{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,31]],"date-time":"2026-03-31T17:03:39Z","timestamp":1774976619592,"version":"3.50.1"},"reference-count":59,"publisher":"Elsevier BV","issue":"6","license":[{"start":{"date-parts":[[2026,9,1]],"date-time":"2026-09-01T00:00:00Z","timestamp":1788220800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,9,1]],"date-time":"2026-09-01T00:00:00Z","timestamp":1788220800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,9,1]],"date-time":"2026-09-01T00:00:00Z","timestamp":1788220800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-017"},{"start":{"date-parts":[[2026,9,1]],"date-time":"2026-09-01T00:00:00Z","timestamp":1788220800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"},{"start":{"date-parts":[[2026,9,1]],"date-time":"2026-09-01T00:00:00Z","timestamp":1788220800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-012"},{"start":{"date-parts":[[2026,9,1]],"date-time":"2026-09-01T00:00:00Z","timestamp":1788220800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,9,1]],"date-time":"2026-09-01T00:00:00Z","timestamp":1788220800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-004"}],"funder":[{"DOI":"10.13039\/100008986","name":"University of Guelph","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100008986","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Information Processing & Management"],"published-print":{"date-parts":[[2026,9]]},"DOI":"10.1016\/j.ipm.2026.104768","type":"journal-article","created":{"date-parts":[[2026,3,31]],"date-time":"2026-03-31T13:42:49Z","timestamp":1774964569000},"page":"104768","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"title":["Beyond the prompt: Log-based threat detection and attribution for multi-Agent LLMs"],"prefix":"10.1016","volume":"63","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-7730-9065","authenticated-orcid":false,"given":"Elnaz","family":"Rabieinejad","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2102-9190","authenticated-orcid":false,"given":"Fattane","family":"Zarrinkalam","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9294-7554","authenticated-orcid":false,"given":"Ali","family":"Dehghantanha","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/j.ipm.2026.104768_bib0001","series-title":"Southeastcon 2025","first-page":"143","article-title":"Cyberattacks on large language models-attack detection and architecture adaptability","author":"Alla","year":"2025"},{"key":"10.1016\/j.ipm.2026.104768_bib0002","unstructured":"Balashov, A., Ponomarova, O., & Zhai, X. (2025). Multi-stage prompt inference attacks on enterprise LLM systems. arXiv preprint arXiv: 2507.15613,."},{"key":"10.1016\/j.ipm.2026.104768_bib0003","series-title":"Proceedings of the AAAI conference on artificial intelligence","first-page":"23669","article-title":"Security attacks on llm-based code completion tools","volume":"vol. 39","author":"Cheng","year":"2025"},{"key":"10.1016\/j.ipm.2026.104768_sbref0004","series-title":"Proceedings of the IEEE symposium on security and privacy (s&p)","article-title":"Kairos: Practical intrusion detection and investigation using whole-system provenance","author":"Cheng","year":"2024"},{"key":"10.1016\/j.ipm.2026.104768_bib0005","unstructured":"Derczynski, L., Galinkin, E., Martin, J., Majumdar, S., & Inie, N. (2024). garak: A framework for security probing large language models. arXiv preprint arXiv: 2406.11036,."},{"key":"10.1016\/j.ipm.2026.104768_bib0006","series-title":"2016\u202fIEEE 16Th international conference on data mining (ICDM)","first-page":"859","article-title":"Spell: Streaming parsing of system event logs","author":"Du","year":"2016"},{"key":"10.1016\/j.ipm.2026.104768_bib0007","series-title":"Proceedings of the ACM SIGSAC conference on computer and communications security (CCS)","first-page":"1285","article-title":"Deeplog: Anomaly detection and diagnosis from system logs through deep learning","author":"Du","year":"2017"},{"key":"10.1016\/j.ipm.2026.104768_bib0008","doi-asserted-by":"crossref","unstructured":"Guo, H., Li, G., Li, J., Ding, Z., & Liu, J. (2021). LogBERT: Log anomaly detection via BERT. arXiv preprint arXiv: 2103.04475.","DOI":"10.1109\/IJCNN52387.2021.9534113"},{"key":"10.1016\/j.ipm.2026.104768_bib0009","doi-asserted-by":"crossref","DOI":"10.1016\/j.compeleceng.2024.109215","article-title":"Enhancing user prompt confidentiality in large language models through advanced differential encryption","volume":"116","author":"Gupta","year":"2024","journal-title":"Computers and Electrical Engineering"},{"key":"10.1016\/j.ipm.2026.104768_bib0010","series-title":"Proceedings of the first workshop on LLM security (LLMSEC)","first-page":"101","article-title":"Bypassing LLM guardrails: An empirical analysis of evasion attacks against prompt injection and jailbreak detection systems","author":"Hackett","year":"2025"},{"key":"10.1016\/j.ipm.2026.104768_bib0011","series-title":"Proceedings of the IEEE symposium on security and privacy (s&p)","first-page":"1137","article-title":"Holmes: Real-time apt detection through correlation of suspicious information flows","author":"Han","year":"2019"},{"issue":"5","key":"10.1016\/j.ipm.2026.104768_bib0012","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3712003","article-title":"Llm-based multi-agent systems for software engineering: Literature review, vision, and the road ahead","volume":"34","author":"He","year":"2025","journal-title":"ACM Transactions on Software Engineering and Methodology"},{"key":"10.1016\/j.ipm.2026.104768_bib0013","unstructured":"He, X., Wu, D., Zhai, Y., & Sun, K. (2025b). Sentinelagent: Graph-based anomaly detection in multi-agent systems. arXiv preprint arXiv: 2505.24201,."},{"key":"10.1016\/j.ipm.2026.104768_bib0014","unstructured":"Hossain, S. M., Shayoni, R. K., Ameen, M. R., Islam, A., Mridha, M. F., & Shin, J. (2025). A multi-agent LLM defense pipeline against prompt injection attacks. arXiv preprint arXiv: 2509.14285,."},{"key":"10.1016\/j.ipm.2026.104768_sbref0015","series-title":"Findings of the association for computational linguistics: NAACL","article-title":"Attention tracker: Detecting prompt injection attacks in LLMs","author":"Hung","year":"2025"},{"issue":"1","key":"10.1016\/j.ipm.2026.104768_bib0016","first-page":"80","article-title":"Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains","volume":"1","author":"Hutchins","year":"2011","journal-title":"Leading Issues in Information Warfare & Security Research"},{"key":"10.1016\/j.ipm.2026.104768_bib0017","unstructured":"IDC (2023). Idc forecasts worldwide spending on generative ai to reach $143 billion in 2027. Press releasehttps:\/\/www.businesswire.com\/news\/home\/20231016330764\/en\/IDC-Forecasts-Worldwide-Spending-on-\/Generative-AI-to-Reach-143-Billion-in-2027."},{"key":"10.1016\/j.ipm.2026.104768_bib0018","unstructured":"Inan, H., Upasani, K., Chi, J., Rungta, R., Iyer, K., Mao, Y., Tontchev, M., Hu, Q., Fuller, B., Testuggine, D., & Khabsa, M. (2023). Llama guard: LLM-based input-output safeguard for human-AI conversations. arXiv preprint arXiv: 2312.06674."},{"key":"10.1016\/j.ipm.2026.104768_bib0019","doi-asserted-by":"crossref","DOI":"10.1016\/j.iot.2024.101162","article-title":"A comparative analysis of various machine learning methods for anomaly detection in cyber attacks on iot networks","volume":"26","author":"Inuwa","year":"2024","journal-title":"Internet of Things"},{"issue":"6","key":"10.1016\/j.ipm.2026.104768_bib0020","doi-asserted-by":"crossref","DOI":"10.1016\/j.ipm.2025.104239","article-title":"Red teaming large language models: A comprehensive review and critical analysis","volume":"62","author":"Jabbar","year":"2025","journal-title":"Information Processing & Management"},{"issue":"14","key":"10.1016\/j.ipm.2026.104768_bib0021","doi-asserted-by":"crossref","first-page":"6421","DOI":"10.3390\/app11146421","article-title":"What disease does this patient have? a large-scale open domain question answering dataset from medical exams","volume":"11","author":"Jin","year":"2021","journal-title":"Applied Sciences"},{"key":"10.1016\/j.ipm.2026.104768_bib0022","series-title":"Proceedings of the 8th workshop on online abuse and harms (WOAH 2024)","first-page":"159","article-title":"Robust safety classifier against jailbreaking attacks: Adversarial prompt shield","author":"Kim","year":"2024"},{"key":"10.1016\/j.ipm.2026.104768_bib0023","doi-asserted-by":"crossref","unstructured":"Kim, J., Jung, J., Kim, S., Park, S., & Cho, S. (2024b). Safe-embed: Unveiling the safety-critical knowledge of sentence encoders. arXiv preprint arXiv: 2407.06851.","DOI":"10.18653\/v1\/2024.knowllm-1.13"},{"key":"10.1016\/j.ipm.2026.104768_bib0024","first-page":"79410","article-title":"Mdagents: An adaptive collaboration of llms for medical decision-making","volume":"37","author":"Kim","year":"2024","journal-title":"Advances in Neural Information Processing Systems"},{"issue":"1","key":"10.1016\/j.ipm.2026.104768_bib0025","doi-asserted-by":"crossref","first-page":"9","DOI":"10.1007\/s44336-024-00009-2","article-title":"A survey on LLM-based multi-agent systems: workflow, infrastructure, and challenges","volume":"1","author":"Li","year":"2024","journal-title":"Vicinagearth"},{"key":"10.1016\/j.ipm.2026.104768_bib0026","unstructured":"Lin, Y., Zhang, Z., Han, S., Chen, J. et al. (2021). Logrobust: A robust transformer-based system log anomaly detection method. arXiv preprint arXiv: 2108.11031."},{"key":"10.1016\/j.ipm.2026.104768_bib0027","article-title":"A unified approach to interpreting model predictions","volume":"30","author":"Lundberg","year":"2017","journal-title":"Advances in Neural Information Processing Systems"},{"issue":"3","key":"10.1016\/j.ipm.2026.104768_bib0028","doi-asserted-by":"crossref","DOI":"10.1016\/j.ipm.2022.102914","article-title":"SecureCPS: Cognitive inspired framework for detection of cyber attacks in cyber\u2013physical systems","volume":"59","author":"Makkar","year":"2022","journal-title":"Information Processing & Management"},{"key":"10.1016\/j.ipm.2026.104768_bib0029","series-title":"Proceedings of the international joint conference on artificial intelligence (IJCAI)","first-page":"4739","article-title":"Loganomaly: Unsupervised detection of anomalies in log data via sequential and quantitative modeling","author":"Meng","year":"2019"},{"key":"10.1016\/j.ipm.2026.104768_bib0030","unstructured":"Meta (2024). Prompt-guard. https:\/\/www.llama.com\/docs\/model-cards-and-prompt-formats\/prompt-guard. Accessed 2026-01-20."},{"key":"10.1016\/j.ipm.2026.104768_bib0031","unstructured":"News, T. H. (2025). Salesforce patches critical forcedleak bug exposing CRM data via AI prompt injection. https:\/\/thehackernews.com\/2025\/09\/salesforce-patches-critical-forcedleak.html."},{"key":"10.1016\/j.ipm.2026.104768_bib0032","series-title":"Proceedings of the IEEE international conference on computer vision","first-page":"1071","article-title":"Attribute-graph: A graph based approach to image ranking","author":"Prabhu","year":"2015"},{"key":"10.1016\/j.ipm.2026.104768_bib0033","unstructured":"Protect AI (2024). deberta-v3-base-prompt-injection-v2. https:\/\/huggingface.co\/protectai\/deberta-v3-base-prompt-injection-v2. Hugging Face model card; accessed 2026-01-20."},{"key":"10.1016\/j.ipm.2026.104768_bib0034","series-title":"2024\u202fIEEE International conference on big data (bigdata)","first-page":"5392","article-title":"Sok: Prompt hacking of large language models","author":"Rababah","year":"2024"},{"issue":"1","key":"10.1016\/j.ipm.2026.104768_bib0035","doi-asserted-by":"crossref","first-page":"4258","DOI":"10.1109\/TCE.2024.3349490","article-title":"Two-level privacy-preserving framework: Federated learning for attack detection in the consumer internet of things","volume":"70","author":"Rabieinejad","year":"2024","journal-title":"IEEE Transactions on Consumer Electronics"},{"key":"10.1016\/j.ipm.2026.104768_sbref0036","series-title":"Proceedings of the IEEE symposium on security and privacy (s&p)","article-title":"Flash: A comprehensive approach to intrusion detection via provenance graph representation learning","author":"Rehman","year":"2024"},{"key":"10.1016\/j.ipm.2026.104768_bib0037","first-page":"5898","article-title":"Evaluating attribution for graph neural networks","volume":"33","author":"Sanchez-Lengeling","year":"2020","journal-title":"Advances in Neural Information Processing Systems"},{"key":"10.1016\/j.ipm.2026.104768_bib0038","series-title":"Proceedings of the 2024 on ACM SIGSAC conference on computer and communications security","first-page":"1671","article-title":"\u201d Do anything now\u201d: Characterizing and evaluating in-the-wild jailbreak prompts on large language models","author":"Shen","year":"2024"},{"key":"10.1016\/j.ipm.2026.104768_bib0039","series-title":"Proceedings of the 2024 on ACM SIGSAC conference on computer and communications security","first-page":"660","article-title":"Optimization-based prompt injection attack to llm-as-a-judge","author":"Shi","year":"2024"},{"issue":"1","key":"10.1016\/j.ipm.2026.104768_bib0040","doi-asserted-by":"crossref","DOI":"10.1016\/j.ipm.2023.103531","article-title":"Robust scientific text classification using prompt tuning based on data augmentation with l2 regularization","volume":"61","author":"Shi","year":"2024","journal-title":"Information Processing & Management"},{"key":"10.1016\/j.ipm.2026.104768_bib0041","unstructured":"Touvron, H., Martin, L., Stone, K., Albert, P., Almahairi, A., Babaei, Y., Bashlykov, N., Batra, S., Bhargava, P., Bhosale, S. et al. (2023). Llama 2: Open foundation and fine-tuned chat models. arXiv preprint arXiv: 2307.09288."},{"key":"10.1016\/j.ipm.2026.104768_bib0042","first-page":"841","article-title":"Counterfactual explanations without opening the black box: Automated decisions and the GDPR","volume":"31","author":"Wachter","year":"2017","journal-title":"Harv. JL & Tech."},{"key":"10.1016\/j.ipm.2026.104768_bib0043","doi-asserted-by":"crossref","unstructured":"Wang, Y., Xue, D., Zhang, S., & Qian, S. (2024). Badagent: Inserting and activating backdoor attacks in llm agents. arXiv preprint arXiv: 2406.03007.","DOI":"10.18653\/v1\/2024.acl-long.530"},{"key":"10.1016\/j.ipm.2026.104768_bib0044","doi-asserted-by":"crossref","DOI":"10.1109\/TNSM.2024.3400283","article-title":"Contexlog: Non-parsing log anomaly detection with all information preservation and enhanced contextual representation","author":"Xiao","year":"2024","journal-title":"IEEE Transactions on Network and Service Management (TNSM)"},{"key":"10.1016\/j.ipm.2026.104768_sbref0045","series-title":"Proceedings of the 62nd annual meeting of the association for computational linguistics (ACL)","article-title":"Gradsafe: Detecting jailbreak prompts for LLMs via safety-critical gradient analysis","author":"Xie","year":"2024"},{"key":"10.1016\/j.ipm.2026.104768_bib0046","series-title":"Proceedings of the ACM conference on computer and communications security (CCS)","article-title":"Entente: Cross-silo intrusion detection on network log graphs with federated learning","author":"Xu","year":"2025"},{"key":"10.1016\/j.ipm.2026.104768_bib0047","series-title":"Proceedings of the ACM SIGOPS symposium on operating systems principles (SOSP)","first-page":"147","article-title":"Detecting large-scale system problems using system logs and PCA","author":"Xu","year":"2009"},{"key":"10.1016\/j.ipm.2026.104768_bib0048","first-page":"32219","article-title":"Bag of tricks: Benchmarking of jailbreak attacks on llms","volume":"37","author":"Xu","year":"2024","journal-title":"Advances in Neural Information Processing Systems"},{"key":"10.1016\/j.ipm.2026.104768_bib0049","unstructured":"Yang, X., Tang, X., Hu, S., & Han, J. (2024). Chain of attack: a semantic-driven contextual multi-turn attacker for llm. arXiv: 2405.05610,."},{"key":"10.1016\/j.ipm.2026.104768_bib0050","doi-asserted-by":"crossref","unstructured":"Ye, J., Li, S., Li, G., Huang, C., Gao, S., Wu, Y., Zhang, Q., Gui, T., & Huang, X. (2024). Toolsword: Unveiling safety issues of large language models in tool learning across three stages. arXiv: 2402.10753,.","DOI":"10.18653\/v1\/2024.acl-long.119"},{"issue":"1","key":"10.1016\/j.ipm.2026.104768_bib0051","doi-asserted-by":"crossref","DOI":"10.1016\/j.ipm.2025.104319","article-title":"A multi-agent framework with legal event logic graph for multi-defendant legal judgment prediction","volume":"63","author":"Yuan","year":"2026","journal-title":"Information Processing & Management"},{"key":"10.1016\/j.ipm.2026.104768_sbref0052","series-title":"Proceedings of the IEEE symposium on security and privacy (s&p)","first-page":"489","article-title":"Shadewatcher: Recommendation-guided cyber threat analysis using system audit records","author":"Zeng","year":"2022"},{"key":"10.1016\/j.ipm.2026.104768_sbref0053","series-title":"Proceedings of the network and distributed system security symposium (NDSS)","article-title":"Watson: Abstracting behaviors from audit logs via aggregation of contextual semantics","author":"Zeng","year":"2021"},{"key":"10.1016\/j.ipm.2026.104768_bib0054","unstructured":"Zeng, Y., Wu, Y., Zhang, X., Wang, H., & Wu, Q. (2024). Autodefense: Multi-agent llm defense against jailbreak attacks. arXiv: 2403.04783,."},{"issue":"1","key":"10.1016\/j.ipm.2026.104768_bib0055","doi-asserted-by":"crossref","DOI":"10.1016\/j.ipm.2025.104344","article-title":"Zero-and few-shot chinese cybersecurity event detection via meta-distillation learning","volume":"63","author":"Zhang","year":"2026","journal-title":"Information Processing & Management"},{"key":"10.1016\/j.ipm.2026.104768_bib0056","series-title":"Companion proceedings of the 32nd ACM international conference on the foundations of software engineering","first-page":"502","article-title":"Human-imperceptible retrieval poisoning attacks in LLM-powered applications","author":"Zhang","year":"2024"},{"key":"10.1016\/j.ipm.2026.104768_sbref0057","series-title":"Proceedings of the 34th USENIX security symposium","article-title":"Jbshield: Defending large language models from jailbreak attacks through activated concept analysis and manipulation","author":"Zhang","year":"2025"},{"key":"10.1016\/j.ipm.2026.104768_bib0058","article-title":"Jailguard: A universal detection framework for prompt-based attacks on llm systems","author":"Zhang","year":"2025","journal-title":"ACM Transactions on Software Engineering and Methodology"},{"key":"10.1016\/j.ipm.2026.104768_bib0059","doi-asserted-by":"crossref","first-page":"3051","DOI":"10.1109\/TIFS.2022.3201379","article-title":"Deepsyslog: Deep anomaly detection on syslog using sentence embedding and metadata","volume":"17","author":"Zhou","year":"2022","journal-title":"IEEE Transactions on Information Forensics and Security"}],"container-title":["Information Processing & Management"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0306457326001597?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0306457326001597?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,3,31]],"date-time":"2026-03-31T15:58:03Z","timestamp":1774972683000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0306457326001597"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,9]]},"references-count":59,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2026,9]]}},"alternative-id":["S0306457326001597"],"URL":"https:\/\/doi.org\/10.1016\/j.ipm.2026.104768","relation":{},"ISSN":["0306-4573"],"issn-type":[{"value":"0306-4573","type":"print"}],"subject":[],"published":{"date-parts":[[2026,9]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"Beyond the prompt: Log-based threat detection and attribution for multi-Agent LLMs","name":"articletitle","label":"Article Title"},{"value":"Information Processing & Management","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.ipm.2026.104768","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 Elsevier Ltd. All rights are reserved, including those for text and data mining, AI training, and similar technologies.","name":"copyright","label":"Copyright"}],"article-number":"104768"}}