PrefixGuard: From LLM-Agent Traces to Online Failure-Warning Monitors
摘要
# Paper page - PrefixGuard: From LLM-Agent Traces to Online Failure-Warning Monitors Source: [https://huggingface.co/papers/2605.06455](https://huggingface.co/papers/2605.06455) ## Abstract PrefixGuard enables effective online monitoring of LLM agents through trace analysis and prefix\-based risk scoring, demonstrating strong performance across multiple benchmark tasks while providing diagnostic insights for alert reliability\. Large language model \(LLM\) agents now execute long, tool\-using ta
查看缓存全文
缓存时间: 2026/05/11 10:44
Paper page - PrefixGuard: From LLM-Agent Traces to Online Failure-Warning Monitors
Source: https://huggingface.co/papers/2605.06455
Abstract
PrefixGuard enables effective online monitoring of LLM agents through trace analysis and prefix-based risk scoring, demonstrating strong performance across multiple benchmark tasks while providing diagnostic insights for alert reliability.
Large language model (LLM) agents now execute long, tool-using tasks where final outcome checks can arrive too late for intervention. Online warning requires lightweightprefix monitorsover heterogeneous traces, but hand-authored event schemas are brittle and deployment-time LLM judging is costly. We introduce PrefixGuard, atrace-to-monitor frameworkwith an offlineStepView inductionstep followed by supervised monitor training. StepView induces deterministic typed-step adapters from raw trace samples, and the monitor learns anevent abstractionandprefix-risk scorerfrom terminal outcomes. Across WebArena, τ^2-Bench, SkillsBench, and TerminalBench, the strongest PrefixGuard monitors reach 0.900/0.710/0.533/0.557AUPRC. Using the strongest backend within each representation, they improve over raw-text controls by an average of +0.137AUPRC. LLM judges remain substantially weaker under the same prefix-warning protocol. We also derive an observability ceiling on score-based area under the precision-recall curve (AUPRC) that separates monitor error from failures lacking evidence in the observed prefix. Forfinite-state audit, post-hocdeterministic finite automaton (DFA)extraction remains compact on WebArena and τ^2-Bench (29 and 20 states) but expands to 151 and 187 states on SkillsBench and TerminalBench. Finally, first-alert diagnostics show that strong ranking does not imply deployment utility: WebArena ranks well yet fails to support low-false-alarm alerts, whereas τ^2-Bench and TerminalBench retain more actionable early alerts. Together, these results position PrefixGuard as a practical monitor-synthesis recipe with explicit diagnostics for when prefix warnings translate into actionable interventions.
View arXiv pageView PDFGitHub1Add to collection
Get this paper in your agent:
hf papers read 2605\.06455
Don’t have the latest CLI?curl \-LsSf https://hf\.co/cli/install\.sh \| bash
Models citing this paper0
No model linking this paper
Cite arxiv.org/abs/2605.06455 in a model README.md to link it from this page.
Datasets citing this paper0
No dataset linking this paper
Cite arxiv.org/abs/2605.06455 in a dataset README.md to link it from this page.
Spaces citing this paper0
No Space linking this paper
Cite arxiv.org/abs/2605.06455 in a Space README.md to link it from this page.
Collections including this paper0
No Collection including this paper
Add this paper to acollectionto link it from this page.
相似文章
PropGuard:通过传播感知的探索与修复保障LLM-MAS安全
PropGuard是一种传播感知框架,用于保护基于LLM的多智能体系统(LLM-MAS)免受跨智能体和轮次传播的恶意指令的影响。它构建了一个双视角时空图,并使用经过GE-GRPO训练的检查器来检测和修复可疑的传播子图。
PolicyGuard:面向LLM代理政策遵从性的对话基础子代理验证器
PolicyGuard是一种子代理验证器,通过在多轮交互中提供上下文推理和对话特定反馈,增强LLM代理的政策遵从性,在tau^2-BENCH基准上取得了显著改进。
通过溯源分析防范LLM代理失对齐
本文提出了一种基于溯源的框架和多阶段流水线\tool,用于在LLM代理执行工具调用前检测失对齐,与基于LLM作为裁判的基线相比,显著降低了错误率。
通过行为识别:利用UI痕迹对LLM浏览器代理进行指纹识别
本文证明,网站可以通过分析浏览代理的行为模式和时序数据,识别其背后的大语言模型,在14个前沿LLM上实现了高达96%的F1分数。本文正式定义了这一攻击面,并表明随机时序延迟不足以阻止识别。
内存增强型LLM智能体中的状态污染
本文识别并研究了LLM智能体中的“记忆洗白”现象,即有毒或对抗性上下文被压缩成记忆摘要后,能够逃避标准毒性检测器,同时仍影响后续生成。文章引入了亚阈值传播间隙(SPG)来衡量隐藏的下游影响,并表明在摘要之前对有毒状态进行消毒比事后清理更有效。