{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,2]],"date-time":"2025-07-02T04:05:29Z","timestamp":1751429129174,"version":"3.41.0"},"reference-count":85,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2025]]},"DOI":"10.1109\/access.2025.3582519","type":"journal-article","created":{"date-parts":[[2025,6,23]],"date-time":"2025-06-23T17:28:39Z","timestamp":1750699719000},"page":"109607-109623","source":"Crossref","is-referenced-by-count":0,"title":["Broken Bags: Disrupting Service Through the Contamination of Large Language Models With Misinformation"],"prefix":"10.1109","volume":"13","author":[{"given":"Yonghua","family":"Mo","sequence":"first","affiliation":[{"name":"School of Information Engineering, Guilin Institute of Information Technology, Guilin, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-2785-7268","authenticated-orcid":false,"given":"Maoyang","family":"Tang","sequence":"additional","affiliation":[{"name":"School of Information Engineering, Guilin Institute of Information Technology, Guilin, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ruohan","family":"Lin","sequence":"additional","affiliation":[{"name":"School of Information Engineering, Guilin Institute of Information Technology, Guilin, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bohao","family":"Zhou","sequence":"additional","affiliation":[{"name":"School of Information Engineering, Guilin Institute of Information Technology, Guilin, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-0583-7043","authenticated-orcid":false,"given":"Xiaojian","family":"Li","sequence":"additional","affiliation":[{"name":"School of Electronic Engineering, Guilin Institute of Information Technology, Guilin, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","article-title":"Gpt-4 technical report","volume-title":"arXiv:2303.08774","author":"OpenAI","year":"2023"},{"volume-title":"Meta Ai","year":"2025","key":"ref2"},{"key":"ref3","article-title":"PaLM 2 technical report","volume-title":"arXiv:2305.10403","author":"Anil","year":"2023"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/3604237.3626891"},{"key":"ref5","article-title":"AutoLAW: Augmented legal reasoning through legal precedent prediction","author":"Zev Mahari","year":"2021","journal-title":"arXiv:2106.16034"},{"key":"ref6","first-page":"47","article-title":"Chain of reference prompting helps LLM to think like a lawyer","volume-title":"Proc. Generative AI+ Law Workshop","author":"Kuppa"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1007\/s10439-023-03327-6"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.emnlp-main.397"},{"key":"ref9","article-title":"Evaluating the susceptibility of pre-trained language models via handcrafted adversarial examples","author":"Branch","year":"2022","journal-title":"arXiv:2209.02128"},{"key":"ref10","first-page":"80079","article-title":"Jailbroken: How does LLM safety training fail?","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Wei"},{"key":"ref11","article-title":"Universal and transferable adversarial attacks on aligned language models","author":"Zou","year":"2023","journal-title":"arXiv:2307.15043"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.24188"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i19.30150"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.findings-emnlp.272"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833579"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179451"},{"key":"ref17","first-page":"1831","article-title":"Formalizing and benchmarking prompt injection attacks and defenses","volume-title":"Proc. 33rd USENIX Secur. Symp.","author":"Liu"},{"key":"ref18","article-title":"Ignore previous prompt: Attack techniques for language models","author":"Perez","year":"2022","journal-title":"arXiv:2211.09527"},{"key":"ref19","article-title":"Prompt injection attack against LLM-integrated applications","author":"Liu","year":"2023","journal-title":"arXiv:2306.05499"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/3605764.3623985"},{"key":"ref21","article-title":"From prompt injections to SQL injection attacks: How protected is your LLM-integrated Web application?","author":"Pedro","year":"2023","journal-title":"arXiv:2308.01990"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670388"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00179"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.emnlp-main.849"},{"key":"ref25","first-page":"2633","article-title":"Extracting training data from large language models","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Carlini"},{"key":"ref26","article-title":"Backdoor attacks for in-context learning with language models","author":"Kandpal","year":"2023","journal-title":"arXiv:2307.14692"},{"key":"ref27","first-page":"35413","article-title":"Poisoning language models during instruction tuning","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Wan"},{"key":"ref28","article-title":"Quantifying memorization across neural language models","author":"Carlini","year":"2022","journal-title":"arXiv:2202.07646"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.findings-acl.719"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00095"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.emnlp-main.550"},{"key":"ref32","first-page":"9459","article-title":"Retrieval-augmented generation for knowledge-intensive NLP tasks","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Lewis"},{"key":"ref33","first-page":"2206","article-title":"Improving language models by retrieving from trillions of tokens","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Borgeaud"},{"key":"ref34","article-title":"LaMDA: Language models for dialog applications","author":"Thoppilan","year":"2022","journal-title":"arXiv:2201.08239"},{"volume-title":"Cohere","year":"2025","key":"ref35"},{"volume-title":"Google Cloud","year":"2025","author":"Guidance","key":"ref36"},{"key":"ref37","article-title":"Retrieval-augmented generation for AI-generated content: A survey","author":"Zhao","year":"2024","journal-title":"arXiv:2402.19473"},{"volume-title":"Nvidia","year":"2025","author":"ChatRTX","key":"ref38"},{"volume-title":"GITHUB","year":"2025","key":"ref39"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/D18-1259"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1162\/tacl_a_00276"},{"key":"ref42","article-title":"Unsupervised dense information retrieval with contrastive learning","author":"Izacard","year":"2021","journal-title":"arXiv:2112.09118"},{"key":"ref43","article-title":"Self-RAG: Learning to retrieve, generate, and critique through self-reflection","author":"Asai","year":"2023","journal-title":"arXiv:2310.11511"},{"key":"ref44","article-title":"Approximate nearest neighbor negative contrastive learning for dense text retrieval","author":"Xiong","year":"2020","journal-title":"arXiv:2007.00808"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2024.112758"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.findings-emnlp.307"},{"key":"ref47","article-title":"Rag and roll: An end-to-end evaluation of indirect prompt manipulations in LLM-based application frameworks","author":"De Stefano","year":"2024","journal-title":"arXiv:2408.05025"},{"key":"ref48","article-title":"Phantom: General trigger attacks on retrieval augmented language generation","author":"Chaudhari","year":"2024","journal-title":"arXiv:2405.20485"},{"key":"ref49","article-title":"PoisonedRAG: Knowledge corruption attacks to retrieval-augmented generation of large language models","author":"Zou","year":"2024","journal-title":"arXiv:2402.07867"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-emnlp.161"},{"key":"ref51","article-title":"Machine against the RAG: Jamming retrieval-augmented generation with blocker documents","author":"Shafran","year":"2024","journal-title":"arXiv:2406.05870"},{"key":"ref52","article-title":"Black-box opinion manipulation attacks to retrieval-augmented generation of large language models","author":"Chen","year":"2024","journal-title":"arXiv:2407.13757"},{"key":"ref53","article-title":"Backdoored retrievers for prompt injection attacks on retrieval augmented generation of large language models","author":"Clop","year":"2024","journal-title":"arXiv:2410.14479"},{"key":"ref54","article-title":"Unleashing worms and extracting data: Escalating the outcome of attacks against RAG-based inference in scale and severity using jailbreaking","author":"Cohen","year":"2024","journal-title":"arXiv:2409.08045"},{"key":"ref55","first-page":"3520","article-title":"Certified defenses for data poisoning attacks","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Steinhardt"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00057"},{"key":"ref57","first-page":"8011","article-title":"Spectral signatures in backdoor attacks","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Tran"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359790"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1002\/9781119875437"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i9.16971"},{"key":"ref62","article-title":"Deep partition aggregation: Provable defense against general poisoning attacks","author":"Levine","year":"2020","journal-title":"arXiv:2006.14768"},{"key":"ref63","first-page":"1","article-title":"MS MARCO: A human generated MAchine reading COmprehension dataset","volume-title":"Proc. CoCo@NIPS","volume":"1773","author":"Nguyen"},{"key":"ref64","article-title":"Evaluating the performance of large language models for SDG mapping (Technical Report)","volume-title":"arXiv:2408.02201","author":"Yin","year":"2024"},{"volume-title":"Bigmodel.cn","year":"2025","key":"ref65"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.findings-emnlp.679"},{"key":"ref67","article-title":"Baseline defenses for adversarial attacks against aligned language models","author":"Jain","year":"2023","journal-title":"arXiv:2309.00614"},{"key":"ref68","article-title":"Detecting language model attacks with perplexity","author":"Alon","year":"2023","journal-title":"arXiv:2308.14132"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.6028\/nist.sp.500-331.news-overview"},{"key":"ref70","article-title":"BEIR: A heterogenous benchmark for zero-shot evaluation of information retrieval models","author":"Thakur","year":"2021","journal-title":"arXiv:2104.08663"},{"key":"ref71","article-title":"Fine-tuning or retrieval? Comparing knowledge injection in LLMs","author":"Ovadia","year":"2023","journal-title":"arXiv:2312.05934"},{"key":"ref72","first-page":"51008","article-title":"TrojLLM: A black-box trojan prompt attack on large language models","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Xue"},{"key":"ref73","article-title":"Test-time backdoor attacks on multimodal large language models","author":"Lu","year":"2024","journal-title":"arXiv:2402.08577"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.3233\/FAIA230254"},{"key":"ref75","article-title":"TrojText: Test-time invisible textual trojan insertion","author":"Lou","year":"2023","journal-title":"arXiv:2303.02242"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-68887-5_14"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-acl.624"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1109\/SURV.2013.031413.00127"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2024.3393548"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2024.3486034"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2025.3535943"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1109\/ICFTSS61109.2024.10691328"},{"volume-title":"Microsoft.github.io","year":"2025","key":"ref83"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.7326\/M23-3389"},{"key":"ref85","article-title":"Llama 2: Open foundation and fine-tuned chat models","author":"Touvron","year":"2023","journal-title":"arXiv:2307.09288"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/6287639\/10820123\/11048579.pdf?arnumber=11048579","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,1]],"date-time":"2025-07-01T05:26:16Z","timestamp":1751347576000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11048579\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":85,"URL":"https:\/\/doi.org\/10.1109\/access.2025.3582519","relation":{},"ISSN":["2169-3536"],"issn-type":[{"type":"electronic","value":"2169-3536"}],"subject":[],"published":{"date-parts":[[2025]]}}}