ai-research-survey

Systematic scan of agentic development research. What's signal, what's noise.

scan.json (20877B)


      1 {
      2   "paper": {
      3     "title": "A Survey on Large Language Model (LLM) Security and Privacy: The Good, the Bad, and the Ugly",
      4     "authors": ["Yifan Yao", "Jinhao Duan", "Kaidi Xu", "Yuanfang Cai", "Zhibo Sun", "Yue Zhang"],
      5     "year": 2023,
      6     "venue": "High-Confidence Computing",
      7     "arxiv_id": "2312.02003",
      8     "doi": "10.1016/j.hcc.2024.100211"
      9   },
     10   "scan_version": 2,
     11   "active_modules": ["survey_methodology"],
     12   "methodology_tags": ["meta-analysis"],
     13   "key_findings": "This survey of 281 papers categorizes LLM security/privacy research into beneficial applications ('the good', 83 papers), offensive uses ('the bad', 54 papers), and LLM vulnerabilities/defenses ('the ugly', 144 papers). The authors find that LLMs contribute more positively than negatively to cybersecurity, with 17/25 papers concluding LLM-based methods outperform traditional approaches for code security. User-level attacks are the most prevalent offensive application (33 papers), attributed to LLMs' human-like reasoning. Model extraction and parameter extraction attacks remain limited and primarily theoretical.",
     14   "checklist": {
     15     "artifacts": {
     16       "code_released": {
     17         "applies": true,
     18         "answer": false,
     19         "justification": "No repository URL or code release mentioned. A survey could release its paper collection pipeline or analysis scripts."
     20       },
     21       "data_released": {
     22         "applies": true,
     23         "answer": false,
     24         "justification": "No dataset of the 281 collected papers or their metadata is released. The paper lists papers in tables but does not provide a structured, downloadable dataset."
     25       },
     26       "environment_specified": {
     27         "applies": false,
     28         "answer": false,
     29         "justification": "This is a literature survey with no computational experiments requiring environment specification."
     30       },
     31       "reproduction_instructions": {
     32         "applies": true,
     33         "answer": false,
     34         "justification": "No instructions provided for reproducing the literature search or paper collection process."
     35       }
     36     },
     37     "statistical_methodology": {
     38       "confidence_intervals_or_error_bars": {
     39         "applies": false,
     40         "answer": false,
     41         "justification": "This is a literature survey that does not run experiments or perform statistical aggregation."
     42       },
     43       "significance_tests": {
     44         "applies": false,
     45         "answer": false,
     46         "justification": "No statistical tests are applicable to this narrative literature review."
     47       },
     48       "effect_sizes_reported": {
     49         "applies": false,
     50         "answer": false,
     51         "justification": "No quantitative meta-analysis is performed; the survey is narrative."
     52       },
     53       "sample_size_justified": {
     54         "applies": false,
     55         "answer": false,
     56         "justification": "No experiments conducted; paper counts (281) are reported but not as statistical samples."
     57       },
     58       "variance_reported": {
     59         "applies": false,
     60         "answer": false,
     61         "justification": "No experiments with multiple runs; this is a literature survey."
     62       }
     63     },
     64     "evaluation_design": {
     65       "baselines_included": {
     66         "applies": true,
     67         "answer": false,
     68         "justification": "The paper does not compare its survey against prior surveys in a structured way. §8 (Related Work) discusses other surveys but only narratively, not with a systematic comparison of coverage or methodology."
     69       },
     70       "baselines_contemporary": {
     71         "applies": true,
     72         "answer": true,
     73         "justification": "The related work section (§8) discusses contemporary surveys from 2023 on LLM security, including works by Caven, Al-Hawawreh, Gupta, Schwinn, and others."
     74       },
     75       "ablation_study": {
     76         "applies": false,
     77         "answer": false,
     78         "justification": "No system with components to ablate; this is a survey."
     79       },
     80       "multiple_metrics": {
     81         "applies": false,
     82         "answer": false,
     83         "justification": "No evaluation metrics are applicable to this narrative literature survey."
     84       },
     85       "human_evaluation": {
     86         "applies": false,
     87         "answer": false,
     88         "justification": "No system outputs to evaluate; this is a survey paper."
     89       },
     90       "held_out_test_set": {
     91         "applies": false,
     92         "answer": false,
     93         "justification": "No experiments requiring train/test splits."
     94       },
     95       "per_category_breakdown": {
     96         "applies": true,
     97         "answer": true,
     98         "justification": "Papers are broken down into Good (83), Bad (54), and Ugly (144), with further sub-categorization (e.g., hardware/OS/software/network/user-level attacks in §5, attack types in §6)."
     99       },
    100       "failure_cases_discussed": {
    101         "applies": true,
    102         "answer": true,
    103         "justification": "The paper discusses cases where LLM-based methods did NOT outperform SOTA (4/25 papers in Table 2), and limitations of LLMs for various attacks (e.g., model extraction remaining theoretical, Finding V)."
    104       },
    105       "negative_results_reported": {
    106         "applies": true,
    107         "answer": true,
    108         "justification": "Papers with negative findings are reported: Cheshkov et al. found ChatGPT performed 'no better than a dummy classifier' for vulnerability detection; Moumita et al. found higher false positives/negatives (Table 2)."
    109       }
    110     },
    111     "claims_and_evidence": {
    112       "abstract_claims_supported": {
    113         "applies": true,
    114         "answer": true,
    115         "justification": "Abstract claims about LLMs enhancing code security and data privacy, user-level attacks being most prevalent, and model extraction being limited are all supported by the categorized findings in §4-§6."
    116       },
    117       "causal_claims_justified": {
    118         "applies": false,
    119         "answer": false,
    120         "justification": "The paper makes no causal claims; it categorizes and summarizes existing literature."
    121       },
    122       "generalization_bounded": {
    123         "applies": true,
    124         "answer": false,
    125         "justification": "The paper makes broad claims like 'LLMs contribute more positively than negatively to security' (Finding I) based on paper counts (83 good vs 54 bad), without bounding this to its search scope or acknowledging that paper counts don't measure impact magnitude."
    126       },
    127       "alternative_explanations_discussed": {
    128         "applies": false,
    129         "answer": false,
    130         "justification": "This is a pure survey/taxonomy paper presenting no empirical results of its own."
    131       },
    132       "proxy_outcome_distinction": {
    133         "applies": true,
    134         "answer": false,
    135         "justification": "The paper uses paper counts as a proxy for the relative 'positive vs negative' impact of LLMs on security (Finding I: 83 good vs 54 bad), without acknowledging that the number of papers in a category does not measure actual impact or harm."
    136       }
    137     },
    138     "setup_transparency": {
    139       "model_versions_specified": {
    140         "applies": false,
    141         "answer": false,
    142         "justification": "No models are used in experiments; this is a survey."
    143       },
    144       "prompts_provided": {
    145         "applies": false,
    146         "answer": false,
    147         "justification": "No prompting is used; this is a survey."
    148       },
    149       "hyperparameters_reported": {
    150         "applies": false,
    151         "answer": false,
    152         "justification": "No experiments with hyperparameters; this is a survey."
    153       },
    154       "scaffolding_described": {
    155         "applies": false,
    156         "answer": false,
    157         "justification": "No agentic scaffolding used; this is a survey."
    158       },
    159       "data_preprocessing_documented": {
    160         "applies": true,
    161         "answer": false,
    162         "justification": "The paper states it 'conducted a search on Google Scholar and compiled papers related to security and privacy involving LLMs' (§3.2) but does not document search queries, date ranges, inclusion/exclusion criteria, or filtering stages with counts."
    163       }
    164     },
    165     "limitations_and_scope": {
    166       "limitations_section_present": {
    167         "applies": true,
    168         "answer": false,
    169         "justification": "No dedicated limitations section. The paper has a Discussion (§7) and Future Directions (§7.2), but no explicit limitations or threats-to-validity section."
    170       },
    171       "threats_to_validity_specific": {
    172         "applies": true,
    173         "answer": false,
    174         "justification": "No threats to validity are discussed. The paper does not acknowledge potential biases in its literature search or categorization methodology."
    175       },
    176       "scope_boundaries_stated": {
    177         "applies": true,
    178         "answer": true,
    179         "justification": "§3.1 explicitly states: 'our primary focus remains steadfastly on matters of security and privacy' and acknowledges that 'LLMs wield multifaceted applications extending beyond security considerations (e.g., social and financial impacts)' which are excluded."
    180       }
    181     },
    182     "data_integrity": {
    183       "raw_data_available": {
    184         "applies": true,
    185         "answer": false,
    186         "justification": "The full list of 281 papers and their categorizations is not available as downloadable data. Papers are referenced in-text and tables but not provided as a structured dataset."
    187       },
    188       "data_collection_described": {
    189         "applies": true,
    190         "answer": false,
    191         "justification": "The paper says 'we conducted a search on Google Scholar' (§3.2) but provides no details on search terms, date ranges, or how many results were initially retrieved."
    192       },
    193       "recruitment_methods_described": {
    194         "applies": false,
    195         "answer": false,
    196         "justification": "No human participants; data source is published papers from Google Scholar."
    197       },
    198       "data_pipeline_documented": {
    199         "applies": true,
    200         "answer": false,
    201         "justification": "No documentation of how the 281 papers were filtered from initial search results. The categorization into good/bad/ugly is described conceptually but the pipeline from search to final corpus is not documented."
    202       }
    203     },
    204     "conflicts_of_interest": {
    205       "funding_disclosed": {
    206         "applies": true,
    207         "answer": true,
    208         "justification": "Acknowledgement section states: 'This research was supported partly by the NSF award FMitF-2319242.'"
    209       },
    210       "affiliations_disclosed": {
    211         "applies": true,
    212         "answer": true,
    213         "justification": "All authors are affiliated with Drexel University, clearly stated in the author block."
    214       },
    215       "funder_independent_of_outcome": {
    216         "applies": true,
    217         "answer": true,
    218         "justification": "NSF is an independent government funding agency with no financial stake in the survey's conclusions about LLM security."
    219       },
    220       "financial_interests_declared": {
    221         "applies": true,
    222         "answer": false,
    223         "justification": "No competing interests statement is present in the paper."
    224       }
    225     },
    226     "contamination": {
    227       "training_cutoff_stated": {
    228         "applies": false,
    229         "answer": false,
    230         "justification": "This is a survey paper that does not evaluate any pre-trained model on benchmarks."
    231       },
    232       "train_test_overlap_discussed": {
    233         "applies": false,
    234         "answer": false,
    235         "justification": "This is a survey paper that does not evaluate any pre-trained model on benchmarks."
    236       },
    237       "benchmark_contamination_addressed": {
    238         "applies": false,
    239         "answer": false,
    240         "justification": "This is a survey paper that does not evaluate any pre-trained model on benchmarks."
    241       }
    242     },
    243     "human_studies": {
    244       "pre_registered": {
    245         "applies": false,
    246         "answer": false,
    247         "justification": "No human participants in this survey."
    248       },
    249       "irb_or_ethics_approval": {
    250         "applies": false,
    251         "answer": false,
    252         "justification": "No human participants in this survey."
    253       },
    254       "demographics_reported": {
    255         "applies": false,
    256         "answer": false,
    257         "justification": "No human participants in this survey."
    258       },
    259       "inclusion_exclusion_criteria": {
    260         "applies": false,
    261         "answer": false,
    262         "justification": "No human participants in this survey."
    263       },
    264       "randomization_described": {
    265         "applies": false,
    266         "answer": false,
    267         "justification": "No human participants in this survey."
    268       },
    269       "blinding_described": {
    270         "applies": false,
    271         "answer": false,
    272         "justification": "No human participants in this survey."
    273       },
    274       "attrition_reported": {
    275         "applies": false,
    276         "answer": false,
    277         "justification": "No human participants in this survey."
    278       }
    279     },
    280     "cost_and_practicality": {
    281       "inference_cost_reported": {
    282         "applies": false,
    283         "answer": false,
    284         "justification": "Survey paper with no computational method of its own."
    285       },
    286       "compute_budget_stated": {
    287         "applies": false,
    288         "answer": false,
    289         "justification": "Survey paper with no computational experiments."
    290       }
    291     },
    292     "survey_methodology": {
    293       "prisma_or_structured_protocol": {
    294         "applies": true,
    295         "answer": false,
    296         "justification": "No PRISMA diagram, no structured review protocol, no reproducible search queries. The paper states only that it 'conducted a search on Google Scholar' without specifying search terms, inclusion criteria, or screening stages."
    297       },
    298       "quality_assessment_of_sources": {
    299         "applies": true,
    300         "answer": false,
    301         "justification": "The survey treats all 281 papers equally regardless of methodological quality. No quality scoring rubric or risk-of-bias assessment is applied to included studies."
    302       },
    303       "publication_bias_discussed": {
    304         "applies": true,
    305         "answer": false,
    306         "justification": "No discussion of publication bias. The survey does not consider whether its sources are biased toward positive results or whether negative-result studies are underrepresented."
    307       }
    308     }
    309   },
    310   "claims": [
    311     {
    312       "claim": "LLMs contribute more positively than negatively to the security community (83 'good' papers vs 54 'bad' papers).",
    313       "evidence": "Paper counts in §3.2 and Finding I. 83 papers on beneficial applications vs 54 on offensive applications.",
    314       "supported": "weak"
    315     },
    316     {
    317       "claim": "17 out of 25 researchers concluded that LLM-based methods outperform traditional approaches for code security.",
    318       "evidence": "Table 2 and Finding II (§4.1). Tabulated comparison of papers with SOTA comparison results.",
    319       "supported": "moderate"
    320     },
    321     {
    322       "claim": "User-level attacks are the most prevalent LLM-enabled attack category with 33 papers.",
    323       "evidence": "Figure 3 and Finding IV (§5). Paper counts across hardware/OS/software/network/user attack levels.",
    324       "supported": "moderate"
    325     },
    326     {
    327       "claim": "Model extraction, parameter extraction, and similar attacks remain primarily theoretical with limited practical exploration.",
    328       "evidence": "Finding V (§6.1.1). Discussion of limited research on extraction attacks and barriers due to LLM scale and confidentiality.",
    329       "supported": "moderate"
    330     },
    331     {
    332       "claim": "ChatGPT is the predominant LLM extensively employed in diverse security applications.",
    333       "evidence": "Finding III, Tables 2 and 3 showing ChatGPT as the most frequently used model across reviewed papers.",
    334       "supported": "moderate"
    335     }
    336   ],
    337   "red_flags": [
    338     {
    339       "flag": "No structured review methodology",
    340       "detail": "The survey says it 'conducted a search on Google Scholar' but provides no search terms, date ranges, inclusion/exclusion criteria, or PRISMA-style flow. The 281-paper corpus cannot be independently verified or reproduced."
    341     },
    342     {
    343       "flag": "Paper counts used as proxy for impact",
    344       "detail": "Finding I concludes 'LLMs contribute more positively than negatively' based solely on counting 83 'good' vs 54 'bad' papers. Paper counts do not measure the magnitude of impact — one successful malware campaign could outweigh dozens of incremental security improvements."
    345     },
    346     {
    347       "flag": "No quality assessment of included papers",
    348       "detail": "All 281 papers are treated equally regardless of venue, methodology, or rigor. A preprint describing a theoretical attack receives the same weight as a peer-reviewed empirical study published at IEEE S&P."
    349     },
    350     {
    351       "flag": "No limitations section",
    352       "detail": "The paper has no dedicated limitations or threats-to-validity section, despite being a survey with significant methodological choices (search strategy, categorization scheme) that could affect conclusions."
    353     }
    354   ],
    355   "cited_papers": [
    356     {
    357       "title": "Lost at C: A User Study on the Security Implications of Large Language Model Code Assistants",
    358       "authors": ["G. Sandoval", "H. Pearce", "T. Nys", "R. Karri", "S. Garg", "B. Dolan-Gavitt"],
    359       "year": 2023,
    360       "arxiv_id": "2208.09727",
    361       "relevance": "User study (58 participants) measuring security implications of LLM code assistants, directly relevant to AI-assisted coding safety."
    362     },
    363     {
    364       "title": "Large Language Models for Code: Security Hardening and Adversarial Testing",
    365       "authors": ["J. He", "M. Vechev"],
    366       "year": 2023,
    367       "relevance": "Proposes SVEN for controlling LLMs to generate secure code via continuous prompts, relevant to LLM code generation quality."
    368     },
    369     {
    370       "title": "Examining Zero-Shot Vulnerability Repair with Large Language Models",
    371       "authors": ["H. Pearce", "B. Tan", "B. Ahmad", "R. Karri", "B. Dolan-Gavitt"],
    372       "year": 2023,
    373       "relevance": "Evaluates LLMs for zero-shot vulnerability repair across synthetic and real-world scenarios at IEEE S&P 2023."
    374     },
    375     {
    376       "title": "Universal Fuzzing via Large Language Models",
    377       "authors": ["C. S. Xia", "M. Paltenghi", "J. L. Tian", "M. Pradel", "L. Zhang"],
    378       "year": 2023,
    379       "arxiv_id": "2308.04748",
    380       "relevance": "Fuzz4All: uses LLMs for input generation and mutation in fuzzing, relevant to LLM-assisted testing."
    381     },
    382     {
    383       "title": "PentestGPT: An LLM-Empowered Automatic Penetration Testing Tool",
    384       "authors": ["G. Deng", "Y. Liu", "V. Mayoral-Vilches"],
    385       "year": 2023,
    386       "arxiv_id": "2308.06782",
    387       "relevance": "Automated penetration testing using LLM domain knowledge, relevant to agentic AI security applications."
    388     },
    389     {
    390       "title": "Jailbroken: How Does LLM Safety Training Fail?",
    391       "authors": ["A. Wei", "N. Haghtalab", "J. Steinhardt"],
    392       "year": 2023,
    393       "arxiv_id": "2307.02483",
    394       "relevance": "Analysis of how LLM alignment can be manipulated, directly relevant to AI safety evaluation."
    395     },
    396     {
    397       "title": "Extracting Training Data from Large Language Models",
    398       "authors": ["N. Carlini", "F. Tramer", "E. Wallace"],
    399       "year": 2021,
    400       "relevance": "Foundational work on training data extraction from LLMs, relevant to LLM privacy and data leakage."
    401     },
    402     {
    403       "title": "MASTERKEY: Automated Jailbreaking of Large Language Model Chatbots",
    404       "authors": ["G. Deng", "Y. Liu", "Y. Li"],
    405       "year": 2024,
    406       "relevance": "Automated jailbreak prompt generation at NDSS 2024, relevant to LLM safety evaluation methodology."
    407     },
    408     {
    409       "title": "More Than You've Asked For: A Comprehensive Analysis of Novel Prompt Injection Threats",
    410       "authors": ["K. Greshake", "S. Abdelnabi", "S. Mishra"],
    411       "year": 2023,
    412       "arxiv_id": "2302.12173",
    413       "relevance": "Comprehensive analysis of prompt injection threats to application-integrated LLMs."
    414     },
    415     {
    416       "title": "Safety-Tuned LLaMAs: Lessons from Improving the Safety of Large Language Models that Follow Instructions",
    417       "authors": ["F. Bianchi", "M. Suzgun", "G. Attanasio"],
    418       "year": 2023,
    419       "arxiv_id": "2309.07875",
    420       "relevance": "Shows that incorporating 3% safe examples during fine-tuning substantially improves LLM safety."
    421     },
    422     {
    423       "title": "ChatGPT for Vulnerability Detection, Classification, and Repair: How Far Are We?",
    424       "authors": ["M. Fu", "C. Tantithamthavorn", "V. Nguyen", "T. Le"],
    425       "year": 2023,
    426       "relevance": "Evaluates ChatGPT on vulnerability-related tasks over 190,000 C/C++ functions, relevant to LLM code security capability."
    427     },
    428     {
    429       "title": "Large Language Models for Software Engineering: Survey and Open Problems",
    430       "authors": ["A. Fan", "B. Gokkaya", "M. Harman"],
    431       "year": 2023,
    432       "relevance": "Broad survey on LLMs for software engineering, relevant as a comparison survey in the same space."
    433     }
    434   ]
    435 }
