Memory Poisoning Propagation Dynamics and Defense Strategy Comparison in Multi-Agent LLM Collaboration: An Empirical Study on AutoGen and LangGraph Frameworks
DOI: https://doi.org/10.66372/
Keywords: multi-agent LLM systems, memory poisoning, propagation dynamics, AutoGen, LangGraph, defense strategy comparison
Abstract
The rapid adoption of multi-agent large language model (LLM) systems has elevated shared memory into a primary attack surface: a single corrupted entry can propagate across collaborating agents, contaminate downstream reasoning, and degrade task accuracy in ways that are difficult to localize after the fact. This paper presents a controlled empirical study of memory poisoning propagation dynamics in two widely used agentic orchestration frameworks, AutoGen and LangGraph. We construct a five-agent collaborative environment spanning code generation, tabular data analysis, and decision-reasoning tasks, inject five categories of synthetic poisoned entries into the shared memory at a controlled ratio ranging from 5% to 50%, and trace contamination spread through the communication graph using a custom propagation tracker. We compare four representative defense strategies — signature verification, consensus voting, time-based memory decay, and trusted-source weighting — both in isolation and as a hybrid ensemble. At a 30% poison ratio the hybrid defense raises task accuracy from a no-defense baseline of 54.83% to 86.27%, attains a poison-detection F1 of 0.8513, and contains 82.65% of poisoned entries within three communication rounds. Ablation, sensitivity, and case-study analyses confirm that each component contributes non-trivially and that the hybrid is robust across both AutoGen and LangGraph topologies. The fully synthetic setup makes every result reproducible without external datasets.
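The following is an added illustration, not the paper's implementation and not AutoGen or LangGraph code: one way the four defenses named in the abstract could be combined into a single admission check for shared-memory entries. The key table, trust values, half-life, the product scoring rule, the threshold and all function names are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Everything below is assumed for illustration: keys, trust priors,
# half-life, the product scoring rule and the threshold.
AGENT_KEYS = {"coder": b"demo-key-1", "analyst": b"demo-key-2", "planner": b"demo-key-3"}
SOURCE_TRUST = {"coder": 0.9, "analyst": 0.8, "planner": 0.4}
HALF_LIFE_ROUNDS = 4.0
ADMIT_THRESHOLD = 0.35

@dataclass
class MemoryEntry:
    author: str
    round_written: int
    content: str
    tag: str          # hex HMAC-SHA256 written by the author
    votes_for: int    # peers that endorsed the entry
    votes_total: int  # peers that were polled

def _mac(key: bytes, author: str, round_written: int, content: str) -> str:
    # content is the last field, so the "|" separator cannot be confused
    msg = f"{author}|{round_written}|{content}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_entry(author, round_written, content, votes_for, votes_total):
    tag = _mac(AGENT_KEYS[author], author, round_written, content)
    return MemoryEntry(author, round_written, content, tag, votes_for, votes_total)

def signature_ok(e: MemoryEntry) -> bool:
    key = AGENT_KEYS.get(e.author)
    if key is None:               # unknown writer: reject
        return False
    expected = _mac(key, e.author, e.round_written, e.content)
    return hmac.compare_digest(expected.encode(), e.tag.encode())

def hybrid_score(e: MemoryEntry, current_round: int) -> float:
    if not signature_ok(e):       # signature verification is a hard gate
        return 0.0
    consensus = e.votes_for / e.votes_total if e.votes_total else 0.0
    age = max(0, current_round - e.round_written)
    decay = 0.5 ** (age / HALF_LIFE_ROUNDS)     # time-based memory decay
    trust = SOURCE_TRUST.get(e.author, 0.0)     # trusted-source weighting
    return consensus * decay * trust

def admit(e: MemoryEntry, current_round: int) -> bool:
    return hybrid_score(e, current_round) >= ADMIT_THRESHOLD
```

With this scoring rule an entry whose content was altered after signing scores zero regardless of votes, while a validly signed entry still drops below the threshold once it is stale or weakly endorsed.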

