{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,24]],"date-time":"2026-06-24T23:24:20Z","timestamp":1782343460397,"version":"3.54.5"},"publisher-location":"Cham","reference-count":39,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032078834","type":"print"},{"value":"9783032078841","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,10,13]],"date-time":"2025-10-13T00:00:00Z","timestamp":1760313600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,10,13]],"date-time":"2025-10-13T00:00:00Z","timestamp":1760313600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-3-032-07884-1_25","type":"book-chapter","created":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T16:22:49Z","timestamp":1760286169000},"page":"488-507","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["StructTransform: A Scalable Attack Surface for\u00a0Safety-Aligned Large Language Models"],"prefix":"10.1007","author":[{"given":"Shehel","family":"Yoosuf","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Temoor","family":"Ali","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Ahmed","family":"Lekssays","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Mashael","family":"AlSabah","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Issa","family":"Khalil","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2025,10,13]]},"reference":[{"key":"25_CR1","unstructured":"Claude\u2019s constituion AI (2023)"},{"key":"25_CR2","unstructured":"Anil, C., et\u00a0al.: Many-shot jailbreaking. In: The Thirty-eighth Annual Conference on Neural Information Processing Systems (2024)"},{"key":"25_CR3","unstructured":"Arditi, A., et al.: Refusal in language models is mediated by a single direction. In: The Thirty-Eighth Annual Conference on Neural Information Processing Systems (2024)"},{"key":"25_CR4","unstructured":"El Atillah, I.: Man ends his life after an ai chatbot \u2019encouraged\u2019 him to sacrifice himself to stop climate change (2023)"},{"key":"25_CR5","unstructured":"Bailey, L., et al.: Obfuscated activations bypass LLM latent-space defenses. arXiv preprint arXiv:2412.09565 (2024)"},{"key":"25_CR6","unstructured":"Casper, S., Schulze, L., Patel, O., Hadfield-Menell, D.: Defending against unforeseen failure modes with latent adversarial training. arXiv preprint arXiv:2403.05030 (2024)"},{"key":"25_CR7","doi-asserted-by":"crossref","unstructured":"Chao, P., Robey, A., Dobriban, E., Hassani, H., Pappas, G.J., Wong, E.: Jailbreaking black box large language models in twenty queries. In: R0-FoMo: Robustness of Few-shot and Zero-shot Learning in Large Foundation Models (2024)","DOI":"10.1109\/SaTML64287.2025.00010"},{"key":"25_CR8","unstructured":"Deng, Y., Zhang, W., Pan, S.J., Bing, L.: Multilingual jailbreak challenges in large language models. In: The Twelfth International Conference on Learning Representations (2024)"},{"key":"25_CR9","unstructured":"Dubey, A., et\u00a0al.: The llama 3 herd of models. arXiv preprint arXiv:2407.21783 (2024)"},{"key":"25_CR10","unstructured":"Ganguli, D., et\u00a0al.: Red teaming language models to reduce harms: methods, scaling behaviors, and lessons learned. arXiv preprint arXiv:2209.07858 (2022)"},{"key":"25_CR11","doi-asserted-by":"crossref","unstructured":"Guan, M.Y., et\u00a0al.: Deliberative alignment: reasoning enables safer language models. arXiv preprint arXiv:2412.16339 (2024)","DOI":"10.70777\/si.v2i3.15159"},{"key":"25_CR12","unstructured":"Han, S., et al.: WildGuard: open one-stop moderation tools for safety risks, jailbreaks, and refusals of LLMs (2024)"},{"key":"25_CR13","unstructured":"Handa, D., Chirmule, A., Gajera, B., Baral, C.: When \u201ccompetency\u201d in reasoning opens the door to vulnerability: jailbreaking LLMs via novel complex ciphers (2024)"},{"key":"25_CR14","unstructured":"Jaech, A., et\u00a0al.: OpenAI o1 system card. arXiv preprint arXiv:2412.16720 (2024)"},{"key":"25_CR15","doi-asserted-by":"crossref","unstructured":"Jiang, F., et al.: ArtPrompt: ASCII art-based jailbreak attacks against aligned LLMs. In: ICLR 2024 Workshop on Secure and Trustworthy Large Language Models (2024)","DOI":"10.18653\/v1\/2024.acl-long.809"},{"key":"25_CR16","unstructured":"Jiang, L., et\u00a0al.: Wildteaming at scale: from in-the-wild jailbreaks to (adversarially) safer language models. In: ICML 2024 Next Generation of AI Safety Workshop (2024)"},{"key":"25_CR17","doi-asserted-by":"crossref","unstructured":"Kang, D., Li, X., Stoica, I., Guestrin, C., Zaharia, M., Hashimoto, T.: Exploiting programmatic behavior of LLMs: dual-use through standard security attacks. In: 2024 IEEE Security and Privacy Workshops (SPW), pp. 132\u2013143. IEEE (2024)","DOI":"10.1109\/SPW63631.2024.00018"},{"key":"25_CR18","unstructured":"Liu, X., Xu, N., Chen, M., Xiao, C.: AutoDAN: generating stealthy jailbreak prompts on aligned large language models. arXiv preprint arXiv:2310.04451 (2023)"},{"key":"25_CR19","unstructured":"Mazeika, M., et\u00a0al.: HarmBench: a standardized evaluation framework for automated red teaming and robust refusal. In: Forty-first International Conference on Machine Learning (2024)"},{"key":"25_CR20","doi-asserted-by":"crossref","unstructured":"Nahapetyan, A., et al.: On SMS phishing tactics and infrastructure. In: 2024 IEEE Symposium on Security and Privacy (SP), pp. 169\u2013169. IEEE Computer Society (2024)","DOI":"10.1109\/SP54263.2024.00169"},{"key":"25_CR21","doi-asserted-by":"crossref","unstructured":"Oswald, C., Simon, S.E., Bhattacharya, A.: SpotSpam: intention analysis\u2013driven SMS spam detection using BERT embeddings. ACM Trans. Web (TWEB), 16(3), 1\u201327 (2022)","DOI":"10.1145\/3538491"},{"key":"25_CR22","doi-asserted-by":"crossref","unstructured":"Perez, E., et al.: Red teaming language models with language models. In: Proceedings of the 2022 Conference on Empirical Methods in Natural Language Processing, pp. 3419\u20133448 (2022)","DOI":"10.18653\/v1\/2022.emnlp-main.225"},{"key":"25_CR23","first-page":"11437","volume":"2024","author":"Q Ren","year":"2024","unstructured":"Ren, Q., et al.: CodeAttack: revealing safety generalization challenges of large language models via code completion. Findings Assoc. Comput. Linguist. ACL 2024, 11437\u201311452 (2024)","journal-title":"Findings Assoc. Comput. Linguist. ACL"},{"key":"25_CR24","unstructured":"De Rosa, N.: How the new version of ChatGPT generates hate and disinformation on command (2024)"},{"key":"25_CR25","unstructured":"Saha, P.: Cybercriminals are using ChatGPT to create malware, says OpenAI; here\u2019s how, (2024)"},{"key":"25_CR26","unstructured":"Samvelyan, M., et al.: Rainbow teaming: open-ended generation of diverse adversarial prompts. In: ICLR 2024 Workshop on Secure and Trustworthy Large Language Models (2024)"},{"key":"25_CR27","unstructured":"Schwartz, J.: How to weaponize microsoft copilot for cyberattackers (2024)"},{"key":"25_CR28","doi-asserted-by":"crossref","unstructured":"Shang, S., et al.: IntentObfuscator: a jailbreaking method via confusing LLM with prompts. In: Computer Security \u2013 ESORICS 2024, pp. 146\u2013165. Springer Nature Switzerland, Cham (2024)","DOI":"10.1007\/978-3-031-70903-6_8"},{"key":"25_CR29","doi-asserted-by":"crossref","unstructured":"Silverstein, M.: Linguistic theory: syntax, semantics, pragmatics. Ann. Rev. Anthropol., 349\u2013382 (1972)","DOI":"10.1146\/annurev.an.01.100172.002025"},{"key":"25_CR30","doi-asserted-by":"crossref","unstructured":"Timko, D., Rahman, M.L.: Smishing dataset i: Phishing SMS dataset from smishtank.com. In: Proceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy, pp. 289\u2013294 (2024)","DOI":"10.1145\/3626232.3653282"},{"key":"25_CR31","unstructured":"Wei, A., Haghtalab, N., Steinhardt, J.: JailBroken: how does LLM safety training fail? In: Advances in Neural Information Processing Systems, vol. 36 (2024)"},{"key":"25_CR32","doi-asserted-by":"crossref","unstructured":"Welbl, J., et al.: Challenges in detoxifying language models. In: Findings of the Association for Computational Linguistics: EMNLP 2021, pp. 2447\u20132469 (2021)","DOI":"10.18653\/v1\/2021.findings-emnlp.210"},{"key":"25_CR33","unstructured":"Wu, Z., Gao, H., He, J., Wang, P.: The dark side of function calling: pathways to jailbreaking large language models. In: Proceedings of the 31st International Conference on Computational Linguistics, pp. 584\u2013592 (2025)"},{"key":"25_CR34","unstructured":"Yu, J., Lin, X., Yu, Z., Xing, X.: GPTFUZZER: red teaming large language models with auto-generated jailbreak prompts. arXiv preprint arXiv:2309.10253 (2023)"},{"key":"25_CR35","doi-asserted-by":"crossref","unstructured":"Zeng, Y., Lin, H., Zhang, J., Yang, D., Jia, R., Shi, W.: How johnny can persuade LLMs to jailbreak them: rethinking persuasion to challenge AI safety by humanizing LLMs. In: Proceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), pp. 14322\u201314350, Bangkok, Thailand (2024)","DOI":"10.18653\/v1\/2024.acl-long.773"},{"key":"25_CR36","unstructured":"Zhou, W., et al.: A unified framework for jailbreaking large language models, Easyjailbreak (2024)"},{"key":"25_CR37","doi-asserted-by":"crossref","unstructured":"Zhuo, S., Biddle, R., Koh, Y.S., Lottridge, D., Russello, G.: SOK: human-centered phishing susceptibility. ACM Trans. Priv. Secur. 26(3), 1\u201327 (2023)","DOI":"10.1145\/3575797"},{"key":"25_CR38","unstructured":"Zou, A., et al.: Improving alignment and robustness with circuit breakers. In: The Thirty-eighth Annual Conference on Neural Information Processing Systems (2024)"},{"key":"25_CR39","unstructured":"Zou, A., Wang, Z., Carlini, N., Nasr, M., Kolter, J.Z., Fredrikson, M.: Universal and transferable adversarial attacks on aligned language models. arXiv preprint arXiv:2307.15043 (2023)"}],"container-title":["Lecture Notes in Computer Science","Computer Security \u2013 ESORICS 2025"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-07884-1_25","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T16:23:02Z","timestamp":1760286182000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-07884-1_25"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,13]]},"ISBN":["9783032078834","9783032078841"],"references-count":39,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-07884-1_25","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,10,13]]},"assertion":[{"value":"13 October 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ESORICS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"European Symposium on Research in Computer Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Toulouse","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"France","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"22 September 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"24 September 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"30","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"esorics2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.esorics2025.org\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}