scan.json (32817B)
1 { 2 "paper": { 3 "title": "Injecting Falsehoods: Adversarial Man-in-the-Middle Attacks Undermining Factual Recall in LLMs", 4 "authors": [ 5 "Alina Fastowski", 6 "Bardh Prenkaj", 7 "Yuxiao Li", 8 "Gjergji Kasneci" 9 ], 10 "year": 2025, 11 "venue": "arXiv.org", 12 "arxiv_id": "2511.05919", 13 "doi": "10.48550/arXiv.2511.05919" 14 }, 15 "scan_version": 3, 16 "active_modules": [ 17 "experimental_rigor", 18 "data_leakage" 19 ], 20 "methodology_tags": [ 21 "benchmark-eval" 22 ], 23 "key_findings": "The χmera framework demonstrates that trivial instruction-based MitM attacks (α-χmera, appending \"Respond with a wrong, exact answer only\") achieve the highest attack success rates (up to ~85.3% averaged across datasets for GPT-4o-mini), outperforming more sophisticated fact-aware attacks. Compromised answers exhibit significantly higher uncertainty (entropy, perplexity) than correct answers, enabling Random Forest classifiers trained on uncertainty features to detect attacks with AUC up to ~96%. Smaller models are generally more robust to instruction-based attacks, possibly because they ignore adversarial instructions, while larger instruction-following models like GPT-4o-mini are more susceptible.", 24 "checklist": { 25 "artifacts": { 26 "code_released": { 27 "applies": true, 28 "answer": true, 29 "justification": "A GitHub repository is provided in the abstract: https://github.com/afastowski/llm_attack. The paper states 'Code & Dataset' with this link." 30 }, 31 "data_released": { 32 "applies": true, 33 "answer": true, 34 "justification": "The paper releases a 'Factually Adversarial Dataset' with 3000 samples (1000 per QA dataset) as stated in contributions (item 5) and Section 5.1. The dataset is linked alongside the code repository. The underlying QA datasets (TriviaQA, HotpotQA, Natural Questions) are also publicly available." 35 }, 36 "environment_specified": { 37 "applies": true, 38 "answer": false, 39 "justification": "Appendix A mentions hardware (AMD EPYC 7002/3 64-Core CPU, two NVIDIA TESLA A100 GPUs) but no requirements.txt, Dockerfile, conda environment, or library versions are provided in the paper." 40 }, 41 "reproduction_instructions": { 42 "applies": true, 43 "answer": false, 44 "justification": "No step-by-step reproduction instructions are provided in the paper. The code repository is linked but the paper itself does not contain a 'Reproducing Results' section or specific commands to run." 45 } 46 }, 47 "statistical_methodology": { 48 "confidence_intervals_or_error_bars": { 49 "applies": true, 50 "answer": true, 51 "justification": "Table 1 reports standard errors (±) for all accuracy results across models, datasets, and attack types, computed over 10 runs." 52 }, 53 "significance_tests": { 54 "applies": true, 55 "answer": false, 56 "justification": "No statistical significance tests are performed. The paper compares attack success rates and uncertainty levels across models and attack types, claiming one attack is 'most impactful,' but these comparisons rely solely on point estimates and standard errors without any formal tests (e.g., t-tests, Mann-Whitney U)." 57 }, 58 "effect_sizes_reported": { 59 "applies": true, 60 "answer": true, 61 "justification": "Attack success rates are reported with baseline context (e.g., α-χmera ~59.6% ASR, β ~46.5%, γ ~25.3%). Figure 5 shows absolute differences in uncertainty between correct and incorrect answers. Table 1 provides post-attack accuracies alongside the ASR column, allowing effect size interpretation." 62 }, 63 "sample_size_justified": { 64 "applies": true, 65 "answer": false, 66 "justification": "The paper uses 1000 samples per dataset (3000 total) without justifying why this number was chosen. No power analysis or discussion of sample adequacy is provided." 67 }, 68 "variance_reported": { 69 "applies": true, 70 "answer": true, 71 "justification": "Table 1 reports standard errors over 10 runs for all accuracy measurements. Section 5.2 states: 'We compute the uncertainty scores by averaging the log probabilities of the generated questions in ten different runs.'" 72 } 73 }, 74 "evaluation_design": { 75 "baselines_included": { 76 "applies": true, 77 "answer": true, 78 "justification": "Baseline (unattacked) performance is reported in Figure 4 and Table 2 (w/o χ column). All attack results are compared against these unattacked baselines." 79 }, 80 "baselines_contemporary": { 81 "applies": true, 82 "answer": true, 83 "justification": "The comparison is between attacked vs. unattacked conditions on the same models, which is the natural baseline for attack evaluation. The models tested (GPT-4o, GPT-4o-mini, Mistral-7B-Instruct-v0.3, etc.) are contemporary." 84 }, 85 "ablation_study": { 86 "applies": true, 87 "answer": true, 88 "justification": "The three attack types (α, β, γ) vary systematically in complexity: instruction-based (α), fact-aware with false context (β), and random context injection (γ). This enables understanding which attack mechanism is most effective, serving as an ablation across attack strategies." 89 }, 90 "multiple_metrics": { 91 "applies": true, 92 "answer": true, 93 "justification": "The paper uses accuracy (Table 1), entropy (Eq. 5), perplexity (Eq. 6), token probability (Eq. 7), and AUC-ROC for the defense classifiers (Figure 6). Multiple complementary metrics are used throughout." 94 }, 95 "human_evaluation": { 96 "applies": true, 97 "answer": false, 98 "justification": "All evaluation is automated. Answer correctness is checked via substring matching ('we check if the ground truth answer is part of the model answer'). No human evaluation of model outputs is performed." 99 }, 100 "held_out_test_set": { 101 "applies": true, 102 "answer": true, 103 "justification": "For the Random Forest classifiers, Section 5.2 states: 'Model tuning is performed through 5-fold cross-validation on the training set, with final configurations evaluated on a separate test set.'" 104 }, 105 "per_category_breakdown": { 106 "applies": true, 107 "answer": true, 108 "justification": "Results are broken down by model (5 models), dataset (TriviaQA, HotpotQA, Natural Questions), and attack type (α, β, γ) in Tables 1 and 2. Figure 6 provides per-model ROC curves." 109 }, 110 "failure_cases_discussed": { 111 "applies": true, 112 "answer": true, 113 "justification": "The paper discusses cases where attacks fail, noting that 'χmera attacks can fail. Hence, the victim LLMs can still respond correctly.' Figure 5 explicitly compares uncertainty levels of successful vs. unsuccessful attacks. The paper also discusses GPT-4o-mini's unexpected vulnerability to α-χmera and smaller models' unexpected resistance." 114 }, 115 "negative_results_reported": { 116 "applies": true, 117 "answer": true, 118 "justification": "γ-χmera reports relatively low attack success rates (~16.9-30.1% ASR). The general attack classifier underperforms specific classifiers (AUC ~0.60 vs ~0.96). These negative/weaker results are reported and discussed." 119 } 120 }, 121 "claims_and_evidence": { 122 "abstract_claims_supported": { 123 "applies": true, 124 "answer": true, 125 "justification": "The abstract claims α-χmera achieves 'up to ~85.3%' success rate, which matches GPT-4o-mini's average ASR across three datasets under α-χmera: (80.2+85.1+90.6)/3 ≈ 85.3%. The defense AUC 'up to ~96%' matches Figure 6's α-χmera detection AUCs averaging ~96.4% across models." 126 }, 127 "causal_claims_justified": { 128 "applies": true, 129 "answer": true, 130 "justification": "The core causal claim — that specific prompt perturbations cause accuracy drops — is justified through controlled single-variable manipulation (same questions, same models, different attack conditions). Each attack type is a specific intervention with measurable effect. The design is adequate for these causal claims." 131 }, 132 "generalization_bounded": { 133 "applies": true, 134 "answer": false, 135 "justification": "The title says 'Undermining Factual Recall in LLMs' broadly, and the paper frames results as general LLM vulnerabilities. However, testing is limited to 5 specific models in one setting (closed-book factual QA). The paper does not explicitly state what the results do NOT generalize to — e.g., open-book settings, non-factual tasks, other model families, or production deployments with safety filters." 136 }, 137 "alternative_explanations_discussed": { 138 "applies": true, 139 "answer": false, 140 "justification": "The paper offers one speculative explanation for GPT-4o-mini's high vulnerability to α-χmera ('might be excellent at following instructions') but does not rigorously consider alternatives. No discussion of whether confounds (e.g., model alignment training, safety filtering, prompt formatting effects) could explain the observed patterns." 141 }, 142 "proxy_outcome_distinction": { 143 "applies": true, 144 "answer": true, 145 "justification": "The paper measures answer correctness (substring matching of ground truth in model response) and clearly frames this as measuring factual accuracy under attack. The claims match the granularity of the measurements without overclaiming broader constructs." 146 } 147 }, 148 "setup_transparency": { 149 "model_versions_specified": { 150 "applies": true, 151 "answer": false, 152 "justification": "HuggingFace models are specified as checkpoints (Llama-2-13b-chat-hf, Mistral-7B-Instruct-v0.3, Phi-3.5-mini-instruct). However, OpenAI models are listed only as 'gpt-4o' and 'gpt-4o-mini' without snapshot dates or API versions. Model behavior varies across versions, making these insufficiently specified." 153 }, 154 "prompts_provided": { 155 "applies": true, 156 "answer": false, 157 "justification": "The attack modifications are shown (α: 'Respond with a wrong, exact answer only'; β/γ: context prepended to question). The adversarial dataset construction prompts are in Appendix C. However, the complete prompt template sent to victim LLMs (including any system message, instruction format, or QA framing) is not provided — the reader cannot reconstruct the exact API calls." 158 }, 159 "hyperparameters_reported": { 160 "applies": true, 161 "answer": false, 162 "justification": "Random Forest hyperparameters are reported in Appendix B. Top-k for logprobs is set to 10. However, LLM inference hyperparameters (temperature, top-p, max tokens) are not reported for any of the five victim models, despite significantly affecting output." 163 }, 164 "scaffolding_described": { 165 "applies": false, 166 "answer": false, 167 "justification": "No agentic scaffolding is used. The approach is straightforward prompt-in, response-out for both attacks and victim models." 168 }, 169 "data_preprocessing_documented": { 170 "applies": true, 171 "answer": true, 172 "justification": "Section 5.1 describes: adjusting datasets for closed-book evaluation, constructing adversarial contexts via GPT-4o (detailed in Appendix C), random sampling of 1000 questions per dataset. Section 5.2 describes pre-filtering to correctly answered questions only, and the 10-run averaging procedure with majority vote for answer correctness." 173 } 174 }, 175 "limitations_and_scope": { 176 "limitations_section_present": { 177 "applies": true, 178 "answer": false, 179 "justification": "There is no dedicated limitations or threats-to-validity section. The conclusion mentions future work directions but does not discuss limitations of the current study." 180 }, 181 "threats_to_validity_specific": { 182 "applies": true, 183 "answer": false, 184 "justification": "No specific threats to validity are discussed anywhere in the paper. Issues like the simplicity of α-χmera (which any content filter would catch), the closed-book-only setting, potential benchmark contamination, or the gap between the experimental setup and real MitM deployment scenarios are not addressed." 185 }, 186 "scope_boundaries_stated": { 187 "applies": true, 188 "answer": false, 189 "justification": "The paper does not explicitly state what the results do NOT show. No mention of scope limitations such as: the attacks only test factual QA (not reasoning, coding, etc.), only closed-book settings, only five models, or that real deployments would have safety filters that could block these attacks." 190 } 191 }, 192 "data_integrity": { 193 "raw_data_available": { 194 "applies": true, 195 "answer": false, 196 "justification": "The adversarial input dataset (3000 samples) is released. However, the raw experimental outputs — model responses, per-token uncertainty values across all 10 runs — are not mentioned as available. For OpenAI models, outputs cannot be exactly reproduced, making raw data availability important for verification." 197 }, 198 "data_collection_described": { 199 "applies": true, 200 "answer": true, 201 "justification": "Section 5.1 and Appendix C describe the data collection in detail: 1000 random samples per dataset, GPT-4o used to generate correct contexts and adversarial answers with specific prompts provided, entity-type preservation ensured via two-step construction." 202 }, 203 "recruitment_methods_described": { 204 "applies": false, 205 "answer": false, 206 "justification": "No human participants. Data sources are standard QA benchmarks (TriviaQA, HotpotQA, Natural Questions)." 207 }, 208 "data_pipeline_documented": { 209 "applies": true, 210 "answer": true, 211 "justification": "The pipeline is documented: (1) sample 1000 questions per dataset, (2) construct adversarial contexts via GPT-4o (Appendix C), (3) evaluate baseline accuracy to filter to correctly-answered questions (Figure 4), (4) apply attacks and run 10 times, (5) take majority vote for correctness, (6) compute uncertainty metrics. Effective sample sizes per model can be inferred from Figure 4." 212 } 213 }, 214 "conflicts_of_interest": { 215 "funding_disclosed": { 216 "applies": true, 217 "answer": false, 218 "justification": "No funding sources are mentioned anywhere in the paper. There is no acknowledgments section disclosing grants or sponsors." 219 }, 220 "affiliations_disclosed": { 221 "applies": true, 222 "answer": true, 223 "justification": "All authors are disclosed as affiliated with Technical University of Munich. They evaluate third-party models (OpenAI, Meta, Mistral, Microsoft) without direct affiliation to those companies." 224 }, 225 "funder_independent_of_outcome": { 226 "applies": true, 227 "answer": false, 228 "justification": "Funding is not disclosed, so independence of the funder cannot be assessed." 229 }, 230 "financial_interests_declared": { 231 "applies": true, 232 "answer": false, 233 "justification": "No competing interests or financial interests statement is present in the paper." 234 } 235 }, 236 "contamination": { 237 "training_cutoff_stated": { 238 "applies": true, 239 "answer": false, 240 "justification": "No training data cutoff dates are stated for any of the five models. This is relevant because the QA benchmarks (TriviaQA 2017, HotpotQA 2018, NQ 2019) predate all models and may be in their training data." 241 }, 242 "train_test_overlap_discussed": { 243 "applies": true, 244 "answer": false, 245 "justification": "No discussion of whether the QA benchmark questions or answers appeared in the models' training data. The baseline accuracies (e.g., GPT-4o at 79% on TriviaQA) could be inflated by memorization rather than genuine factual knowledge." 246 }, 247 "benchmark_contamination_addressed": { 248 "applies": true, 249 "answer": false, 250 "justification": "All three benchmarks (TriviaQA 2017, HotpotQA 2018, Natural Questions 2019) were published well before the training cutoffs of all evaluated models. The paper does not address the substantial contamination risk. This is especially problematic because the study claims to test 'factual recall' — if answers are memorized from training data rather than recalled from learned knowledge, the attack dynamics could differ." 251 } 252 }, 253 "human_studies": { 254 "pre_registered": { 255 "applies": false, 256 "answer": false, 257 "justification": "No human participants in this study." 258 }, 259 "irb_or_ethics_approval": { 260 "applies": false, 261 "answer": false, 262 "justification": "No human participants in this study." 263 }, 264 "demographics_reported": { 265 "applies": false, 266 "answer": false, 267 "justification": "No human participants in this study." 268 }, 269 "inclusion_exclusion_criteria": { 270 "applies": false, 271 "answer": false, 272 "justification": "No human participants in this study." 273 }, 274 "randomization_described": { 275 "applies": false, 276 "answer": false, 277 "justification": "No human participants in this study." 278 }, 279 "blinding_described": { 280 "applies": false, 281 "answer": false, 282 "justification": "No human participants in this study." 283 }, 284 "attrition_reported": { 285 "applies": false, 286 "answer": false, 287 "justification": "No human participants in this study." 288 } 289 }, 290 "cost_and_practicality": { 291 "inference_cost_reported": { 292 "applies": true, 293 "answer": false, 294 "justification": "No inference costs, API spend, or per-query latency is reported. The study involves 5 models × 3 datasets × 4 conditions × 10 runs, requiring substantial API usage for GPT-4o and GPT-4o-mini, plus GPU compute for open-source models, but costs are not quantified." 295 }, 296 "compute_budget_stated": { 297 "applies": true, 298 "answer": false, 299 "justification": "Appendix A mentions hardware (AMD EPYC CPU, 2x NVIDIA A100 GPUs) and that OpenAI experiments were done via API, but total GPU hours, API spend, and wall-clock time are not reported." 300 } 301 }, 302 "experimental_rigor": { 303 "seed_sensitivity_reported": { 304 "applies": true, 305 "answer": true, 306 "justification": "Results are reported across 10 runs with standard errors in Table 1. This captures run-to-run variation from stochastic model outputs." 307 }, 308 "number_of_runs_stated": { 309 "applies": true, 310 "answer": true, 311 "justification": "Section 5.2 explicitly states: 'We compute the uncertainty scores by averaging the log probabilities of the generated questions in ten different runs.' Table 1 confirms '10 runs.'" 312 }, 313 "hyperparameter_search_budget": { 314 "applies": true, 315 "answer": true, 316 "justification": "Appendix B provides the full GridSearch space for the Random Forest classifiers (Table 3) and final optimized values (Table 4). The LLM evaluation uses models as-is without hyperparameter tuning." 317 }, 318 "best_config_selection_justified": { 319 "applies": true, 320 "answer": true, 321 "justification": "Section 5.2 states classifiers are optimized via 'GridSearch' with '5-fold cross-validation on the training set, with final configurations evaluated on a separate test set.' Appendix B reports the final hyperparameters." 322 }, 323 "multiple_comparison_correction": { 324 "applies": true, 325 "answer": false, 326 "justification": "The paper makes many comparisons (5 models × 3 datasets × 3 attacks = 45 conditions) without any correction for multiple comparisons. No Bonferroni, Holm, or other family-wise error rate corrections are applied." 327 }, 328 "self_comparison_bias_addressed": { 329 "applies": true, 330 "answer": false, 331 "justification": "The authors evaluate their own attack framework (χmera) and defense mechanism without acknowledging author-evaluation bias. No independent evaluation is mentioned." 332 }, 333 "compute_budget_vs_performance": { 334 "applies": false, 335 "answer": false, 336 "justification": "Compute differences between the three attack types are negligible (different text prepended/appended to the same queries). The study does not compare methods at different compute levels." 337 }, 338 "benchmark_construct_validity": { 339 "applies": true, 340 "answer": false, 341 "justification": "The paper uses TriviaQA, HotpotQA, and Natural Questions as proxies for 'LLM factual memory' and 'factual recall' but does not discuss whether these QA benchmarks actually measure the construct they claim to test. Questions about whether correct QA responses reflect genuine knowledge vs. memorization are not addressed." 342 }, 343 "scaffold_confound_addressed": { 344 "applies": false, 345 "answer": false, 346 "justification": "No scaffolding is involved. The evaluation is direct prompt-in, response-out." 347 } 348 }, 349 "data_leakage": { 350 "temporal_leakage_addressed": { 351 "applies": true, 352 "answer": false, 353 "justification": "All three benchmarks (TriviaQA 2017, HotpotQA 2018, NQ 2019) predate the training of all evaluated models. Models may have seen the exact question-answer pairs during training. This is not discussed." 354 }, 355 "feature_leakage_addressed": { 356 "applies": true, 357 "answer": false, 358 "justification": "Not discussed. In β-χmera, the injected false context contains a specific entity that often becomes the model's wrong answer, which could be considered a form of answer steering beyond the intended 'attack' — this confound is not analyzed." 359 }, 360 "non_independence_addressed": { 361 "applies": true, 362 "answer": false, 363 "justification": "No discussion of whether samples within or across the three datasets share structural similarities (e.g., overlapping questions, common entities, or duplicate formulations)." 364 }, 365 "leakage_detection_method": { 366 "applies": true, 367 "answer": false, 368 "justification": "No leakage detection or prevention method is used. No canary strings, membership inference, n-gram overlap analysis, or decontamination is performed despite substantial contamination risk." 369 } 370 } 371 }, 372 "claims": [ 373 { 374 "claim": "Trivial instruction-based attacks (α-χmera) achieve the highest attack success rate, up to ~85.3% for GPT-4o-mini across three QA datasets.", 375 "evidence": "Table 1 shows GPT-4o-mini's post-attack accuracies under α-χmera: 19.8% (TriviaQA), 14.9% (HotpotQA), 9.4% (NQ), corresponding to ASRs of ~80.2%, ~85.1%, ~90.6%, averaging ~85.3%. Average ASR across all models: ~59.6% for α vs ~46.5% for β and ~25.3% for γ.", 376 "supported": "strong" 377 }, 378 { 379 "claim": "Compromised (incorrectly answered) responses exhibit significantly higher uncertainty levels than correct responses under the same attack conditions.", 380 "evidence": "Figure 5 shows absolute differences in entropy, perplexity, and token probability between correct and incorrect answers across all models and attacks. Table 2 shows α-χmera consistently produces the highest uncertainty, e.g., entropy jumps from 0.09 to 0.88 for GPT-4o on TriviaQA.", 381 "supported": "strong" 382 }, 383 { 384 "claim": "Random Forest classifiers trained on uncertainty metrics can detect specific attacks with average AUC up to ~96%.", 385 "evidence": "Figure 6 shows ROC curves: α-χmera detection AUCs of 0.98 (GPT-4o), 0.95 (GPT-4o-mini), 0.97 (Mistral-7B), 0.98 (LLaMA-2-13B), 0.94 (Phi-3.5-mini), averaging ~96.4%. β and γ classifiers average ~87% and ~88% respectively.", 386 "supported": "strong" 387 }, 388 { 389 "claim": "Attack impact depends on model size, with larger models generally achieving higher baseline accuracy but also being more susceptible to certain attacks.", 390 "evidence": "Table 1 and Figure 4. GPT-4o-mini, despite being larger than open-source models, shows extreme vulnerability to α-χmera (9.4% accuracy on NQ). The paper argues this reflects instruction-following capability being exploited.", 391 "supported": "moderate" 392 }, 393 { 394 "claim": "Instruction-following capability makes models more prone to MitM attacks.", 395 "evidence": "Section 5.2 speculates that GPT-4o-mini 'might be excellent at following instructions' based on its vulnerability to α-χmera. However, this is not rigorously tested — no measure of instruction-following capability is used, and the explanation is post-hoc.", 396 "supported": "weak" 397 } 398 ], 399 "red_flags": [ 400 { 401 "flag": "No limitations section", 402 "detail": "The paper has no dedicated limitations or threats-to-validity section. Significant design limitations — such as the closed-book-only setting, the simplicity of the attacks, and the gap between the experimental setup and realistic deployment scenarios with safety filters — are not discussed." 403 }, 404 { 405 "flag": "Unaddressed benchmark contamination", 406 "detail": "All three QA benchmarks (TriviaQA 2017, HotpotQA 2018, Natural Questions 2019) predate the training of all five evaluated models by several years. The models may have memorized the answers. This is especially problematic for a paper claiming to test 'factual recall' — memorized vs. genuinely recalled answers may respond differently to adversarial perturbation." 407 }, 408 { 409 "flag": "Ecological validity of α-χmera", 410 "detail": "The most successful attack (α-χmera) simply appends 'Respond with a wrong, exact answer only' to the query. In any real deployment, this would be trivially detectable by basic input content filtering or output monitoring. The paper's threat model section acknowledges realistic deployment settings but does not discuss why such trivial manipulation would evade existing safeguards." 411 }, 412 { 413 "flag": "No significance tests despite many comparisons", 414 "detail": "The paper draws conclusions about which attacks are most effective and which models are most vulnerable across 45+ conditions (5 models × 3 datasets × 3 attacks) without performing any statistical significance tests or corrections for multiple comparisons." 415 }, 416 { 417 "flag": "Missing LLM inference parameters", 418 "detail": "Temperature, top-p, and max tokens are not reported for any of the five models. These parameters significantly affect output variability and uncertainty metrics, which are central to both the attack evaluation and the defense mechanism." 419 } 420 ], 421 "cited_papers": [ 422 { 423 "title": "Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection", 424 "authors": ["S. Abdelnabi", "K. Greshake", "S. Mishra", "C. Endres", "T. Holz", "M. Fritz"], 425 "year": 2023, 426 "relevance": "Foundational work on indirect prompt injection attacks against LLM-integrated applications, directly relevant to LLM security evaluation." 427 }, 428 { 429 "title": "INSIDE: LLMs' Internal States Retain the Power of Hallucination Detection", 430 "authors": ["C. Chen", "K. Liu", "Z. Chen", "Y. Gu", "Y. Wu", "M. Tao", "Z. Fu", "J. Ye"], 431 "year": 2024, 432 "arxiv_id": "2402.03744", 433 "relevance": "Uses LLM internal states for hallucination detection, related to uncertainty-based defense mechanisms for LLM outputs." 434 }, 435 { 436 "title": "TrojanRAG: Retrieval-Augmented Generation Can Be Backdoor Driver in Large Language Models", 437 "authors": ["P. Cheng", "Y. Ding", "T. Ju", "Z. Wu", "W. Du", "P. Yi", "Z. Zhang", "G. Liu"], 438 "year": 2024, 439 "arxiv_id": "2405.13401", 440 "relevance": "Demonstrates backdoor attacks on RAG systems, closely related to adversarial manipulation of LLM inputs." 441 }, 442 { 443 "title": "An LLM can Fool Itself: A Prompt-Based Adversarial Attack", 444 "authors": ["X. Xu", "K. Kong", "N. Liu", "L. Cui", "D. Wang", "J. Zhang", "M. S. Kankanhalli"], 445 "year": 2024, 446 "relevance": "Prompt-based adversarial attacks on LLMs demonstrated at ICLR 2024, directly relevant to understanding LLM vulnerability to input manipulation." 447 }, 448 { 449 "title": "Machine Against the RAG: Jamming Retrieval-Augmented Generation with Blocker Documents", 450 "authors": ["A. Shafran", "R. Schuster", "V. Shmatikov"], 451 "year": 2024, 452 "arxiv_id": "2406.05870", 453 "relevance": "Adversarial attacks specifically targeting RAG pipelines, relevant to understanding MitM-style attacks in LLM information retrieval." 454 }, 455 { 456 "title": "On the Vulnerability of Applying Retrieval-Augmented Generation within Knowledge-Intensive Application Domains", 457 "authors": ["X. Xian", "G. Wang", "X. Bi", "J. Srinivasa", "A. Kundu", "C. Fleming", "M. Hong", "J. Ding"], 458 "year": 2024, 459 "arxiv_id": "2409.17275", 460 "relevance": "Assesses RAG vulnerabilities in knowledge-intensive domains, relevant to evaluating robustness of LLM-based information systems." 461 }, 462 { 463 "title": "A New Era in LLM Security: Exploring Security Concerns in Real-World LLM-based Systems", 464 "authors": ["F. Wu", "N. Zhang", "S. Jha", "P. D. McDaniel", "C. Xiao"], 465 "year": 2024, 466 "arxiv_id": "2402.18649", 467 "relevance": "Comprehensive survey of security concerns in deployed LLM systems, directly relevant to understanding real-world LLM attack surfaces." 468 }, 469 { 470 "title": "Language models as knowledge bases?", 471 "authors": ["F. Petroni", "T. Rocktäschel", "P. Lewis", "A. Bakhtin", "Y. Wu", "A. H. Miller", "S. Riedel"], 472 "year": 2019, 473 "arxiv_id": "1909.01066", 474 "relevance": "Foundational work on probing LLMs' factual knowledge, directly relevant to understanding what factual recall means in language models." 475 }, 476 { 477 "title": "How Can We Know When Language Models Know? On the Calibration of Language Models for Question Answering", 478 "authors": ["Z. Jiang", "J. Araki", "H. Ding", "G. Neubig"], 479 "year": 2021, 480 "relevance": "Studies calibration of LLM confidence in QA settings, directly relevant to the uncertainty-based defense mechanism proposed in this paper." 481 }, 482 { 483 "title": "Is My Data in Your Retrieval Database? Membership Inference Attacks Against Retrieval Augmented Generation", 484 "authors": ["M. Anderson", "G. Amit", "A. Goldsteen"], 485 "year": 2024, 486 "arxiv_id": "2405.20446", 487 "relevance": "Privacy attacks against RAG systems, relevant to understanding the broader attack surface of LLM-based retrieval systems." 488 }, 489 { 490 "title": "Benchmarking large language models in retrieval-augmented generation", 491 "authors": ["J. Chen", "H. Lin", "X. Han", "L. Sun"], 492 "year": 2024, 493 "relevance": "Benchmarking LLMs in RAG settings, relevant to evaluation methodology for LLM information retrieval capabilities." 494 } 495 ], 496 "engagement_factors": { 497 "practical_relevance": { 498 "score": 2, 499 "justification": "Practitioners building LLM-based chatbots and QA systems should understand MitM vulnerabilities; the uncertainty-based detection approach is a usable defense concept." 500 }, 501 "surprise_contrarian": { 502 "score": 1, 503 "justification": "The finding that the simplest attack (appending 'respond wrong') is most effective is mildly surprising, but LLM vulnerability to prompt manipulation is well-established." 504 }, 505 "fear_safety": { 506 "score": 2, 507 "justification": "Demonstrates that LLMs used for factual QA can be manipulated to give wrong answers at high rates (~85%), raising concerns about information integrity in deployed systems." 508 }, 509 "drama_conflict": { 510 "score": 1, 511 "justification": "Highlights vulnerability of popular commercial models (GPT-4o) but doesn't create major controversy or challenge any specific company's claims." 512 }, 513 "demo_ability": { 514 "score": 2, 515 "justification": "Code and dataset released on GitHub; the attacks are simple enough that anyone with API access could replicate them immediately." 516 }, 517 "brand_recognition": { 518 "score": 1, 519 "justification": "From Technical University of Munich, a respected institution but not a headline AI lab. Tests GPT-4o which adds some name recognition." 520 } 521 } 522 }