SAIGuard: Communication-State Simulation for Proactive Defense of LLM Multi-Agent Systems

2026-06-10
AI Summary
This work addresses the vulnerability of large language model (LLM) multi-agent systems to security threats that propagate through communication channels, potentially triggering cascading failures. Existing defenses are predominantly reactive, often failing to prevent irreversible damage. To overcome this limitation, the paper introduces SAIGuard, the first proactive defense framework tailored for LLM multi-agent systems. SAIGuard innovatively integrates a joint communication-state simulation mechanism that, prior to message propagation, models the potential impact of incoming messages on both local and global system states. By leveraging the multi-agent interaction graph, the framework enables early detection of malicious content through communication-state simulation, benign pattern reconstruction, and anomaly identification. Evaluated across diverse network topologies and attack scenarios, SAIGuard significantly reduces attack success rates while preserving collaborative performance, outperforming conventional passive defense strategies.
πŸ“ Abstract
LLM-based multi-agent systems (MAS) solve complex tasks through inter-agent collaboration, but their communication-driven nature also allows security risks to spread across agents and trigger system-wide failures. Existing MAS defenses mainly follow a reactive paradigm after execution by detecting and isolating harmful agents, which may cause irreversible damage and degrade collaborative utility. To address this, we propose a proactive defense framework for MAS security, namely a Simulation-aware Interception Guard (SAIGuard). SAIGuard performs communication-state simulation over the MAS interaction graph, estimates the impact of incoming messages on local agent states and the global MAS state, and detects risky messages via reconstruction deviations from benign communication patterns. Instead of isolating agents, SAIGuard sanitizes or regenerates suspicious messages before they propagate into the system. Experiments across diverse topologies and attack scenarios show that SAIGuard reduces attack success rates while maintaining MAS utility, outperforming reactive defenses.
Problem

Research questions and friction points this paper is trying to address.

LLM-based multi-agent systems
security risks
communication-driven
system-wide failures
reactive defense
Innovation

Methods, ideas, or system contributions that make the work stand out.

proactive defense
communication-state simulation
LLM multi-agent systems
message sanitization
reconstruction deviation