{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T14:15:45Z","timestamp":1778163345773,"version":"3.51.4"},"reference-count":63,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T00:00:00Z","timestamp":1778112000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T00:00:00Z","timestamp":1778112000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100007782","name":"Tshwane University of Technology","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100007782","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100007782","name":"Tshwane University of Technology","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100007782","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Comput Virol Hack Tech"],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>Large Language Model (LLM)-based agents integrate various models, including planning loops, memory, tool use, and multi-agent systems, enabling autonomous decision-making through natural-language interfaces. This autonomy also expands the cyberattack surface from model-only failures to agent compromise, where untrusted text can exfiltrate data or trigger malicious actions. This survey presents a taxonomy-driven synthesis of security threats targeting LLM-based agents and a structured review of various studies, summarizing each work\u2019s aims, methods, results, and limitations and mapping them to the proposed taxonomy. Attacks, including context and prompt manipulation, jailbreak and cognition attacks, privacy attacks, agentic action induction and availability, and reconnaissance threats, were categorized. The widely adopted defenses are classified into prompt\/input sanitization, adversarial training and alignment tuning, architectural safeguards, monitoring and guardrails, and watermarking\/provenance mechanisms for source verification. The persistent gaps were a weak generalization of defense under attacker adaptation and a limited evaluation of agent-tool interaction risk. Since real deployments increasingly rely on agents that can remember and act, security must shift from single-model filtering to system-level, benchmarked, and continuously tested controls that measure resilience under adaptive attackers. Open challenges and research directions include robust detection of covert prompt attacks, continuous red-teaming, measurable security utility trade-offs, provenance-aware agent pipelines, and standardized protocols for evaluating secure LLM agents in real deployments.<\/jats:p>","DOI":"10.1007\/s11416-026-00622-3","type":"journal-article","created":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T13:53:12Z","timestamp":1778161992000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Securing LLM-based agents against cyberattacks: a comprehensive survey on  attack techniques and defense strategies"],"prefix":"10.1007","volume":"22","author":[{"given":"Nyashadzashe","family":"Tamuka","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Topside Ehleketani","family":"Mathonsi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Olwal Thomas","family":"Otieno","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Solly","family":"Maswikaneng","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Tonderai","family":"Muchenje","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Tshimangadzo Mavin","family":"Tshilongamulenzhe","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2026,5,7]]},"reference":[{"key":"622_CR1","unstructured":"Li, A., Zhou, Y., Raghuram, V.C., Goldstein, T., Goldblum, M.: Commercial LLM agents are already vulnerable to straightforward yet dangerous attacks.\u00a0arXiv preprint arXiv:2502.08586 (2025)"},{"issue":"5","key":"622_CR2","doi-asserted-by":"publisher","first-page":"e295","DOI":"10.1002\/spy2.295","volume":"6","author":"IH Sarker","year":"2023","unstructured":"Sarker, I.H.: Multi-aspects AI-based modeling and adversarial learning for cybersecurity intelligence and robustness: a comprehensive overview. Secur. Privacy 6(5), e295 (2023)","journal-title":"Secur. Privacy"},{"key":"622_CR3","doi-asserted-by":"crossref","unstructured":"Suo, X.: Signed-prompt: a new approach to prevent prompt injection attacks against LLM-integrated applications. In:\u00a0AIP Conference Proceedings,\u00a0vol. 3194, No. 1, p. 040013. AIP Publishing LLC (2024)","DOI":"10.1063\/5.0222987"},{"key":"622_CR4","unstructured":"Pedro, R., Castro, D., Carreira, P., Santos, N.: From prompt injections to SQL injection attacks: How protected is your LLM-integrated web application?.\u00a0arXiv preprint arXiv:2308.01990 (2023)"},{"key":"622_CR5","doi-asserted-by":"crossref","unstructured":"Nascimento, N., Alencar, P., Cowan, D.: Self-adaptive large language model (LLM)-based multi-agent systems. In:\u00a02023 IEEE International Conference on Autonomic Computing and Self-Organizing Systems Companion (ACSOS-C), pp. 104\u2013109. IEEE (2023)","DOI":"10.1109\/ACSOS-C58168.2023.00048"},{"key":"622_CR6","doi-asserted-by":"crossref","unstructured":"Tamuka, N., Sibanda, K.: Empowering healthcare queries: a chatbot for converting text to SQL. In: Pan-African Artificial Intelligence and Smart Systems Conference, pp. 72\u201382. Springer Nature Switzerland, Cham (2024)","DOI":"10.1007\/978-3-031-94442-0_5"},{"key":"622_CR7","unstructured":"Fang, R., Bindu, R., Gupta, A., Zhan, Q., Kang, D.: LLM agents can autonomously hack websites.\u00a0arXiv preprint arXiv:2402.06664 (2024)"},{"key":"622_CR8","doi-asserted-by":"crossref","unstructured":"Ji, W., Yuan, W., Getzen, E., Cho, K., Jordan, M.I., Mei, S., Weston, J.E., Su, W.J., Xu, J., Zhang, L.: An overview of large language models for statisticians.\u00a0arXiv preprint arXiv:2502.17814 (2025)","DOI":"10.1080\/00031305.2026.2657480"},{"key":"622_CR9","unstructured":"Prompt injection (no date) OWASP Foundation. Available at: https:\/\/owasp.org\/www-community\/attacks\/PromptInjection#:~:text=modify%20the%20original%20intent%20of,language%20text%20strings. Accessed 15 Jan 2026"},{"issue":"6","key":"622_CR10","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3773080","volume":"58","author":"F He","year":"2025","unstructured":"He, F., Zhu, T., Ye, D., Liu, B., Zhou, W., Yu, P.S.: Emerging security and Privacy of LLM agents: a survey with case studies. ACM Comput. Surv. 58(6), 1\u201336 (2025)","journal-title":"ACM Comput. Surv."},{"issue":"8","key":"622_CR11","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3719341","volume":"57","author":"Z Zhang","year":"2025","unstructured":"Zhang, Z., Yao, Y., Zhang, A., Tang, X., Ma, X., He, Z., Wang, Y., Gerstein, M., Wang, R., Liu, G., Zhao, H.: Igniting language intelligence: the Hitchhiker\u2019s guide from chain-of-thought reasoning to language agents. ACM Comput. Surv. 57(8), 1\u201339 (2025)","journal-title":"ACM Comput. Surv."},{"key":"622_CR12","doi-asserted-by":"crossref","unstructured":"Mei, Y., Nie, T., Sun, J., Tian, Y.: LLM-attacker: enhancing closed-loop adversarial scenario generation for autonomous driving with large language models.\u00a0arXiv preprint arXiv:2501.15850 (2025)","DOI":"10.1109\/TITS.2025.3578383"},{"key":"622_CR13","doi-asserted-by":"crossref","unstructured":"Leung, D., Tsai, O., Hashemi, K., Tayebi, B., Tayebi, M.A.: XploitSQL: Advancing Adversarial SQL Injection Attack Generation with Language Models and Reinforcement Learning. In: Proceedings of the 33rd ACM International Conference on Information and Knowledge Management, pp. 4653\u20134660 (2024)","DOI":"10.1145\/3627673.3680102"},{"issue":"6","key":"622_CR14","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3771090","volume":"58","author":"Z Yi","year":"2025","unstructured":"Yi, Z., Ouyang, J., Xu, Z., Liu, Y., Liao, T., Luo, H., Shen, Y.: A survey on recent advances in LLM-based multi-turn dialogue systems. ACM Comput. Surv. 58(6), 1\u201338 (2025)","journal-title":"ACM Comput. Surv."},{"key":"622_CR15","first-page":"80079","volume":"36","author":"A Wei","year":"2023","unstructured":"Wei, A., Haghtalab, N., Steinhardt, J.: Jailbroken: How does LLM safety training fail? Adv. Neural Inf. Process. Syst. 36, 80079\u201380110 (2023)","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"622_CR16","unstructured":"Zou, A., Wang, Z., Carlini, N., Nasr, M., Kolter, J.Z., Fredrikson, M.: Universal and transferable adversarial attacks on aligned language models.\u00a0arXiv preprint arXiv:2307.15043 (2023)"},{"key":"622_CR17","first-page":"32856","volume":"37","author":"X Zheng","year":"2024","unstructured":"Zheng, X., Pang, T., Du, C., Liu, Q., Jiang, J., Lin, M.: Improved few-shot jailbreaking can circumvent aligned language models and their defenses. Adv. Neural Inf. Process. Syst. 37, 32856\u201332887 (2024)","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"622_CR18","unstructured":"Liu, Y., Deng, G., Li, Y., Wang, K., Wang, Z., Wang, X., Zhang, T., Liu, Y., Wang, H., Zheng, Y., Liu, Y.: Prompt injection attack against LLM-integrated applications.\u00a0arXiv preprint arXiv:2306.05499 (2023)"},{"key":"622_CR19","unstructured":"Carlini, N., Tramer, F., Wallace, E., Jagielski, M., Herbert-Voss, A., Lee, K., Roberts, A., Brown, T., Song, D., Erlingsson, U., Oprea, A.: Extracting training data from large language models. In:\u00a0The 30th USENIX Security Symposium (USENIX Security 21, pp. 2633\u20132650) (2021)"},{"key":"622_CR20","unstructured":"Lee, D., Tiwari, M.: Prompt infection: LLM-to-LLM prompt injection within multi-agent systems.\u00a0arXiv preprint arXiv:2410.07283 (2024)"},{"key":"622_CR21","unstructured":"Liu, Y., Jia, Y., Jia, J., Gong, N.Z.: Evaluating {LLM-based} Personal Information Extraction and Countermeasures. In:\u00a034th USENIX Security Symposium (USENIX Security 25), pp. 1669\u20131688 (2025)"},{"key":"622_CR22","doi-asserted-by":"crossref","unstructured":"Jelodar, H., Bai, S., Hamedi, P., Mohammadian, H., Razavi-Far, R., Ghorbani, A.: Large Language Model (LLM) for Software Security: Code Analysis, Malware Analysis, Reverse Engineering.\u00a0arXiv preprint arXiv:2504.07137 (2025)","DOI":"10.1016\/j.jisa.2026.104390"},{"key":"622_CR23","unstructured":"Yi, S., Liu, Y., Sun, Z., Cong, T., He, X., Song, J., Xu, K., Li, Q.: Jailbreak attacks and defenses against large language models: a survey.\u00a0arXiv preprint arXiv:2407.04295 (2024)"},{"key":"622_CR24","unstructured":"Kumarage, T., Johnson, C., Adams, J., Ai, L., Kirchner, M., Hoogs, A., Garland, J., Hirschberg, J., Basharat, A., Liu, H.: Personalized Attacks of Social Engineering in Multi-turn Conversations\u2014LLM Agents for Simulation and Detection.\u00a0arXiv preprint arXiv:2503.15552 (2025)"},{"key":"622_CR25","doi-asserted-by":"crossref","unstructured":"Nascimento, E.R., Garc\u00eda, G., Izquierdo, Y.T., Feij\u00f3, L., Coelho, G.M., de Oliveira, A.R., Lemos, M., Garcia, R.L., Leme, L.A.P. e Casanova, M.A.: LLM-based text-to-SQL for real-world databases.\u00a0SN Comput. Sci.\u00a06(2), 130 (2025)","DOI":"10.1007\/s42979-025-03662-6"},{"key":"622_CR26","unstructured":"Li, Y., Wang, J., Zhu, H., Lin, J., Chang, S., Guo, M.: ThinkTrap: Denial-of-Service Attacks against Black-box LLM Services via Infinite Thinking.\u00a0arXiv preprint arXiv:2512.07086 (2025)"},{"key":"622_CR27","unstructured":"Kong, D., Lin, S., Xu, Z., Wang, Z., Li, M., Li, Y., Zhang, Y., Peng, H., Chen, X., Sha, Z., Li, Y.: A survey of LLM-driven AI agent communication: protocols, security risks, and defense countermeasures.\u00a0arXiv preprint arXiv:2506.19676 (2025)"},{"issue":"1","key":"622_CR28","doi-asserted-by":"publisher","first-page":"54","DOI":"10.3390\/info17010054","volume":"17","author":"S Gulyamov","year":"2026","unstructured":"Gulyamov, S., Gulyamov, S., Rodionov, A., Khursanov, R., Mekhmonov, K., Babaev, D., Rakhimjonov, A.: Prompt injection attacks in large language models and AI agent systems: a comprehensive review of vulnerabilities, attack vectors, and defense mechanisms. Information 17(1), 54 (2026)","journal-title":"Information"},{"key":"622_CR29","unstructured":"Yuan, Y., Jiao, W., Wang, W., Huang, J.T., He, P., Shi, S., Tu, Z.: GPT-4 is too smart to be safe: Stealthy chat with LLMs via cipher.\u00a0arXiv preprint arXiv:2308.06463 (2023)"},{"key":"622_CR30","doi-asserted-by":"crossref","unstructured":"Woodbridge, J., Anderson, H.S., Ahuja, A., Grant, D.: Detecting homoglyph attacks with a Siamese neural network. In:\u00a02018 IEEE Security and Privacy Workshops (SPW), pp. 22\u201328. IEEE (2018)","DOI":"10.1109\/SPW.2018.00012"},{"key":"622_CR31","doi-asserted-by":"crossref","unstructured":"Upadhayay, B., Behzadan, V.: Tongue-Tied: Breaking LLMs\u2019 Safety Through New Language Learning. In:\u00a0Proceedings of the 7th Workshop on Computational Approaches to Linguistic Code-Switching, pp. 32\u201347 (2025)","DOI":"10.18653\/v1\/2025.calcs-1.5"},{"key":"622_CR32","doi-asserted-by":"crossref","unstructured":"Yi, J., Xie, Y., Zhu, B., Kiciman, E., Sun, G., Xie, X., Wu, F.: Benchmarking and defending against indirect prompt injection attacks on large language models. In:\u00a0Proceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining, vol. 1, pp. 1809\u20131820 (2025)","DOI":"10.1145\/3690624.3709179"},{"key":"622_CR33","doi-asserted-by":"crossref","unstructured":"Le, K.G., Luong, N.H.: Black-Box Adversarial Attack on Dialogue Generation via Multi-Objective Optimization. In:\u00a0Proceedings of the Genetic and Evolutionary Computation Conference, pp. 397\u2013406 (2025)","DOI":"10.1145\/3712256.3726431"},{"key":"622_CR34","doi-asserted-by":"crossref","unstructured":"Naser, M.Z.: A review of prompt engineering techniques for large language models.\u00a0Int. J. Hum.\u2013Comput. Interact. 1\u201335 (2025)","DOI":"10.1080\/10447318.2025.2607553"},{"key":"622_CR35","doi-asserted-by":"crossref","unstructured":"Zhan, Q., Liang, Z., Ying, Z., Kang, D.: Injecagent: benchmarking indirect prompt injections in tool-integrated large language model agents. In:\u00a0Findings of the Association for Computational Linguistics: ACL 2024, pp. 10471\u201310506 (2024)","DOI":"10.18653\/v1\/2024.findings-acl.624"},{"key":"622_CR36","unstructured":"Ruan, Y., Dong, H., Wang, A., Pitis, S., Zhou, Y., Ba, J., Dubois, Y., Maddison, C.J., Hashimoto, T.: Identifying the risks of LM agents with an LM-emulated sandbox.\u00a0arXiv preprint arXiv:2309.15817 (2023)"},{"key":"622_CR37","first-page":"82895","volume":"37","author":"E Debenedetti","year":"2024","unstructured":"Debenedetti, E., Zhang, J., Balunovic, M., Beurer-Kellner, L., Fischer, M., Tram\u00e8r, F.: AgentDojo: a dynamic environment to evaluate prompt injection attacks and defenses for LLM agents. Adv. Neural Inf. Process. Syst. 37, 82895\u201382920 (2024)","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"622_CR38","doi-asserted-by":"crossref","unstructured":"Ghahremani, M., Podshyvalin, A., Taheri, R.: Evaluating and Defending Against Adversarial Attacks on LLM-Generated LSTM Models. In:\u00a0Adversarial Example Detection and Mitigation Using Machine Learning, pp. 183\u2013194. Springer Nature Switzerland, Cham (2026)","DOI":"10.1007\/978-3-031-99447-0_13"},{"key":"622_CR39","doi-asserted-by":"publisher","first-page":"111473","DOI":"10.1016\/j.comnet.2025.111473","volume":"269","author":"H Rezaei","year":"2025","unstructured":"Rezaei, H., Taheri, R., Shojafar, M.: FedLLMGuard: a federated large language model for anomaly detection in 5G networks. Comput. Netw. 269, 111473 (2025)","journal-title":"Comput. Netw."},{"key":"622_CR40","doi-asserted-by":"crossref","unstructured":"Cheng, W., Sun, K., Zhang, X., Wang, W.: Security attacks on LLM-based code completion tools. In:\u00a0Proceedings of the AAAI Conference on Artificial Intelligence,\u00a0vol. 39, No. 22, pp. 23669\u201323677 (2025)","DOI":"10.1609\/aaai.v39i22.34537"},{"key":"622_CR41","unstructured":"Amchaar, H.: Top 10 techniques to secure your LLM prompt in 2025 | by Hicham Amchaar | Medium, Top 10 Techniques to Secure Your LLM Prompt in 2025. Available at: https:\/\/chamoncode.medium.com\/top-10-techniques-to-secure-your-llm-prompt-in-2025-c9cc2db2f0a2. Accessed 22 Jan 2026 (2025)"},{"key":"622_CR42","doi-asserted-by":"crossref","unstructured":"Chen, B., Zhang, Z., Langren\u00e9, N., Zhu, S.: Unleashing the potential of prompt engineering for large language models.\u00a0Patterns (2025)","DOI":"10.1016\/j.patter.2025.101260"},{"issue":"6","key":"622_CR43","doi-asserted-by":"publisher","first-page":"1060","DOI":"10.3102\/10769986241279927","volume":"50","author":"KL Anglin","year":"2025","unstructured":"Anglin, K.L., Ventura, C.: Automatic text classification with large language models: a review of OpenAI for zero-and few-shot classification. J. Educ. Behav. Stat. 50(6), 1060\u20131082 (2025)","journal-title":"J. Educ. Behav. Stat."},{"key":"622_CR44","doi-asserted-by":"crossref","unstructured":"Wang, T., Xie, X., Zhang, L., Wang, C., Zhang, L., Cui, Y.: Shieldgpt: an LLM-based framework for DDoS mitigation. In: Proceedings of the 8th Asia-Pacific Workshop on Networking, pp. 108\u2013114 (2024)","DOI":"10.1145\/3663408.3663424"},{"key":"622_CR45","doi-asserted-by":"crossref","unstructured":"Barek, M.A., Riad, A.M.K.I., Rashid, M.B., Francia, G., Shahriar, H., Ahamed, S.I.: Analyzing the Behavior of LLM Under Concurrency and Token-Based DoS Attacks. In: 2025 IEEE Conference on Dependable, Autonomic and Secure Computing (DASC), (pp. 72\u201381). IEEE (2025).","DOI":"10.1109\/DASC68382.2025.00017"},{"key":"622_CR46","unstructured":"Wang, K., Zhang, G., Zhou, Z., Wu, J., Yu, M., Zhao, S., Yin, C., Fu, J., Yan, Y., Luo, H., Lin, L.: A comprehensive survey in LLM (-agent) full-stack safety: data, training, and deployment.\u00a0arXiv preprint arXiv:2504.15585 (2025)"},{"key":"622_CR47","unstructured":"Kumar, A., Agarwal, C., Srinivas, S., Li, A.J., Feizi, S., Lakkaraju, H.: Certifying LLM safety against adversarial prompting.\u00a0arXiv preprint arXiv:2309.02705 (2023)"},{"key":"622_CR48","doi-asserted-by":"crossref","unstructured":"Liu, Y., Zhang, W., Chen, H., Wang, L., Jia, X., Lin, Z., Wang, W.: AutoPrompt: Automated Red-Teaming of Text-to-Image Models via LLM-Driven Adversarial Prompts. In:\u00a0Proceedings of the IEEE\/CVF International Conference on Computer Vision, pp. 17557\u201317566 (2025)","DOI":"10.1109\/ICCV51701.2025.01631"},{"key":"622_CR49","unstructured":"Khanna, D., Kumar, G.M.K., Ghosh, B., Narsupalli, Y., Jain, V., Sharma, V., Chadha, A., Das, A.: Adversarial Attack Safety Alignment (ALKALI): Safeguarding LLMs through GRACE: Geometric Representation-Aware Contrastive Enhancement-Introducing Adversarial Vulnerability Quality Index (AVQI).\u00a0arXiv preprint arXiv:2506.08885 (2025)"},{"key":"622_CR50","unstructured":"Foerster, H., Mullins, R., Blanchard, T., Papernot, N., Nikoli\u0107, K., Tram\u00e8r, F., Shumailov, I., Zhang, C., Zhao, Y.: CaMeLs Can Use Computers Too: System-Level Security for Computer-Use Agents.\u00a0arXiv preprint arXiv:2601.09923 (2026)"},{"key":"622_CR51","unstructured":"Wei, Q., Yang, T., Wang, Y., Li, X., Li, L., Yin, Z., Zhan, Y., Holz, T., Lin, Z., Wang, X.: A-MemGuard: a proactive defense framework for LLM-based agent memory.\u00a0arXiv preprint arXiv:2510.02373 (2025)"},{"key":"622_CR52","unstructured":"Maninger, D., Chemnitz, L., Sharifloo, A.M., Lamba, T., Brugger, J., Mezini, M.: Evaluating and Mitigating Errors in LLM-Generated Web API Integrations.\u00a0arXiv preprint arXiv:2509.20172 (2025)"},{"key":"622_CR53","unstructured":"Syed, T.A., Almutairi, M.A., Moaty, M.A.: Toward Trustworthy Agentic AI: A Multimodal Framework for Preventing Prompt Injection Attacks.\u00a0arXiv preprint arXiv:2512.23557 (2025)"},{"key":"622_CR54","doi-asserted-by":"crossref","unstructured":"Panchumarthi, S., Sakamuri, D.: Securing Inter-Agent Communication: A Framework for Trusted and Secure AI-to-AI Collaboration.\u00a0Authorea Preprints (2025)","DOI":"10.36227\/techrxiv.175321895.56143977\/v1"},{"key":"622_CR55","doi-asserted-by":"crossref","unstructured":"Phanireddy, S.: LLM security and guardrail defense techniques in web applications.\u00a0Int. J. Emerg. Trends Comput. Sci. Inf. Technol. 221\u2013224 (2025)","DOI":"10.2139\/ssrn.5258606"},{"key":"622_CR56","doi-asserted-by":"crossref","unstructured":"Renze, M., Guven, E.: Self-reflection in LLM agents: effects on problem-solving performance.\u00a0arXiv preprint arXiv:2405.06682 (2024)","DOI":"10.1109\/FLLM63129.2024.10852426"},{"issue":"12","key":"622_CR57","doi-asserted-by":"publisher","first-page":"382","DOI":"10.1007\/s10462-025-11389-2","volume":"58","author":"Y DonG","year":"2025","unstructured":"Dong, Y., Mu, R., Zhang, Y., Sun, S., Zhang, T., Wu, C., Jin, G., Qi, Y., Hu, J., Meng, J., Bensalem, S.: Safeguarding large language models: a survey. Artif. Intell. Rev. 58(12), 382 (2025).","journal-title":"Artif. Intell. Rev."},{"key":"622_CR58","doi-asserted-by":"crossref","unstructured":"Otal, H.T., Canbaz, M.A.: LLM honeypot: leveraging large language models as advanced interactive honeypot systems. In:\u00a02024 IEEE Conference on Communications and Network Security (CNS), pp. 1\u20136. IEEE (2024)","DOI":"10.1109\/CNS62487.2024.10735607"},{"key":"622_CR59","doi-asserted-by":"crossref","unstructured":"Cao, D., Liu, S., Zhang, J., Xiang, Y.: Robustness analysis of watermarking techniques for LLM-generated code.\u00a0IEEE Netw. Lett. (2025)","DOI":"10.1109\/LNET.2025.3616325"},{"key":"622_CR60","doi-asserted-by":"crossref","unstructured":"Liang, Y., Xiao, J., Gan, W., Yu, P.S.: Watermarking techniques for large language models: a survey.\u00a0Artif. Intell. Rev. (2026)","DOI":"10.1007\/s10462-025-11474-6"},{"key":"622_CR61","doi-asserted-by":"crossref","unstructured":"Almuntashiri, A.H., Ib\u00e1\u00f1ez, L.D., Chapman, A.: Using LLMs to infer provenance information. In Proceedings of the ProvenanceWeek (2025), pp. 1\u201310.","DOI":"10.1145\/3736229.3736261"},{"issue":"6","key":"622_CR62","doi-asserted-by":"publisher","first-page":"801","DOI":"10.1007\/s10207-019-00442-1","volume":"18","author":"E Toreini","year":"2019","unstructured":"Toreini, E., Shahandashti, S.F., Mehrnezhad, M., and Hao, F.: DOMtegrity: ensuring web page integrity against malicious browser extension. Int. J.  Inf. Secur., 18(6), 801\u2013814 (2019).","journal-title":"Int. J. Inf. Secur."},{"key":"622_CR63","doi-asserted-by":"crossref","unstructured":"Zhao, X., Gunn, S., Christ, M., Fairoze, J., Fabrega, A., Carlini, N., Garg, S., Hong, S., Nasr, M., Tramer, F., Jha, S.: SoK: watermarking for AI-generated content. In:\u00a02025 IEEE Symposium on Security and Privacy (SP), pp. 2621\u20132639. IEEE (2025)","DOI":"10.1109\/SP61157.2025.00178"}],"container-title":["Journal of Computer Virology and Hacking Techniques"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-026-00622-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11416-026-00622-3","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-026-00622-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T13:54:25Z","timestamp":1778162065000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11416-026-00622-3"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,7]]},"references-count":63,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,12]]}},"alternative-id":["622"],"URL":"https:\/\/doi.org\/10.1007\/s11416-026-00622-3","relation":{},"ISSN":["2263-8733"],"issn-type":[{"value":"2263-8733","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,5,7]]},"assertion":[{"value":"11 February 2026","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"11 April 2026","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"7 May 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"Not applicable.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethics approval and consent to participate"}},{"value":"Not applicable.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Consent for publication"}}],"article-number":"38"}}