    publisher = "Association for Computational Linguistics",
    url = "https://preview.aclanthology.org/ingest-acl/2026.findings-acl.1348/",
    pages = "27029--27044",
    ISBN = "979-8-89176-395-1",
    abstract = "While Large Language Model (LLM) safety has focused on single-agent, white-box settings, the adoption of Multi-Agent Systems (MAS) creates a critical blind spot: $\textit{supply chain vulnerabilities in MAS ecosystems}$. These systems often rely on third-party agents accessed via black-box APIs, creating risks where attackers can embed hidden triggers to manipulate collective reasoning or outputs. Because internal weights are inaccessible, traditional white-box defenses fail to detect these threats. Consequently, a critical gap exists in auditing these systems for ``Trojan'' agents, $\textit{i.e.}$, malicious models that behave normally until triggered by specific, often multi-turn, conversational contexts. To bridge this gap, we introduce the $\textbf{C}$onversational $\textbf{T}$rojan $\textbf{U}$nmasking $\textbf{S}$ystem ($\textbf{CTUS}$), a black-box auditing framework that leverages an Evolutionary Algorithm (EA) to autonomously expose hidden threats. Drawing on social deduction mechanics, CTUS deploys a ``Judge'' agent to evolve conversational probes that provoke Trojan agents into revealing their malicious nature without alerting benign peers. We validate CTUS across diverse architectures (Llama-2/3, Gemma, Mistral) and attack vectors (word, syntax, semantic, RLHF). Our results demonstrate that CTUS achieves superior detection rates (up to 100{\%} in specific configurations). Furthermore, we conduct rigorous analyses to confirm the framework{'}s robustness, exhibiting negligible false positives on benign systems and stability across system configurations, establishing CTUS as a scalable safeguard for the multi-agent landscape."
}