A privacy vulnerability detection method and device in a large model multi-agent system
By constructing a privacy vulnerability detection method for multi-agent systems and using a four-dimensional evaluation space and a PII detector for systematic evaluation, the efficiency and accuracy issues of privacy vulnerability detection in multi-agent systems are solved, and a comprehensive evaluation and risk quantification of the privacy protection capabilities of multi-agent systems are achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HARBIN INSTITUTE OF TECHNOLOGY (SHENZHEN) (INSTITUTE OF SCIENCE AND TECHNOLOGY INNOVATION HARBIN INSTITUTE OF TECHNOLOGY SHENZHEN)
- Filing Date
- 2026-04-29
- Publication Date
- 2026-07-10
AI Technical Summary
Existing technologies lack efficient and accurate methods for detecting privacy vulnerabilities in multi-agent systems, cannot comprehensively measure privacy risks in multi-agent collaborative scenarios, lack standardized data construction methods for multi-agent privacy evaluation, and cannot systematically identify privacy weaknesses in multi-agent systems.
This paper presents a method for detecting privacy vulnerabilities in large-scale multi-agent systems. The method involves obtaining the architecture parameters of the multi-agent system for modeling, constructing a fully loaded system model and a privacy evaluation dataset, using a four-dimensional evaluation space and a PII detector for privacy leakage assessment, and employing a multi-level quantitative indicator system for risk assessment.
It enables a comprehensive assessment of the privacy protection capabilities of multi-agent systems, can capture direct and rewritten leaks of privacy information by models, supports multi-level privacy risk quantification from fine-grained to global levels, and improves the efficiency and accuracy of privacy vulnerability detection.
Smart Images

Figure CN122365518A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of artificial intelligence security technology, and in particular to a method and apparatus for detecting privacy vulnerabilities in a large-scale multi-agent system. Background Technology
[0002] With the rapid development of Large Language Model (LLM) technology, autonomous AI agents have been widely applied in complex scenarios such as healthcare and office automation, driving a significant shift from single-agent systems to multi-agent systems (MAS). MAS coordinates multiple specialized agents through discriminative routing agents, enabling efficient handling of complex tasks and multi-dimensional problems in real-world environments. This collaborative model enhances the applicability and execution efficiency of agent technology, making MAS a cornerstone trend in the evolution of intelligent agents.
[0003] To provide high-quality services, multi-agent systems must rely on deep awareness and persistent storage of user privacy data. Multi-agent systems significantly improve the efficiency and quality of task processing by decomposing complex tasks into collaborative processing by multiple specialized agents. In a typical multi-agent architecture, the system usually includes an Intent Agent and multiple Function Agents. The Intent Agent analyzes user requests and distributes them to the most appropriate Function Agents, while each Function Agent retrieves relevant information from its own knowledge base and generates a response based on Retrieval-Augmented Generation (RAG) technology.
[0004] However, in processing user requests, multi-agent systems inevitably need to collect and process large amounts of personally identifiable information (PII), such as names, phone numbers, ID numbers, medical records, and financial data. This private information flows and is stored among multiple agents within the system, posing serious privacy and security risks. Compared to monolithic architectures, privacy risks in multi-agent systems (MAS) exhibit higher dimensionality and complexity. Sensitive information not only exists in externally retrieved knowledge but also accumulates in the local interaction history of each functional node. This structural complexity facilitates unintended data exposure through cross-agent information flow, significantly expanding the potential attack surface for privacy breaches.
[0005] Building upon existing research exploring privacy and memory risks in single-agent systems, this paper introduces a new paradigm in multi-agent systems: collaborative distributed memory. Unlike isolated memory modules, this decentralized storage network is logically interconnected through collaborative workflows, generating unprecedented risks that current work cannot address. Because the interaction traces generated by agents' memories and contexts during multi-agent collaboration provide richer semantic context than single-turn interactions, these traces can be reverse-engineered to extract sensitive historical information. Current benchmark data primarily focuses on static or isolated scenarios, making it difficult to simulate such complex "routing-execution-memory" paths or assess the cumulative risks of observing collaborative logs.
[0006] Existing privacy protection research mainly focuses on the following aspects: Privacy leakage assessment for a single LLM (Local Level Model), testing whether the model will leak private information in the training data through methods such as hint injection attacks. These methods only focus on the privacy risks of a single model and fail to consider additional privacy leakage paths brought about by inter-agent collaboration in multi-agent systems; Privacy protection methods based on differential privacy, federated learning, etc., protect privacy by introducing noise or distributed training during data processing, but these methods mainly target the model training stage and fail to effectively address privacy leakage risks during the inference stage; Security research on RAG (Research Aggregator) systems mainly focuses on attack methods such as knowledge base poisoning and retrieval result tampering, but fails to systematically assess the risk of leakage of user privacy information in RAG systems.
[0007] In the existing technology, there is a lack of an efficient and accurate method for detecting privacy vulnerabilities in multi-agent systems. Summary of the Invention
[0008] To address the shortcomings of existing technologies, such as the lack of a systematic privacy breach assessment benchmark for multi-agent systems, which prevents a comprehensive measurement of privacy risks in multi-agent collaborative scenarios; the lack of standardized data construction methods for multi-agent privacy evaluation, as existing datasets fail to simulate real-world scenarios where privacy information is distributed and stored among multiple agents; and the lack of a comprehensive evaluation framework covering multiple domains, PII types, and attack dimensions, which hinders the systematic identification of privacy vulnerabilities in multi-agent systems, this invention provides a method and apparatus for detecting privacy vulnerabilities in large-scale multi-agent systems. The technical solution is as follows: On the one hand, a method for detecting privacy vulnerabilities in large-scale multi-agent systems is provided. This method is implemented by a privacy vulnerability detection device and includes: Obtain the architecture parameters of the multi-agent system to be evaluated; based on the architecture parameters, perform architecture modeling on the multi-agent system to obtain the initial multi-agent system model; Obtain the privacy assessment task requirements; based on the PII classification system, construct data according to the privacy assessment task requirements and the initial multi-agent system model to obtain the fully loaded system model and the privacy assessment dataset; Based on the privacy evaluation task requirements, PII classification system, multi-agent system architecture parameters and preset attack path methods, a four-dimensional evaluation space privacy evaluation is performed on the fully loaded system model according to the privacy evaluation dataset, and a PII detector is used to capture privacy leakage datasets. Based on a multi-level quantitative indicator system, a quantitative assessment of privacy breaches is conducted using privacy evaluation datasets and privacy breach datasets to obtain privacy risk assessment results.
[0009] On the other hand, a privacy vulnerability detection device for large-scale multi-agent systems is provided. This device is applied to a privacy vulnerability detection method for large-scale multi-agent systems. The device includes: The system modeling module is used to obtain the architecture parameters of the multi-agent system to be evaluated; based on the architecture parameters, the architecture of the multi-agent system is modeled to obtain the initial multi-agent system model; The data construction module is used to obtain the privacy assessment task requirements; based on the PII classification system, data is constructed according to the privacy assessment task requirements and the initial multi-agent system model to obtain the fully loaded system model and the privacy assessment dataset. The privacy detection module is used to perform four-dimensional evaluation space privacy evaluation on the fully loaded system model based on the privacy evaluation task requirements, PII classification system, multi-agent system architecture parameters and preset attack path methods, and to use the privacy evaluation dataset to capture privacy leakage datasets. The risk assessment module is used to conduct quantitative assessments of privacy breaches based on a multi-level quantitative indicator system, using privacy evaluation datasets and privacy breach datasets, and to obtain privacy risk assessment results.
[0010] On the other hand, a privacy vulnerability detection device is provided, the privacy vulnerability detection device comprising: a processor; a memory storing computer-readable instructions, wherein when the computer-readable instructions are executed by the processor, any one of the privacy vulnerability detection methods in the above-described large model multi-agent system is implemented.
[0011] On the other hand, a computer-readable storage medium is provided, wherein at least one instruction is stored therein, the at least one instruction being loaded and executed by a processor to implement any of the above-described methods for detecting privacy vulnerabilities in large-scale multi-agent systems.
[0012] The beneficial effects of the technical solutions provided in the embodiments of the present invention include at least the following: This invention proposes a privacy vulnerability detection method for large-scale multi-agent systems. Based on a PII classification system and pattern definition, multi-domain data generation using domain templates, a distributed knowledge base injection strategy, and interactive memory construction with controllable memory expansion, it can systematically generate evaluation data simulating real-world privacy distributions. Based on a four-dimensional evaluation space, it achieves a comprehensive assessment of the privacy protection capabilities of multi-agent systems through automated evaluation query generation and standardized evaluation execution processes. A dual detection mechanism combining precise matching and semantic matching is employed to capture both direct and rewritten privacy information leaks by the model. A multi-level quantitative evaluation index system, including single-point privacy leakage rate, dimensional aggregation analysis, cross-agent leakage rate, memory dilution coefficient, and global privacy risk score, supports multi-level privacy risk quantification from fine-grained to global levels. This invention provides an efficient and accurate privacy vulnerability detection method for multi-agent systems. Attached Figure Description
[0013] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0014] Figure 1 This is a flowchart of a privacy vulnerability detection method in a large-scale multi-agent system provided by an embodiment of the present invention; Figure 2 This is a block diagram of a privacy vulnerability detection device in a large-scale multi-agent system provided in an embodiment of the present invention; Figure 3 This is a schematic diagram of the structure of a privacy vulnerability detection device provided in an embodiment of the present invention. Detailed Implementation
[0015] The technical solution of the present invention will now be described with reference to the accompanying drawings.
[0016] In embodiments of the present invention, words such as "exemplarily," "for example," etc., are used to indicate that something is an example, illustration, or description. Any embodiment or design described as "exemplary" in the present invention should not be construed as being more preferred or advantageous than other embodiments or designs. Specifically, the use of the word "exemplary" is intended to present the concept in a concrete manner. Furthermore, in embodiments of the present invention, the meaning expressed by "and / or" can be both, or either one.
[0017] In the embodiments of this invention, the terms "image" and "picture" may sometimes be used interchangeably. It should be noted that, without emphasizing the distinction between them, they convey the same meaning. Similarly, the terms "of," "corresponding (relevant)," and "corresponding" may sometimes be used interchangeably. It should be noted that, without emphasizing the distinction between them, they convey the same meaning.
[0018] In this embodiment of the invention, sometimes a subscript such as W1 may be written in a non-subscript form such as W1. When the difference is not emphasized, the meaning they express is the same.
[0019] To make the technical problems, technical solutions and advantages of the present invention clearer, a detailed description will be given below in conjunction with the accompanying drawings and specific embodiments.
[0020] This invention provides a method for detecting privacy vulnerabilities in large-scale multi-agent systems. This method can be implemented using a privacy vulnerability detection device, which can be a terminal or a server. Figure 1 The flowchart shown is for a privacy vulnerability detection method in a large-scale multi-agent system. The processing flow of this method may include the following steps: S1. Obtain the architecture parameters of the multi-agent system to be evaluated; based on the architecture parameters, perform architecture modeling on the multi-agent system to obtain the initial multi-agent system model; The multi-agent system model includes an intent-routing agent model, a functional agent model, a knowledge base model, and a memory storage model.
[0021] In one feasible implementation, during the multi-agent system architecture modeling stage, the present invention performs formal modeling of typical multi-agent system architectures.
[0022] Define multi-agent systems ,in For the intention routing agent, For the first A functional intelligent agent, For the corresponding knowledge base, For memory storage. User query. After analysis by the intent-based routing agent, the route is routed to the functional agent. ,in The functional agent retrieves documents from the knowledge base through the RAG mechanism. and combine memory to generate responses The model identifies three storage locations for privacy information within the system: a knowledge base, memory storage, and the intent routing and delivery process.
[0023] S2. Obtain privacy assessment task requirements; Based on the PII classification system, construct data according to the privacy assessment task requirements and the initial multi-agent system model to obtain the fully loaded system model and privacy assessment dataset. Optionally, based on the PII classification system, data is constructed according to the privacy evaluation task requirements and the initial multi-agent system model to obtain a fully loaded system model and a privacy evaluation dataset, including: Based on the PII classification system, and according to the set of virtual user parameters required by the privacy assessment task, a structured data generation method is used to generate virtual user profiles to obtain a set of user privacy profiles. Based on the user privacy profile set, and according to the multi-domain application requirements of the privacy assessment task, the domain template function is used to generate documents to obtain a domain document set. Based on a distributed storage strategy, information is injected into the initial multi-agent system model according to the domain document set to obtain a knowledge base loading system model; Based on the optimized multi-agent system model, historical information is generated according to the multi-round interaction requirements of the privacy assessment task, and multi-round interaction historical data is obtained. Based on the historical data of multiple rounds of interaction, information is injected into the knowledge base loading system model to obtain the full loading system model; Based on the full-load system model, a scenario instantiation of a controllable memory expansion mechanism is performed according to the memory scale configuration parameters required by the privacy assessment task, thereby obtaining the privacy assessment dataset.
[0024] In one feasible implementation, this invention proposes a standardized data construction method during the privacy assessment data construction phase. This includes defining a PII classification system. ,in This is a PII category, which includes various specific PII types.
[0025] For each virtual user Generate a complete PII profile ,in Ensure that the generated privacy information conforms to the characteristics of real data. These are privacy fields, including name and phone number; This represents the value of the corresponding field for user u. For different application domains, a domain-specific document collection is constructed based on a pre-defined scenario template library (including scenario types such as w_worried (w_worried), w_routine (w_routine), w_planning (w_planning), and w_emergency (w_emergency). , For the nth domain scenario requirement data; through the domain template function By naturally embedding user PII information into domain documents, natural dialogue scenarios can be generated.
[0026] Distribute documents into the knowledge bases of various functional agents. This ensures that different types of PII information for the same user are stored separately in different agents. Constructing multi-round interaction history data... And inject memory storage, The response information of the k-th agent in round t; through a controllable memory expansion mechanism. Construct evaluation scenarios with different memory scales. Configure parameters for the memory size, such as how many memories there are.
[0027] S3. Based on the privacy evaluation task requirements, PII classification system, multi-agent system architecture parameters and preset attack path methods, a four-dimensional evaluation space privacy evaluation is performed on the fully loaded system model according to the privacy evaluation dataset, and a PII detector is used to capture the privacy leakage dataset. The evaluation dimensions of the four-dimensional evaluation space include application domain dimension, PII type dimension, multi-agent system component dimension, and attack path dimension.
[0028] In one feasible implementation, the present invention defines a four-dimensional evaluation space. ,in Based on the domain dimension (including education, healthcare, finance, and other fields). For PII type dimensions (including PII types such as name, email, phone, address, SSN, etc.), This is at the system component level (including components such as intent routing Router and function agents). The attack path dimension covers three attack algorithms: RAG-Thief, Pirates, and MEXTRA.
[0029] Optionally, based on the privacy evaluation task requirements, PII classification system, multi-agent system architecture parameters, and preset attack path methods, a four-dimensional evaluation space privacy evaluation is performed on the fully loaded system model according to the privacy evaluation dataset, and a PII detector is used to capture the privacy leakage dataset, including: A four-dimensional evaluation space is constructed based on the privacy evaluation task requirements, PII classification system, multi-agent system architecture parameters, and preset attack path methods. Based on the four-dimensional evaluation space, and using the privacy evaluation dataset, an automated query generation method is used to generate the evaluation query set. Based on the evaluation query set, a full-load system model is used to submit multiple rounds of evaluation queries and collect the evaluation response set. Based on the privacy evaluation dataset, the PII detector is used to detect privacy information leakage on the evaluation response set to obtain a privacy leakage dataset.
[0030] In one feasible implementation, during the design phase of the multi-dimensional comprehensive evaluation framework, each evaluation point is... Automatically generate evaluation query sets The query is semantically related to the target PII but does not directly contain privacy content. During the evaluation process, the system is initialized, queries are submitted, responses are collected, and a PII detector is used to determine whether the response contains privacy information.
[0031] The PII detector uses a combination of exact matching and semantic matching. , The threshold for semantic similarity is used; hard matching checks whether the original PII text appears through precise string matching, while soft matching detects PII rewriting and approximate leakage through semantic similarity matching to capture direct leakage and rewriting leakage.
[0032] S4. Based on a multi-level quantitative indicator system, a quantitative assessment of privacy breaches is conducted using privacy evaluation datasets and privacy breach datasets to obtain privacy risk assessment results.
[0033] Optionally, based on a multi-level quantitative indicator system, a quantitative assessment of privacy breaches is conducted using privacy evaluation datasets and privacy breach datasets to obtain privacy risk assessment results, including: Based on the privacy assessment dataset and the privacy leakage dataset, the leakage rate of assessment points is calculated to obtain a set of single-point leakage rates. Based on the single-point leakage rate set, perform domain-by-domain leakage rate aggregation analysis to obtain a multi-domain privacy leakage rate set; Based on preset risk weights, a weighted average is calculated according to a set of privacy leakage rates from multiple domains to obtain a global privacy risk score. Based on the preset intent routing agent identifier, the leakage rate is extracted according to the multi-domain privacy leakage rate set to obtain the intent routing privacy leakage rate set; the cross-agent leakage rate is calculated based on the intent routing privacy leakage rate set. A comparative analysis of privacy leakage rates at multiple memory scales was conducted based on privacy assessment datasets and privacy leakage datasets to obtain the memory dilution coefficient.
[0034] In one feasible implementation, during the privacy leakage quantitative assessment stage, this invention proposes a multi-level quantitative indicator system.
[0035] Calculate the single-point privacy breach rate for each evaluation point. Aggregate analysis is performed along various dimensions to identify high-risk areas, PII types, and system components, such as aggregation by area. .
[0036] A comprehensive privacy risk score is calculated based on all dimensions. ,in Risk weighting This represents the preset total number of test samples.
[0037] Define cross-agent leakage rate The memory dilution factor is defined to measure the proportion of cross-agent privacy breaches caused by intent routing. Assess the impact of memory expansion on privacy breaches, when This indicates that memory expansion has a "dilution effect".
[0038] This invention proposes a privacy vulnerability detection method for large-scale multi-agent systems. Based on a PII classification system and pattern definition, multi-domain data generation using domain templates, a distributed knowledge base injection strategy, and interactive memory construction with controllable memory expansion, it can systematically generate evaluation data simulating real-world privacy distributions. Based on a four-dimensional evaluation space, it achieves a comprehensive assessment of the privacy protection capabilities of multi-agent systems through automated evaluation query generation and standardized evaluation execution processes. A dual detection mechanism combining precise matching and semantic matching is employed to capture both direct and rewritten privacy information leaks by the model. A multi-level quantitative evaluation index system, including single-point privacy leakage rate, dimensional aggregation analysis, cross-agent leakage rate, memory dilution coefficient, and global privacy risk score, supports multi-level privacy risk quantification from fine-grained to global levels. This invention provides an efficient and accurate privacy vulnerability detection method for multi-agent systems.
[0039] Figure 2 This is a block diagram of a privacy vulnerability detection device in a large-scale multi-agent system provided by an embodiment of the present invention. This device is used in a privacy vulnerability detection method for large-scale multi-agent systems. (Refer to...) Figure 2 The device includes a system modeling module 210, a data construction module 220, a privacy detection module 230, and a risk assessment module 240. Among them: The system modeling module 210 is used to obtain the architecture parameters of the multi-agent system to be evaluated; and to perform architecture modeling on the multi-agent system based on the architecture parameters to obtain an initial multi-agent system model. The data construction module 220 is used to obtain the privacy evaluation task requirements; based on the PII classification system, data is constructed according to the privacy evaluation task requirements and the initial multi-agent system model to obtain the fully loaded system model and the privacy evaluation dataset. The privacy detection module 230 is used to perform four-dimensional evaluation space privacy evaluation on the fully loaded system model based on the privacy evaluation task requirements, PII classification system, multi-agent system architecture parameters and preset attack path methods, and to use the privacy evaluation dataset to capture privacy leakage datasets. The risk assessment module 240 is used to conduct a quantitative assessment of privacy breaches based on a multi-level quantitative indicator system, using privacy evaluation datasets and privacy breach datasets, and to obtain privacy risk assessment results.
[0040] The multi-agent system model includes an intent-routing agent model, a functional agent model, a knowledge base model, and a memory storage model.
[0041] Optionally, the data construction module 220 is further used for: Based on the PII classification system, and according to the set of virtual user parameters required by the privacy assessment task, a structured data generation method is used to generate virtual user profiles to obtain a set of user privacy profiles. Based on the user privacy profile set, and according to the multi-domain application requirements of the privacy assessment task, the domain template function is used to generate documents to obtain a domain document set. Based on a distributed storage strategy, information is injected into the initial multi-agent system model according to the domain document set to obtain a knowledge base loading system model; Based on the optimized multi-agent system model, historical information is generated according to the multi-round interaction requirements of the privacy assessment task, and multi-round interaction historical data is obtained. Based on the historical data of multiple rounds of interaction, information is injected into the knowledge base loading system model to obtain the full loading system model; Based on the full-load system model, a scenario instantiation of a controllable memory expansion mechanism is performed according to the memory scale configuration parameters required by the privacy assessment task, thereby obtaining the privacy assessment dataset.
[0042] Optionally, the privacy detection module 230 is further used for: A four-dimensional evaluation space is constructed based on the privacy evaluation task requirements, PII classification system, multi-agent system architecture parameters, and preset attack path methods. Based on the four-dimensional evaluation space, and using the privacy evaluation dataset, an automated query generation method is used to generate the evaluation query set. Based on the evaluation query set, a full-load system model is used to submit multiple rounds of evaluation queries and collect the evaluation response set. Based on the privacy evaluation dataset, the PII detector is used to detect privacy information leakage on the evaluation response set to obtain a privacy leakage dataset.
[0043] The evaluation dimensions of the four-dimensional evaluation space include application domain dimension, PII type dimension, multi-agent system component dimension, and attack path dimension.
[0044] Optionally, the risk assessment module 240 is further used for: Based on the privacy assessment dataset and the privacy leakage dataset, the leakage rate of assessment points is calculated to obtain a set of single-point leakage rates. Based on the single-point leakage rate set, perform domain-by-domain leakage rate aggregation analysis to obtain a multi-domain privacy leakage rate set; Based on preset risk weights, a weighted average is calculated according to a set of privacy leakage rates from multiple domains to obtain a global privacy risk score. Based on the preset intent routing agent identifier, the leakage rate is extracted according to the multi-domain privacy leakage rate set to obtain the intent routing privacy leakage rate set; the cross-agent leakage rate is calculated based on the intent routing privacy leakage rate set. A comparative analysis of privacy leakage rates at multiple memory scales was conducted based on privacy assessment datasets and privacy leakage datasets to obtain the memory dilution coefficient.
[0045] This invention proposes a privacy vulnerability detection method for large-scale multi-agent systems. Based on a PII classification system and pattern definition, multi-domain data generation using domain templates, a distributed knowledge base injection strategy, and interactive memory construction with controllable memory expansion, it can systematically generate evaluation data simulating real-world privacy distributions. Based on a four-dimensional evaluation space, it achieves a comprehensive assessment of the privacy protection capabilities of multi-agent systems through automated evaluation query generation and standardized evaluation execution processes. A dual detection mechanism combining precise matching and semantic matching is employed to capture both direct and rewritten privacy information leaks by the model. A multi-level quantitative evaluation index system, including single-point privacy leakage rate, dimensional aggregation analysis, cross-agent leakage rate, memory dilution coefficient, and global privacy risk score, supports multi-level privacy risk quantification from fine-grained to global levels. This invention provides an efficient and accurate privacy vulnerability detection method for multi-agent systems.
[0046] Figure 3 This is a schematic diagram of the structure of a privacy vulnerability detection device provided in an embodiment of the present invention, as shown below. Figure 3 As shown, privacy vulnerability detection devices may include the above-mentioned Figure 2 The privacy vulnerability detection device shown is used in a large-scale multi-agent system. Optionally, the privacy vulnerability detection device 310 may include a first processor 2001.
[0047] Optionally, the privacy vulnerability detection device 310 may also include a memory 2002 and a transceiver 2003.
[0048] The first processor 2001, memory 2002, and transceiver 2003 can be connected via a communication bus.
[0049] The following is combined with Figure 3 A detailed introduction to each component of the privacy vulnerability detection device 310: The first processor 2001 is the control center of the privacy vulnerability detection device 310. It can be a single processor or a collective term for multiple processing elements. For example, the first processor 2001 can be one or more central processing units (CPUs), application-specific integrated circuits (ASICs), or one or more integrated circuits configured to implement embodiments of the present invention, such as one or more digital signal processors (DSPs), or one or more field-programmable gate arrays (FPGAs).
[0050] Optionally, the first processor 2001 can perform various functions of the privacy vulnerability detection device 310 by running or executing software programs stored in the memory 2002 and calling data stored in the memory 2002.
[0051] In a specific implementation, as one example, the first processor 2001 may include one or more CPUs, for example... Figure 3 CPU0 and CPU1 are shown in the diagram.
[0052] In a specific implementation, as one example, the privacy vulnerability detection device 310 may also include multiple processors, for example... Figure 3 The first processor 2001 and the second processor 2004 are shown in the diagram. Each of these processors can be a single-core processor or a multi-core processor. Here, a processor can refer to one or more devices, circuits, and / or processing cores used to process data (such as computer program instructions).
[0053] The memory 2002 is used to store the software program that executes the present invention, and is controlled by the first processor 2001 to execute it. The specific implementation method can be referred to the above method embodiment, and will not be repeated here.
[0054] Optionally, the memory 2002 may be a read-only memory (ROM) or other type of static storage device capable of storing static information and instructions, random access memory (RAM) or other type of dynamic storage device capable of storing information and instructions, or electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compressed optical discs, laser discs, optical discs, digital universal optical discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium capable of carrying or storing desired program code in the form of instructions or data structures and accessible by a computer, but not limited thereto. The memory 2002 may be integrated with the first processor 2001 or may exist independently, and may be connected via the interface circuit of the privacy vulnerability detection device 310. Figure 3 (Not shown in the image) is coupled to the first processor 2001, and this embodiment of the invention does not specifically limit this.
[0055] The transceiver 2003 is used to communicate with network devices or with terminal devices.
[0056] Alternatively, transceiver 2003 may include a receiver and a transmitter. Figure 3 (Not shown separately). The receiver is used to implement the receiving function, and the transmitter is used to implement the transmitting function.
[0057] Optionally, the transceiver 2003 can be integrated with the first processor 2001, or it can exist independently and be connected to the interface circuit of the privacy vulnerability detection device 310. Figure 3 (Not shown in the image) is coupled to the first processor 2001, and this embodiment of the invention does not specifically limit this.
[0058] It should be noted that, Figure 3 The structure of the privacy vulnerability detection device 310 shown does not constitute a limitation on the router. Actual privacy vulnerability detection devices may include more or fewer components than shown, or combine certain components, or have different component arrangements.
[0059] Furthermore, the technical effectiveness of the privacy vulnerability detection device 310 can be referenced from the technical effectiveness of the privacy vulnerability detection method in the large model multi-agent system described in the above method embodiments, and will not be repeated here.
[0060] It should be understood that the first processor 2001 in the embodiments of the present invention may be a central processing unit (CPU), or it may be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor may be a microprocessor, or it may be any conventional processor, etc.
[0061] It should also be understood that the memory in the embodiments of the present invention can be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. The volatile memory can be random access memory (RAM), which is used as an external cache. By way of example, but not limitation, many forms of random access memory (RAM) are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate synchronous DRAM (DDR SDRAM), enhanced synchronous DRAM (ESDRAM), synchronous linked DRAM (SLDRAM), and direct rambus RAM (DRRAM).
[0062] The above embodiments can be implemented, in whole or in part, by software, hardware (such as circuits), firmware, or any other combination thereof. When implemented using software, the above embodiments can be implemented, in whole or in part, as a computer program product. The computer program product includes one or more computer instructions or computer programs. When the computer instructions or computer programs are loaded or executed on a computer, all or part of the processes or functions described in the embodiments of the present invention are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that includes one or more sets of available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. A semiconductor medium can be a solid-state drive.
[0063] It should be understood that the term "and / or" in this article is merely a description of the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A existing alone, A and B existing simultaneously, or B existing alone. A and B can be singular or plural. Additionally, the character " / " in this article generally indicates an "or" relationship between the preceding and following related objects, but it can also represent an "and / or" relationship. Please refer to the context for a more accurate understanding.
[0064] In this invention, "at least one" means one or more, and "more than one" means two or more. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of a single item or a plurality of items. For example, at least one of a, b, or c can represent: a, b, c, ab, ac, bc, or abc, where a, b, and c can be a single item or multiple items.
[0065] It should be understood that, in various embodiments of the present invention, the order of the above-mentioned process numbers does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
[0066] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this invention.
[0067] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the devices, apparatuses, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0068] In the several embodiments provided by this invention, it should be understood that the disclosed devices, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another device, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between devices or units may be electrical, mechanical, or other forms.
[0069] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0070] In addition, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.
[0071] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this invention, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0072] The above description is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in the present invention should be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.
Claims
1. A method for detecting privacy vulnerabilities in a large-scale multi-agent system, characterized in that, The method includes: Obtain the architecture parameters of the multi-agent system to be evaluated; based on the architecture parameters, perform architecture modeling on the multi-agent system to obtain the initial multi-agent system model; Obtain the privacy assessment task requirements; based on the PII classification system, construct data according to the privacy assessment task requirements and the initial multi-agent system model to obtain the fully loaded system model and the privacy assessment dataset; Based on the privacy evaluation task requirements, PII classification system, multi-agent system architecture parameters and preset attack path methods, a four-dimensional evaluation space privacy evaluation is performed on the fully loaded system model according to the privacy evaluation dataset, and a PII detector is used to capture privacy leakage datasets. Based on a multi-level quantitative indicator system, a quantitative assessment of privacy breaches is conducted using privacy evaluation datasets and privacy breach datasets to obtain privacy risk assessment results.
2. The privacy vulnerability detection method in a large-scale multi-agent system according to claim 1, characterized in that, The multi-agent system model includes an intent-routing agent model, a functional agent model, a knowledge base model, and a memory storage model.
3. The privacy vulnerability detection method in a large-scale multi-agent system according to claim 1, characterized in that, The PII-based classification system, according to the privacy assessment task requirements and the initial multi-agent system model, constructs data to obtain a fully loaded system model and a privacy assessment dataset, including: Based on the PII classification system, and according to the set of virtual user parameters required by the privacy assessment task, a structured data generation method is used to generate virtual user profiles to obtain a set of user privacy profiles. Based on the user privacy profile set, and according to the multi-domain application requirements of the privacy assessment task, the domain template function is used to generate documents to obtain a domain document set. Based on a distributed storage strategy, information is injected into the initial multi-agent system model according to the domain document set to obtain a knowledge base loading system model; Based on the optimized multi-agent system model, historical information is generated according to the multi-round interaction requirements of the privacy assessment task, and multi-round interaction historical data is obtained. Based on the historical data of multiple rounds of interaction, information is injected into the knowledge base loading system model to obtain the full loading system model; Based on the full-load system model, a scenario instantiation of a controllable memory expansion mechanism is performed according to the memory scale configuration parameters required by the privacy assessment task, thereby obtaining the privacy assessment dataset.
4. The privacy vulnerability detection method in a large-scale multi-agent system according to claim 1, characterized in that, Based on the privacy evaluation task requirements, PII classification system, multi-agent system architecture parameters, and preset attack path methods, the fully loaded system model undergoes a four-dimensional evaluation space privacy evaluation using the privacy evaluation dataset. A PII detector is then used to capture privacy-leaking datasets, including: A four-dimensional evaluation space is constructed based on the privacy evaluation task requirements, PII classification system, multi-agent system architecture parameters, and preset attack path methods; Based on the four-dimensional evaluation space, and using the privacy evaluation dataset, an automated query generation method is used to generate data and obtain an evaluation query set. Based on the evaluation query set, a full-load system model is used to submit multiple rounds of evaluation queries and collect the evaluation response set. Based on the privacy evaluation dataset, the PII detector is used to detect privacy information leakage on the evaluation response set to obtain a privacy leakage dataset.
5. The privacy vulnerability detection method in a large-scale multi-agent system according to claim 4, characterized in that, The evaluation dimensions of the four-dimensional evaluation space include the application domain dimension, PII type dimension, multi-agent system component dimension, and attack path dimension.
6. The privacy vulnerability detection method in a large-scale multi-agent system according to claim 1, characterized in that, The aforementioned multi-level quantitative indicator system, based on privacy assessment datasets and privacy leakage datasets, performs quantitative assessments of privacy leaks to obtain privacy risk assessment results, including: Based on the privacy assessment dataset and the privacy leakage dataset, the leakage rate of assessment points is calculated to obtain a set of single-point leakage rates. Based on the single-point leakage rate set, perform domain-by-domain leakage rate aggregation analysis to obtain a multi-domain privacy leakage rate set; Based on preset risk weights, a weighted average is calculated according to a set of privacy leakage rates from multiple domains to obtain a global privacy risk score. Based on the preset intent routing agent identifier, the leakage rate is extracted according to the multi-domain privacy leakage rate set to obtain the intent routing privacy leakage rate set; the cross-agent leakage rate is calculated based on the intent routing privacy leakage rate set. A comparative analysis of privacy leakage rates at multiple memory scales was conducted based on privacy assessment datasets and privacy leakage datasets to obtain the memory dilution coefficient.
7. A privacy vulnerability detection device for a large model multi-agent system, wherein the privacy vulnerability detection device for the large model multi-agent system is used to implement the privacy vulnerability detection method for the large model multi-agent system as described in any one of claims 1-6, characterized in that, The device includes: The system modeling module is used to obtain the architecture parameters of the multi-agent system to be evaluated; based on the architecture parameters, the architecture of the multi-agent system is modeled to obtain the initial multi-agent system model; The data construction module is used to obtain the privacy assessment task requirements; based on the PII classification system, data is constructed according to the privacy assessment task requirements and the initial multi-agent system model to obtain the fully loaded system model and the privacy assessment dataset. The privacy detection module is used to perform four-dimensional evaluation space privacy evaluation on the fully loaded system model based on the privacy evaluation task requirements, PII classification system, multi-agent system architecture parameters and preset attack path methods, and to use the privacy evaluation dataset to capture privacy leakage datasets. The risk assessment module is used to conduct quantitative assessments of privacy breaches based on a multi-level quantitative indicator system, using privacy evaluation datasets and privacy breach datasets, and to obtain privacy risk assessment results.
8. The privacy vulnerability detection device in a large-scale multi-agent system according to claim 7, characterized in that, The data construction module is further used for: Based on the PII classification system, and according to the set of virtual user parameters required by the privacy assessment task, a structured data generation method is used to generate virtual user profiles to obtain a set of user privacy profiles. Based on the user privacy profile set, and according to the multi-domain application requirements of the privacy assessment task, the domain template function is used to generate documents to obtain a domain document set. Based on a distributed storage strategy, information is injected into the initial multi-agent system model according to the domain document set to obtain a knowledge base loading system model; Based on the optimized multi-agent system model, historical information is generated according to the multi-round interaction requirements of the privacy assessment task, and multi-round interaction historical data is obtained. Based on the historical data of multiple rounds of interaction, information is injected into the knowledge base loading system model to obtain the full loading system model; Based on the full-load system model, a scenario instantiation of a controllable memory expansion mechanism is performed according to the memory scale configuration parameters required by the privacy assessment task, thereby obtaining the privacy assessment dataset.
9. A privacy vulnerability detection device, characterized in that, The privacy vulnerability detection device includes: processor; A memory storing computer-readable instructions that, when executed by the processor, implement the method as described in any one of claims 1 to 6.
10. A computer-readable storage medium, characterized in that, The computer-readable storage medium contains program code that can be invoked by a processor to execute the method as described in any one of claims 1 to 6.