scan-v5.json (27844B)
1 { 2 "scan_version": 5, 3 "paper_type": "empirical", 4 "paper": { 5 "title": "Defense Against Prompt Injection Attack by Leveraging Attack Techniques", 6 "authors": [ 7 "Yulin Chen", 8 "Haoran Li", 9 "Zihao Zheng", 10 "Dekai Wu", 11 "Yangqiu Song", 12 "Bryan Hooi" 13 ], 14 "year": 2024, 15 "venue": "Annual Meeting of the Association for Computational Linguistics", 16 "arxiv_id": "2411.00459", 17 "doi": "10.48550/arXiv.2411.00459" 18 }, 19 "checklist": { 20 "claims_and_evidence": { 21 "abstract_claims_supported": { 22 "applies": true, 23 "answer": true, 24 "justification": "The abstract claims that defense methods outperform existing approaches and achieve state-of-the-art results; Tables 1, 2, 4, and 5 consistently show lower ASR for all four proposed methods versus all five training-free baselines across three open-source and two closed-source models.", 25 "source": "haiku" 26 }, 27 "causal_claims_justified": { 28 "applies": true, 29 "answer": true, 30 "justification": "Comparative claims are supported by controlled experiments isolating each defense method against each attack type; the ablation in Figure 3 tests the causal claim that 'stronger attacks yield stronger defenses' across three model families, providing adequate experimental grounding.", 31 "source": "haiku" 32 }, 33 "generalization_bounded": { 34 "applies": true, 35 "answer": false, 36 "justification": "The abstract claims methods 'outperform existing defense approaches' broadly, but experiments cover only 5 training-free baselines (with comparison to just one fine-tuning method in one scenario) on two datasets; multilingual, RAG-pipeline, or agent-tool-use settings are not evaluated and not disclaimed.", 37 "source": "haiku" 38 }, 39 "alternative_explanations_discussed": { 40 "applies": true, 41 "answer": false, 42 "justification": "The paper offers no mechanistic analysis of why inverting attack prompts improves defense; a simpler alternative—that merely repeating the original instruction at the end of the prompt (as Sandwich partially does) explains the gains—is not considered or ruled out.", 43 "source": "haiku" 44 }, 45 "proxy_outcome_distinction": { 46 "applies": true, 47 "answer": true, 48 "justification": "ASR is explicitly defined as detecting whether the answer to the injected instruction appears in the generated response, and utility is separately measured by QA accuracy and SST2 accuracy; the paper clearly distinguishes these two measurement dimensions.", 49 "source": "haiku" 50 } 51 }, 52 "limitations_and_scope": { 53 "limitations_section_present": { 54 "applies": true, 55 "answer": true, 56 "justification": "A dedicated 'Limitations' section appears before the Ethical Consideration section, not merely as a sentence in the conclusion.", 57 "source": "haiku" 58 }, 59 "threats_to_validity_specific": { 60 "applies": true, 61 "answer": true, 62 "justification": "The limitations section specifically names: absence of a long-query benchmark preventing thorough truncation analysis, the decision not to use gradient-based attacks as defenses (citing poor prior performance), and the lack of a mathematical proof for why prompt-engineering defenses work.", 63 "source": "haiku" 64 }, 65 "scope_boundaries_stated": { 66 "applies": true, 67 "answer": false, 68 "justification": "While specific gaps are noted, the paper does not state explicit boundaries such as which model architectures, languages, or deployment scenarios the results do NOT cover; the conclusion asserts broad effectiveness without clarifying scope exclusions.", 69 "source": "haiku" 70 } 71 }, 72 "conflicts_of_interest": { 73 "funding_disclosed": { 74 "applies": true, 75 "answer": true, 76 "justification": "The acknowledgment section discloses that Dr. Haoran Li is a JC STEM Early Career Research Fellow supported by The Hong Kong Jockey Club Charities Trust.", 77 "source": "haiku" 78 }, 79 "affiliations_disclosed": { 80 "applies": true, 81 "answer": true, 82 "justification": "Author affiliations with National University of Singapore, HKUST, and Harbin Institute of Technology Shenzhen are disclosed in the header.", 83 "source": "haiku" 84 }, 85 "funder_independent_of_outcome": { 86 "applies": true, 87 "answer": true, 88 "justification": "The Hong Kong Jockey Club Charities Trust is a charitable organization unrelated to LLM products or prompt injection defense tools; no financial stake in the experimental outcome is apparent.", 89 "source": "haiku" 90 }, 91 "financial_interests_declared": { 92 "applies": true, 93 "answer": false, 94 "justification": "The Ethical Consideration section acknowledges the ACL code of conduct but contains no competing interests or financial interests declaration.", 95 "source": "haiku" 96 } 97 }, 98 "scope_and_framing": { 99 "key_terms_defined": { 100 "applies": true, 101 "answer": true, 102 "justification": "Direct and indirect prompt injection, attack success rate (ASR), the five attack techniques (naive, escape, ignore, fake completion, fake completion with template), and shield prompt are all defined with illustrative figures.", 103 "source": "haiku" 104 }, 105 "intended_contribution_clear": { 106 "applies": true, 107 "answer": true, 108 "justification": "Section 1 explicitly lists three contributions: a novel approach repurposing attack techniques as defenses, four specific defense methods, and empirical demonstration of reduced ASR; the contribution framing is unambiguous.", 109 "source": "haiku" 110 }, 111 "engagement_with_prior_work": { 112 "applies": true, 113 "answer": true, 114 "justification": "Section 2 surveys both attack and defense prior work in detail, explains how existing training-free defenses fail, and directly benchmarks against five contemporary baselines; the paper situates its contribution relative to fine-tuning approaches as well.", 115 "source": "haiku" 116 } 117 } 118 }, 119 "type_checklist": { 120 "empirical": { 121 "artifacts": { 122 "code_released": { 123 "applies": true, 124 "answer": true, 125 "justification": "Footnote 1 states 'Code is publicly available at https://github.com/LukeChen-go/pia-defense-by-attack'; this is a direct release, not a promise.", 126 "source": "haiku" 127 }, 128 "data_released": { 129 "applies": true, 130 "answer": true, 131 "justification": "All three datasets used—AlpacaFarm, the filtered QA dataset from Li et al. (2023b), and SST2—are standard public benchmarks used unmodified.", 132 "source": "haiku" 133 }, 134 "environment_specified": { 135 "applies": true, 136 "answer": false, 137 "justification": "Appendix A.1 states PyTorch 2.1.0 and a single NVIDIA A100 GPU; no requirements.txt, Dockerfile, or full dependency list is provided.", 138 "source": "haiku" 139 }, 140 "reproduction_instructions": { 141 "applies": true, 142 "answer": false, 143 "justification": "Generation hyperparameters are given (do_sample=false, max_new_tokens=256, max_length=8192) but no step-by-step instructions for reproducing the pipeline appear in the paper; the reader must infer procedure from the code repository.", 144 "source": "haiku" 145 } 146 }, 147 "statistical_methodology": { 148 "confidence_intervals_or_error_bars": { 149 "applies": true, 150 "answer": false, 151 "justification": "None of the result tables (Tables 1–12) report confidence intervals or error bars; only point-estimate ASR and accuracy values are given.", 152 "source": "haiku" 153 }, 154 "significance_tests": { 155 "applies": true, 156 "answer": false, 157 "justification": "No statistical significance tests are applied to any comparative claims; improvements over baselines are asserted from raw percentages alone.", 158 "source": "haiku" 159 }, 160 "effect_sizes_reported": { 161 "applies": true, 162 "answer": true, 163 "justification": "Absolute ASR reduction figures (e.g., from 100% to 0.05–0.10% for Fakecom-t in indirect injection) provide interpretable effect sizes relative to both no-defense and baseline-defense conditions.", 164 "source": "haiku" 165 }, 166 "sample_size_justified": { 167 "applies": true, 168 "answer": false, 169 "justification": "208 samples for direct injection and 2,000 for indirect injection are used without any power analysis or justification for why those sizes are sufficient.", 170 "source": "haiku" 171 }, 172 "variance_reported": { 173 "applies": true, 174 "answer": false, 175 "justification": "All results are single-run point estimates; no standard deviation or variance across repeated runs is reported for any experiment.", 176 "source": "haiku" 177 } 178 }, 179 "evaluation_design": { 180 "baselines_included": { 181 "applies": true, 182 "answer": true, 183 "justification": "Five training-free baselines (Sandwich, Instructional, Reminder, Isolation, Spotlight) and a no-defense condition are included in all main experiments.", 184 "source": "haiku" 185 }, 186 "baselines_contemporary": { 187 "applies": true, 188 "answer": true, 189 "justification": "Baselines include Hines et al. (2024) and Yi et al. (2023); the most recently published baselines available at submission time are represented.", 190 "source": "haiku" 191 }, 192 "ablation_study": { 193 "applies": true, 194 "answer": true, 195 "justification": "Section 5.4 contains a structured ablation addressing five specific questions: closed-source generalization, gradient-based attack defense, template-aware attack vulnerability, attack-defense strength correlation, and long-input truncation.", 196 "source": "haiku" 197 }, 198 "multiple_metrics": { 199 "applies": true, 200 "answer": true, 201 "justification": "Both ASR (security metric) and task accuracy on QA and SST2 (utility metric) plus inference time overhead (Table 8) are reported.", 202 "source": "haiku" 203 }, 204 "human_evaluation": { 205 "applies": false, 206 "answer": false, 207 "justification": "Human evaluation is not relevant for automated prompt injection defense benchmarking; all evaluation is automated via string-match ASR detection.", 208 "source": "haiku" 209 }, 210 "held_out_test_set": { 211 "applies": false, 212 "answer": false, 213 "justification": "The defense methods are training-free prompt-engineering techniques with no model training phase; a train/test split is not applicable.", 214 "source": "haiku" 215 }, 216 "per_category_breakdown": { 217 "applies": true, 218 "answer": true, 219 "justification": "Tables 1 and 2 break down ASR by all five attack types (Naive, Ignore, Escape, Fakecom, Combined) across each of three victim models separately.", 220 "source": "haiku" 221 }, 222 "failure_cases_discussed": { 223 "applies": true, 224 "answer": true, 225 "justification": "Section 5.5 shows concrete response examples where attacks succeed without defense and explains mechanistically why some defenses fail (e.g., Ignore defense not always suppressing both instructions).", 226 "source": "haiku" 227 }, 228 "negative_results_reported": { 229 "applies": true, 230 "answer": true, 231 "justification": "The paper reports that Ours-Escape underperforms on Fake completion attacks (ASR 70.19% for Qwen2 in Table 1), that removing retrieved data severely degrades utility (Table 12), and notes one exception to the attack-defense correlation in Figure 3.", 232 "source": "haiku" 233 } 234 }, 235 "setup_transparency": { 236 "model_versions_specified": { 237 "applies": true, 238 "answer": true, 239 "justification": "Exact model names are stated: Llama3-8b-Instruct, Llama3.1-8b-Instruct, Qwen2-7b-Instruct, GPT-3.5-Turbo, and GPT-4o-Latest, each with a citation to the corresponding technical report.", 240 "source": "haiku" 241 }, 242 "prompts_provided": { 243 "applies": true, 244 "answer": true, 245 "justification": "Figures 2 and 4–15 show the complete prompt templates for all four defense methods and all five attack types including system, user, and assistant turn content.", 246 "source": "haiku" 247 }, 248 "hyperparameters_reported": { 249 "applies": true, 250 "answer": true, 251 "justification": "Appendix A.1 reports do_sample=false, max_new_tokens=256, max_length=8192 for generation; these are the key inference hyperparameters.", 252 "source": "haiku" 253 }, 254 "scaffolding_described": { 255 "applies": false, 256 "answer": false, 257 "justification": "The defense methods are purely prompt-engineering based with no agentic scaffolding, tool use, or multi-step agent loops.", 258 "source": "haiku" 259 }, 260 "data_preprocessing_documented": { 261 "applies": true, 262 "answer": false, 263 "justification": "The paper uses a 'filtered QA dataset' from Li et al. (2023b) and 208 samples from AlpacaFarm but does not describe how attacks were injected into these datasets or what filtering criteria were applied beyond citing the source paper.", 264 "source": "haiku" 265 } 266 }, 267 "data_integrity": { 268 "raw_data_available": { 269 "applies": true, 270 "answer": true, 271 "justification": "All evaluation datasets (AlpacaFarm, SST2) are publicly available; the QA dataset is from Li et al. (2023b) which is also publicly available.", 272 "source": "haiku" 273 }, 274 "data_collection_described": { 275 "applies": true, 276 "answer": true, 277 "justification": "Section 5.1 identifies each dataset, its size, and its source paper; the attack injection procedure is described conceptually through the methodology and figures.", 278 "source": "haiku" 279 }, 280 "recruitment_methods_described": { 281 "applies": false, 282 "answer": false, 283 "justification": "No human participants were recruited; all experiments use automated evaluation on standard benchmark datasets.", 284 "source": "haiku" 285 }, 286 "data_pipeline_documented": { 287 "applies": true, 288 "answer": false, 289 "justification": "The paper does not document the pipeline for constructing the attacked versions of datasets (e.g., exactly how malicious prompts were injected into each QA sample), relying on the reader to infer from attack descriptions.", 290 "source": "haiku" 291 } 292 }, 293 "contamination": { 294 "training_cutoff_stated": { 295 "applies": true, 296 "answer": false, 297 "justification": "The paper does not state the training data cutoff for any of the evaluated models (Llama3, Llama3.1, Qwen2, GPT-3.5, GPT-4o), despite using benchmark datasets that may have been available before training.", 298 "source": "haiku" 299 }, 300 "train_test_overlap_discussed": { 301 "applies": true, 302 "answer": false, 303 "justification": "No discussion of whether AlpacaFarm or the QA dataset appeared in the training data of the victim models is present anywhere in the paper.", 304 "source": "haiku" 305 }, 306 "benchmark_contamination_addressed": { 307 "applies": true, 308 "answer": false, 309 "justification": "AlpacaFarm (2024) and SST2 (2013) predate the training cutoffs of models like Llama3 and Qwen2; potential contamination is not acknowledged or addressed.", 310 "source": "haiku" 311 } 312 }, 313 "human_studies": { 314 "pre_registered": { 315 "applies": false, 316 "answer": false, 317 "justification": "No human participants; pre-registration not applicable.", 318 "source": "haiku" 319 }, 320 "irb_or_ethics_approval": { 321 "applies": false, 322 "answer": false, 323 "justification": "No human participants; IRB approval not applicable.", 324 "source": "haiku" 325 }, 326 "demographics_reported": { 327 "applies": false, 328 "answer": false, 329 "justification": "No human participants.", 330 "source": "haiku" 331 }, 332 "inclusion_exclusion_criteria": { 333 "applies": false, 334 "answer": false, 335 "justification": "No human participants.", 336 "source": "haiku" 337 }, 338 "randomization_described": { 339 "applies": false, 340 "answer": false, 341 "justification": "No human participants.", 342 "source": "haiku" 343 }, 344 "blinding_described": { 345 "applies": false, 346 "answer": false, 347 "justification": "No human participants.", 348 "source": "haiku" 349 }, 350 "attrition_reported": { 351 "applies": false, 352 "answer": false, 353 "justification": "No human participants.", 354 "source": "haiku" 355 } 356 }, 357 "cost_and_practicality": { 358 "inference_cost_reported": { 359 "applies": true, 360 "answer": true, 361 "justification": "Table 8 reports inference time in seconds per item for all defense methods across all three victim models; overhead from Fakecom-t is quantified relative to no-defense baseline.", 362 "source": "haiku" 363 }, 364 "compute_budget_stated": { 365 "applies": true, 366 "answer": false, 367 "justification": "Appendix A.1 mentions a single NVIDIA A100 GPU but does not state total GPU-hours or compute budget for the full experimental suite.", 368 "source": "haiku" 369 } 370 } 371 } 372 }, 373 "claims": [ 374 { 375 "claim": "Training-free defense methods derived from attack techniques outperform all existing training-free defense baselines on both direct and indirect prompt injection scenarios", 376 "evidence": "Tables 1 and 2 show lower ASR for all four proposed methods versus Sandwich, Instructional, Reminder, Isolation, and Spotlight across Llama3, Llama3.1, and Qwen2", 377 "supported": "strong" 378 }, 379 { 380 "claim": "The Fake Completion with Template defense (Fakecom-t) reduces ASR to near zero (≤0.10%) for indirect prompt injection attacks", 381 "evidence": "Table 2 shows Ours-Fakecom-t achieving ASR of 0.05–0.10% across all five attack types for indirect injection on Llama3 and Llama3.1", 382 "supported": "strong" 383 }, 384 { 385 "claim": "Stronger attack techniques yield stronger corresponding defense methods when the attack technique is inverted", 386 "evidence": "Figure 3 shows a positive correlation between average attack ASR and corresponding defense effectiveness across three models, with one exception noted for Qwen2/Llama3.1", 387 "supported": "moderate" 388 }, 389 { 390 "claim": "The proposed training-free methods are competitive with fine-tuning-based defenses (StruQ) while offering better generalization to unseen attack types", 391 "evidence": "Table 7 shows Ours-Ignore achieving 0.05–1.35% ASR comparable to StruQ-Ignore's 0.05% on most attacks, but StruQ-Naive fails on Fakecom (35.55%) while Ours-Ignore holds at 0.10%", 392 "supported": "moderate" 393 }, 394 { 395 "claim": "Defense methods do not significantly degrade model utility on downstream tasks", 396 "evidence": "Tables 3 and 11 show QA accuracy and SST2 accuracy within ±2pp of no-defense baseline across all three models and all defense methods", 397 "supported": "strong" 398 }, 399 { 400 "claim": "The proposed methods are effective on closed-source models (GPT-3.5-Turbo, GPT-4o-Latest)", 401 "evidence": "Table 4 shows Ours-Ignore reducing ASR from 50.48% to 3.36% on GPT-3.5 and from 92.78% to 0.90% on GPT-4o for Ignore attacks", 402 "supported": "moderate" 403 } 404 ], 405 "methodology_tags": [ 406 "benchmark-eval", 407 "empirical" 408 ], 409 "key_findings": "The paper demonstrates that prompt injection attack techniques can be directly inverted to create effective training-free defenses: by appending an attack-derived 'shield prompt' followed by the original instruction, the LLM is redirected away from injected instructions. The Fake Completion with Template defense achieves near-zero ASR (≤0.10%) on indirect injection across all tested attack types, outperforming all five training-free baselines and matching or exceeding one fine-tuning approach (StruQ) with better generalization. A positive correlation exists between attack effectiveness and the strength of the corresponding defense method. Defense overhead is minimal: inference time increases by at most 19% for the most complex defense, and task accuracy is preserved within ±2pp.", 410 "red_flags": [ 411 { 412 "flag": "No statistical testing", 413 "detail": "No confidence intervals, error bars, or significance tests are reported for any comparison; improvements over baselines are asserted from single-run point estimates across only 208–2,000 samples." 414 }, 415 { 416 "flag": "Small direct-injection sample", 417 "detail": "Only 208 AlpacaFarm samples are used for direct injection experiments with no power analysis; this limits the reliability of comparisons between methods with similar ASR values." 418 }, 419 { 420 "flag": "No mechanistic explanation", 421 "detail": "The paper does not explain why attack inversion works mechanistically or rule out the simpler hypothesis that appending the original instruction at the end of the prompt (independent of the shield prompt structure) accounts for most of the gain." 422 }, 423 { 424 "flag": "Adversarial adaptation not addressed", 425 "detail": "The paper assumes attackers do not know the defense mechanism; no evaluation considers adaptive attackers who modify their injection knowing the Fakecom-t defense is in use." 426 }, 427 { 428 "flag": "Benchmark contamination unaddressed", 429 "detail": "AlpacaFarm and SST2 predate the training cutoffs of Llama3 and Qwen2; potential data contamination affecting model behavior on these benchmarks is not discussed." 430 }, 431 { 432 "flag": "No variance across runs", 433 "detail": "All results are single point estimates with do_sample=false; reproducibility across different random seeds or hardware is not demonstrated." 434 } 435 ], 436 "cited_papers": [ 437 { 438 "title": "Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection", 439 "relevance": "Foundational indirect prompt injection paper; defines the threat model this defense addresses" 440 }, 441 { 442 "title": "Ignore Previous Prompt: Attack Techniques for Language Models", 443 "relevance": "Introduces the Ignore attack technique that directly inspires one of the four defense methods" 444 }, 445 { 446 "title": "StruQ: Defending Against Prompt Injection with Structured Queries", 447 "relevance": "Fine-tuning-based defense baseline used for direct comparison; provides the evaluation protocol adopted in this paper" 448 }, 449 { 450 "title": "Defending Against Indirect Prompt Injection Attacks with Spotlighting", 451 "relevance": "Training-free defense baseline; one of five methods compared against proposed approaches" 452 }, 453 { 454 "title": "The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions", 455 "relevance": "Fine-tuning-based defense approach contextualizing the trade-off between training cost and effectiveness" 456 }, 457 { 458 "title": "Formalizing and Benchmarking Prompt Injection Attacks and Defenses", 459 "relevance": "Provides the Combined attack baseline evaluated in this paper" 460 }, 461 { 462 "title": "InjecAgent: Benchmarking Indirect Prompt Injections in Tool-Integrated LLM Agents", 463 "relevance": "Contextualizes prompt injection risk in agentic tool-use settings beyond the QA scenario tested here" 464 }, 465 { 466 "title": "Universal and Transferable Adversarial Attacks on Aligned Language Models", 467 "relevance": "GCG gradient-based attack method used as one of the attack baselines in the ablation study" 468 }, 469 { 470 "title": "Evaluating the Instruction-Following Robustness of Large Language Models to Prompt Injection", 471 "relevance": "Source of the filtered QA dataset (2,000 samples) used for indirect injection evaluation" 472 } 473 ], 474 "engagement_factors": { 475 "practical_relevance": { 476 "score": 3, 477 "justification": "Training-free defense methods requiring only prompt modification are immediately deployable in any LLM application without retraining." 478 }, 479 "surprise_contrarian": { 480 "score": 2, 481 "justification": "The core insight—that attack prompts can be directly repurposed as defense prompts—is counterintuitive and not previously explored in the literature." 482 }, 483 "fear_safety": { 484 "score": 2, 485 "justification": "Addresses the OWASP #1 LLM security risk; results showing near-zero ASR with the Fakecom-t defense are reassuring but the unaddressed adaptive attacker concern is concerning." 486 }, 487 "drama_conflict": { 488 "score": 1, 489 "justification": "No significant controversy; the paper straightforwardly proposes and validates a defense approach without challenging established consensus." 490 }, 491 "demo_ability": { 492 "score": 3, 493 "justification": "Code is publicly released and the defense is purely prompt-based—anyone with API access to an LLM can immediately test it with no infrastructure." 494 }, 495 "brand_recognition": { 496 "score": 1, 497 "justification": "Authors from NUS and HKUST are respected academic institutions but not a major AI lab; no famous product or industry partnership is involved." 498 } 499 }, 500 "hn_data": { 501 "threads": [ 502 { 503 "hn_id": "38150915", 504 "title": "The Generative AI Paradox: \"What It Can Create, It May Not Understand\"", 505 "points": 5, 506 "comments": 0, 507 "url": "https://news.ycombinator.com/item?id=38150915", 508 "created_at": "2023-11-05T13:23:46Z" 509 }, 510 { 511 "hn_id": "42487268", 512 "title": "Specification-Driven Code Translation Powered by LLMs: How Far Are We?", 513 "points": 4, 514 "comments": 0, 515 "url": "https://news.ycombinator.com/item?id=42487268", 516 "created_at": "2024-12-22T16:20:09Z" 517 }, 518 { 519 "hn_id": "38146155", 520 "title": "The Generative AI Paradox: \"What It Can Create, It May Not Understand\"", 521 "points": 3, 522 "comments": 1, 523 "url": "https://news.ycombinator.com/item?id=38146155", 524 "created_at": "2023-11-04T23:06:37Z" 525 }, 526 { 527 "hn_id": "43268036", 528 "title": "Evolutionary Multi-Agent Reinforcement Learning in Group Social Dilemmas", 529 "points": 2, 530 "comments": 0, 531 "url": "https://news.ycombinator.com/item?id=43268036", 532 "created_at": "2025-03-05T15:41:54Z" 533 }, 534 { 535 "hn_id": "35719730", 536 "title": "Schrödinger cat states of a 16-microgram mechanical oscillator", 537 "points": 1, 538 "comments": 0, 539 "url": "https://news.ycombinator.com/item?id=35719730", 540 "created_at": "2023-04-26T20:43:33Z" 541 } 542 ], 543 "top_points": 5, 544 "total_points": 15, 545 "total_comments": 1 546 } 547 }