{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,4]],"date-time":"2026-03-04T07:43:06Z","timestamp":1772610186609,"version":"3.50.1"},"reference-count":162,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"DOI":"10.13039\/100030807","name":"Commonwealth Cyber Initiative","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100030807","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2025]]},"DOI":"10.1109\/access.2025.3567195","type":"journal-article","created":{"date-parts":[[2025,5,5]],"date-time":"2025-05-05T17:57:11Z","timestamp":1746467831000},"page":"84057-84080","source":"Crossref","is-referenced-by-count":3,"title":["Exploring Research and Tools in AI Security: A Systematic Mapping Study"],"prefix":"10.1109","volume":"13","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-7998-7183","authenticated-orcid":false,"given":"Sidhant","family":"Narula","sequence":"first","affiliation":[{"name":"Department of Computer Science, Old Dominion University, Norfolk, VA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6661-0942","authenticated-orcid":false,"given":"Mohammad","family":"Ghasemigol","sequence":"additional","affiliation":[{"name":"School of Cybersecurity, Old Dominion University, Norfolk, VA, USA"}]},{"given":"Javier","family":"Carnerero-Cano","sequence":"additional","affiliation":[{"name":"IBM Research Europe, Dublin, Ireland"}]},{"given":"Amanda","family":"Minnich","sequence":"additional","affiliation":[{"name":"Microsoft AI Red Team, Redmond, WA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2844-3917","authenticated-orcid":false,"given":"Emil","family":"Lupu","sequence":"additional","affiliation":[{"name":"Department of Computing, Imperial College London, London, U.K."}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0447-3641","authenticated-orcid":false,"given":"Daniel","family":"Takabi","sequence":"additional","affiliation":[{"name":"School of Cybersecurity, Old Dominion University, Norfolk, VA, USA"}]}],"member":"263","reference":[{"issue":"2","key":"ref1","first-page":"71","article-title":"Ensuring trust and security in AI: Challenges and solutions for safe integration","volume":"3","author":"Konda","year":"2019","journal-title":"Int. J. Comput. Sci. Technol."},{"key":"ref2","volume-title":"A Brief History of Artificial Intelligence: What it is, Where We Are, and Where We Are Going","author":"Wooldridge","year":"2021"},{"key":"ref3","article-title":"Security and privacy for artificial intelligence: Opportunities and challenges","author":"Oseni","year":"2021","journal-title":"arXiv:2102.04661"},{"key":"ref4","volume-title":"What is Ai Security?","year":"2023"},{"key":"ref5","volume-title":"Joint Guidance on Deploying AI Systems Securely","year":"2024"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1145\/3442167.3442177"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.3390\/s22176662"},{"key":"ref8","doi-asserted-by":"crossref","DOI":"10.2139\/ssrn.4922592","volume-title":"Systematic overview of AI security standards","author":"Gnitko","year":"2024"},{"key":"ref9","volume-title":"Enterprises\u2019 Best Bet for the Future: Securing Generative AI"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC57700.2023.00284"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2023.122442"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/CAIN58948.2023.00027"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2015.03.007"},{"key":"ref14","article-title":"Threats, vulnerabilities, and controls of machine learning based systems: A survey and taxonomy","author":"Kawamoto","year":"2023","journal-title":"arXiv:2301.07474"},{"key":"ref15","article-title":"AI product security: A primer for developers","author":"Isaac","year":"2023","journal-title":"arXiv:2304.11087"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.4018\/IJSPPC.325475"},{"key":"ref17","article-title":"Threat assessment in machine learning based systems","author":"Nganyewou Tidjon","year":"2022","journal-title":"arXiv:2207.00091"},{"key":"ref18","volume-title":"X-Force Threat Intelligence Index 2023","year":"2023"},{"key":"ref19","volume-title":"ENISA Threat Landscape 2023"},{"key":"ref20","volume-title":"Vulnerability disclosure and management for AI\/ML systems: A working paper with policy recommendations","author":"Grotto","year":"2021"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1145\/3487890"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.3389\/fdata.2020.00023"},{"key":"ref24","doi-asserted-by":"crossref","DOI":"10.31219\/osf.io\/npm3d","article-title":"Multidisciplinary collaboration: Key players in successful implementation of ChatGPT and similar generative artificial intelligence in manufacturing, finance, retail, transportation, and construction industry","author":"Rane","year":"2023"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1007\/s42979-021-00557-0"},{"key":"ref26","volume-title":"Microsoft Responsible AI Impact Assessment Template","year":"2022"},{"key":"ref27","volume-title":"Saif","year":"2021"},{"key":"ref28","volume-title":"Snowflake AI Security Framework","author":"Inc","year":"2023"},{"key":"ref29","volume-title":"AI Risk Management Framework","year":"2022"},{"key":"ref30","volume-title":"OWASP AI Security and Privacy Guide","author":"Foundation","year":"2023"},{"key":"ref31","volume-title":"Counterfit","year":"2022"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.30574\/wjarr.2024.21.1.0287"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.3390\/app9050909"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.3390\/electronics11081283"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1145\/3551636"},{"key":"ref36","article-title":"Backdoor attacks and countermeasures on deep learning: A comprehensive review","author":"Gao","year":"2020","journal-title":"arXiv:2007.10760"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/MCOM.001.1900091"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/TAI.2021.3111139"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1007\/s11023-018-9482-5"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2023.3326410"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-019-0027-x"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1145\/3600211.3604700"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2023.121220"},{"key":"ref44","article-title":"Evaluating the vulnerabilities in ML systems in terms of adversarial attacks","author":"Harshith","year":"2023","journal-title":"arXiv:2308.12918"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.2172\/1846969"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.2139\/ssrn.3964084"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1201\/9781003261247-13"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1609\/aies.v7i1.31635"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1007\/s10489-022-03350-5"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354211"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2023.3287195"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/3627106.3627196"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1098\/rsos.230859"},{"key":"ref55","article-title":"Robust and secure AI","author":"Barmer","year":"2021"},{"key":"ref56","article-title":"Supporting AI\/ML security workers through an adversarial techniques, tools, and common knowledge (AI\/ML ATT&CK) framework","author":"Fazelnia","year":"2022","journal-title":"arXiv:2211.05075"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1109\/MITP.2022.3180330"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2024.3385107"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1155\/2023\/9308909"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1145\/3385003.3410920"},{"key":"ref61","article-title":"Poisoning attacks and defenses on artificial intelligence: A survey","author":"Ramirez","year":"2022","journal-title":"arXiv:2202.10276"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.4236\/jcc.2021.912007"},{"key":"ref63","volume-title":"LLM AI Cybersecurity & Governance Checklist","author":"Dunn Team","year":"2024"},{"key":"ref64","article-title":"Mapping LLM security landscapes: A comprehensive stakeholder risk assessment proposal","author":"Pankajakshan","year":"2024","journal-title":"arXiv:2403.13309"},{"key":"ref65","article-title":"A new era in LLM security: Exploring security concerns in real-world LLM-based systems","author":"Wu","year":"2024","journal-title":"arXiv:2402.18649"},{"key":"ref66","article-title":"The ethics of interaction: Mitigating security threats in LLMs","author":"Kumar","year":"2024","journal-title":"arXiv:2401.12273"},{"key":"ref67","article-title":"Security issues in large language models such as ChatGPT","author":"Kanamugire","year":"2024"},{"key":"ref68","article-title":"SecureLLM: Using compositionality to build provably secure language models for private, sensitive, and secret data","author":"Alabdulkareem","year":"2024","journal-title":"arXiv:2405.09805"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1145\/3712001"},{"key":"ref70","article-title":"Causality analysis for evaluating the security of large language models","author":"Zhao","year":"2023","journal-title":"arXiv:2312.07876"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1016\/j.jiixd.2023.10.007"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-54252-7_4"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2024.3381611"},{"key":"ref74","article-title":"Generative AI security: Challenges and countermeasures","author":"Zhu","year":"2024","journal-title":"arXiv:2402.12617"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.acl-long.773"},{"key":"ref76","article-title":"Tree of attacks: Jailbreaking black-box LLMs automatically","author":"Mehrotra","year":"2023","journal-title":"arXiv:2312.02119"},{"key":"ref77","article-title":"Universal and transferable adversarial attacks on aligned language models","author":"Zou","year":"2023","journal-title":"arXiv:2307.15043"},{"key":"ref78","article-title":"Jailbreaking black box large language models in twenty queries","author":"Chao","year":"2023","journal-title":"arXiv:2310.08419"},{"key":"ref79","article-title":"Defending against indirect prompt injection attacks with spotlighting","author":"Hines","year":"2024","journal-title":"arXiv:2403.14720"},{"key":"ref80","article-title":"A LLM assisted exploitation of AI-guardian","author":"Carlini","year":"2023","journal-title":"arXiv:2307.15008"},{"key":"ref81","article-title":"Mission impossible: A statistical perspective on jailbreaking LLMs","author":"Su","year":"2024","journal-title":"arXiv:2408.01420"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140444"},{"key":"ref83","article-title":"Aligning large multi-modal model with robust instruction tuning","author":"Liu","year":"2023","journal-title":"arXiv:2306.14565"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1093\/comjnl\/bxae124"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1145\/3661167.3661263"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnlest.2025.100301"},{"key":"ref87","first-page":"32856","article-title":"Improved few-shot jailbreaking can circumvent aligned language models and their defenses","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"37","author":"Pang"},{"key":"ref88","article-title":"Covert malicious finetuning: Challenges in safeguarding LLM adaptation","author":"Halawi","year":"2024","journal-title":"arXiv:2406.20053"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-acl.679"},{"key":"ref90","first-page":"1","article-title":"Fight back against jailbreaking via prompt adversarial tuning","volume-title":"Proc. 38th Annu. Conf. Neural Inf. Process. Syst.","author":"Mo"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-acl.948"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.emnlp-main.1022"},{"key":"ref93","article-title":"LLM jailbreak attack versus defense techniques\u2014A comprehensive study","author":"Xu","year":"2024","journal-title":"arXiv:2402.13457"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v39i22.34537"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.51483\/IJAIML.4.1.2024.48-60"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1093\/oxfordhb\/9780197579329.013.39"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2023.3346187"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1109\/MWC.001.2100479"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1145\/3512899"},{"key":"ref100","article-title":"A framework for fairness: A systematic review of existing fair AI solutions","author":"Richardson","year":"2021","journal-title":"arXiv:2112.05700"},{"key":"ref101","article-title":"Eur. Commission High-Level Expert Group Artif. Intell","volume-title":"The Assessment List for Trustworthy Artificial Intelligence","year":"2020"},{"key":"ref102","volume-title":"Model AI Governance Framework","year":"2020"},{"key":"ref103","volume-title":"NSW Artificial Intelligence Assurance Framework","year":"2022"},{"key":"ref104","volume-title":"Algorithm Impact Assessment Tool","year":"2022"},{"key":"ref105","volume-title":"Fundamental Rights and Algorithm Impact Assessment","year":"2021"},{"key":"ref106","volume-title":"Ethics & Algorithms Toolkit","year":"2020"},{"key":"ref107","volume-title":"Python Risk Identification Tool for Generative AI (PyRIT)","year":"2023"},{"key":"ref108","volume-title":"Adversarial Robustness Toolbox (Art)","author":"Research","year":"2024"},{"key":"ref109","volume-title":"Rebuff","year":"2024"},{"key":"ref110","volume-title":"Modelscan","year":"2022"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670388"},{"key":"ref112","article-title":"Explaining and harnessing adversarial examples","author":"Goodfellow","year":"2014","journal-title":"arXiv:1412.6572"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.1706.06083"},{"key":"ref114","first-page":"2938","article-title":"How to backdoor federated learning","volume-title":"Proc. Int. Conf. Artif. Intell. Statist.","author":"Bagdasaryan"},{"key":"ref115","doi-asserted-by":"publisher","DOI":"10.1049\/cit2.12028"},{"key":"ref116","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"ref117","article-title":"Towards more practical threat models in artificial intelligence security","author":"Grosse","year":"2023","journal-title":"arXiv:2311.09994"},{"key":"ref118","doi-asserted-by":"publisher","DOI":"10.1103\/PhysRevResearch.2.033212"},{"key":"ref119","article-title":"Quantum adversarial machine learning and defense strategies: Challenges and opportunities","author":"Yocam","year":"2024","journal-title":"arXiv:2412.12373"},{"key":"ref120","doi-asserted-by":"publisher","DOI":"10.1038\/s42256-023-00661-1"},{"key":"ref121","doi-asserted-by":"publisher","DOI":"10.1109\/MCE.2024.3424513"},{"key":"ref122","doi-asserted-by":"publisher","DOI":"10.4018\/979-8-3373-1102-9.ch010"},{"key":"ref123","doi-asserted-by":"publisher","DOI":"10.1109\/SSE60056.2023.00037"},{"key":"ref124","article-title":"Autonomous threat hunting: A future paradigm for AI-driven threat intelligence","author":"Raja Sindiramutty","year":"2023","journal-title":"arXiv:2401.00286"},{"key":"ref125","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2023.3294090"},{"key":"ref126","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2022.naacl-main.43"},{"key":"ref127","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-45009-0_75"},{"key":"ref128","doi-asserted-by":"publisher","DOI":"10.1126\/science.aaw4399"},{"key":"ref129","doi-asserted-by":"publisher","DOI":"10.3390\/ai4010003"},{"key":"ref130","doi-asserted-by":"publisher","DOI":"10.1016\/B978-0-12-818438-7.00012-5"},{"key":"ref131","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV51070.2023.00407"},{"key":"ref132","volume-title":"Building Trustworthy AI","year":"2021"},{"key":"ref133","doi-asserted-by":"publisher","DOI":"10.1109\/ICMNWC52512.2021.9688490"},{"key":"ref134","doi-asserted-by":"publisher","DOI":"10.1145\/3626234"},{"key":"ref135","article-title":"Towards AI safety: A taxonomy for AI system evaluation","author":"Xia","year":"2024","journal-title":"arXiv:2404.05388"},{"key":"ref136","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-SEIP.2019.00042"},{"key":"ref137","article-title":"AutoDefense: Multi-agent LLM defense against jailbreak attacks","author":"Zeng","year":"2024","journal-title":"arXiv:2403.04783"},{"key":"ref138","doi-asserted-by":"publisher","DOI":"10.1145\/3485133"},{"key":"ref139","doi-asserted-by":"publisher","DOI":"10.1109\/ICHMS59971.2024.10555871"},{"key":"ref140","doi-asserted-by":"publisher","DOI":"10.1145\/3457607"},{"key":"ref141","doi-asserted-by":"publisher","DOI":"10.1561\/3300000041"},{"key":"ref142","article-title":"LLM security","author":"Authors","year":"2023"},{"key":"ref143","article-title":"A security risk taxonomy for prompt-based interaction with large language models","author":"Derner","year":"2023","journal-title":"arXiv:2311.11415"},{"key":"ref144","article-title":"Privacy in large language models: Attacks, defenses and future directions","author":"Li","year":"2023","journal-title":"arXiv:2310.10383"},{"key":"ref145","doi-asserted-by":"publisher","DOI":"10.1609\/aies.v7i1.31664"},{"key":"ref146","article-title":"Baseline defenses for adversarial attacks against aligned language models","author":"Jain","year":"2023","journal-title":"arXiv:2309.00614"},{"key":"ref147","article-title":"A systematic literature review of human-centered, ethical, and responsible AI","author":"Tahaei","year":"2023","journal-title":"arXiv:2302.05284"},{"key":"ref148","first-page":"393","article-title":"Trust and ethics in AI","volume":"35","author":"Hagendorff","year":"2020","journal-title":"AI Soc."},{"key":"ref149","article-title":"Ethics of AI: A systematic literature review of principles and challenges","author":"Ali Khan","year":"2021","journal-title":"arXiv:2109.07906"},{"key":"ref150","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3029280"},{"key":"ref151","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.AI.100-2e2023.ipd"},{"key":"ref152","doi-asserted-by":"publisher","DOI":"10.1109\/MWC.017.2100714"},{"issue":"4","key":"ref153","first-page":"1","article-title":"Adversarial artificial intelligence","volume":"18","author":"Fink","year":"2019","journal-title":"J. Inf. Warfare"},{"key":"ref154","volume-title":"Atlas","year":"2021"},{"key":"ref155","article-title":"Insights and current gaps in open-source LLM vulnerability scanners: A comparative analysis","author":"Brokman","year":"2024","journal-title":"arXiv:2410.16527"},{"key":"ref156","article-title":"Insights and current gaps in open-source LLM vulnerability scanners: A comparative analysis","author":"Brokman","year":"2024","journal-title":"arXiv:2410.16527"},{"key":"ref157","article-title":"Garak: A framework for security probing large language models","author":"Derczynski","year":"2024","journal-title":"arXiv:2406.11036"},{"key":"ref158","volume-title":"Gaurdrails","author":"AI","year":"2023"},{"key":"ref159","article-title":"AI fairness 360: An extensible toolkit for detecting, understanding, and mitigating unwanted algorithmic bias","author":"Bellamy","year":"2018","journal-title":"arXiv:1810.01943"},{"key":"ref160","volume-title":"Purple Llama: Towards Safe and Responsible AI Development","year":"2023"},{"key":"ref161","volume-title":"Prompt Fuzzer: Open-Source Tool for Strengthening GenAI Apps","author":"Security","year":"2024"},{"key":"ref162","doi-asserted-by":"publisher","DOI":"10.51593\/2020ca015"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/6287639\/10820123\/10988535.pdf?arnumber=10988535","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,5,19]],"date-time":"2025-05-19T17:58:38Z","timestamp":1747677518000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10988535\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":162,"URL":"https:\/\/doi.org\/10.1109\/access.2025.3567195","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]}}}