{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T16:20:31Z","timestamp":1783009231767,"version":"3.54.5"},"reference-count":81,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"name":"Project SEcurity and Rights in the CyberSpace (SERICS) through the Ministero dell\u2019Universit\u00c3 e della Ricerca (MUR) National Recovery and Resilience Plan funded by the European Union-NextGenerationEU","award":["PE00000014"],"award-info":[{"award-number":["PE00000014"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2025]]},"DOI":"10.1109\/access.2025.3619764","type":"journal-article","created":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T17:54:48Z","timestamp":1760032488000},"page":"176482-176500","source":"Crossref","is-referenced-by-count":6,"title":["A Lifecycle-Oriented Survey of Emerging Threats and Vulnerabilities in Large Language Models"],"prefix":"10.1109","volume":"13","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0641-4792","authenticated-orcid":false,"given":"Carmen","family":"de Maio","sequence":"first","affiliation":[{"name":"Department of Computer Science, University of Salerno, Fisciano, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-5434-5426","authenticated-orcid":false,"given":"Maria","family":"Di Gisi","sequence":"additional","affiliation":[{"name":"IMT School for Advanced Studies Lucca, Lucca, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4736-0113","authenticated-orcid":false,"given":"Giuseppe","family":"Fenza","sequence":"additional","affiliation":[{"name":"Department of Management and Innovation Systems, University of Salerno, Fisciano, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5474-2697","authenticated-orcid":false,"given":"Mariacristina","family":"Gallo","sequence":"additional","affiliation":[{"name":"Department of Management and Innovation Systems, University of Salerno, Fisciano, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4807-8942","authenticated-orcid":false,"given":"Vincenzo","family":"Loia","sequence":"additional","affiliation":[{"name":"Department of Management and Innovation Systems, University of Salerno, Fisciano, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/VCRIS63677.2024.10813382"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-97-1274-8_6"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/LT60077.2024.10469434"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/TETCI.2024.3378652"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1038\/s41586-024-07566-y"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1007\/s00146-024-02173-x"},{"key":"ref7","first-page":"11165","article-title":"A tale of tails: Model collapse as a change of scaling laws","volume-title":"Proc. 41st Int. Conf. Mach. Learn.","volume":"235","author":"Dohmatob"},{"key":"ref8","article-title":"Beyond model collapse: Scaling up with synthesized data requires verification","volume-title":"Proc. Int. Conf. Learn. Represent.","author":"Feng"},{"key":"ref9","article-title":"Is model collapse inevitable? breaking the curse of recursion by accumulating real and synthetic data","volume-title":"Proc. ICML Workshop Foundation Models Wild","author":"Gerstgrasser"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1145\/3701268.3701272"},{"key":"ref11","first-page":"87801","article-title":"Dager: Exact gradient inversion for large language models","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"37","author":"Petrov"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v39i26.34985"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.emnlp-main.303"},{"key":"ref14","first-page":"7641","article-title":"Lamp: Extracting text from gradients with language model priors","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"35","author":"Balunovic"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.00981"},{"key":"ref16","article-title":"ReCIT: Reconstructing full private data from gradient in parameter-efficient fine-tuning of large language models","author":"Xie","year":"2025","journal-title":"arXiv:2504.20570"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/3703155"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1016\/j.compeleceng.2025.110307"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.emnlp-main.155"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-naacl.85"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.emnlp-main.397"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1016\/j.websem.2024.100844"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2022.findings-acl.61"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2021.emnlp-main.168"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v37i11.26596"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.eacl-main.156"},{"key":"ref27","article-title":"Universal and transferable adversarial attacks on aligned language models","author":"Zou","year":"2023","journal-title":"arXiv:2307.15043"},{"key":"ref28","article-title":"Can LLM-generated misinformation be detected?","volume-title":"Proc. NeurIPS Workshop Regulatable ML","author":"Chen"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.acl-long.793"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1016\/j.mlwa.2024.100545"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2024.3406644"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616679"},{"issue":"93","key":"ref33","first-page":"64","article-title":"Large language models, propaganda and security challenges","volume":"4","author":"Diana-Cristiana","year":"2024","journal-title":"Strategic Impact"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1093\/pnasnexus\/pgae034"},{"key":"ref35","first-page":"4693","article-title":"Malla: Demystifying real-world large language model integrated malicious services","volume-title":"Proc. 33rd USENIX Secur. Symp. (USENIX Secur.)","author":"Lin"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2023.3300381"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/3531146.3533088"},{"key":"ref38","article-title":"Large language models can be used to effectively scale spear phishing campaigns","author":"Hazell","year":"2023","journal-title":"arXiv:2305.06972"},{"key":"ref39","first-page":"1669","article-title":"DeepPhish: Understanding user trust towards artificially generated profiles in online social networks","volume-title":"Proc. 31st USENIX Secur. Symp. (USENIX Secur.)","author":"Mink"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-96-1624-4_11"},{"key":"ref41","article-title":"Llama guard: LLM-based input\u2013output safeguard for human-AI conversations","author":"Inan","year":"2023","journal-title":"arXiv:2312.06674"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.emnlp-demo.40"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v37i12.26752"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.emnlp-main.656"},{"key":"ref45","first-page":"2633","article-title":"Extracting training data from large language models","volume-title":"Proc. 30th USENIX Secur. Symp. (USENIX Secur.)","author":"Carlini"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.56553\/popets-2023-0070"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/SoutheastCon56624.2025.10971722"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/IS61756.2024.10705238"},{"key":"ref49","article-title":"Denial-of-service poisoning attacks against large language models","author":"Gao","year":"2024","journal-title":"arXiv:2410.10760"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1145\/3583780.3615211"},{"key":"ref51","article-title":"Prompt injection attack against LLM-integrated applications","author":"Liu","year":"2023","journal-title":"arXiv:2306.05499"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1145\/3605764.3623985"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690338"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE55347.2025.00007"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1145\/3634737.3659433"},{"key":"ref56","article-title":"Data extraction attacks in retrieval-augmented generation via backdoors","author":"Peng","year":"2024","journal-title":"arXiv:2411.01705"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-emnlp.161"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/3663529.3663786"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1007\/s10462-024-10896-y"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-acl.61"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1109\/Allerton63246.2024.10735305"},{"key":"ref62","article-title":"A systematic review of poisoning attacks against large language models","author":"Fendley","year":"2025","journal-title":"arXiv:2506.06518"},{"key":"ref63","article-title":"Scalable extraction of training data from (production) language models","author":"Nasr","year":"2023","journal-title":"arXiv:2311.17035"},{"key":"ref64","first-page":"1831","article-title":"Formalizing and benchmarking prompt injection attacks and defenses","volume-title":"Proc. 33rd USENIX Secur. Symp. (USENIX Secur.)","author":"Liu"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-acl.443"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-85240-4_14"},{"key":"ref67","article-title":"Membership inference attacks on large-scale models: A survey","author":"Wu","year":"2025","journal-title":"arXiv:2503.19338"},{"key":"ref68","first-page":"91","article-title":"Modelleeching: An extraction attack targeting LLMs","volume-title":"Proc. Conf. Appl. Mach. Learn. Inf. Secur. (CAMLIS)","volume":"3652","author":"Birch"},{"key":"ref69","first-page":"5680","article-title":"Stealing part of a production language model","volume-title":"Proc. 41st Int. Conf. Mach. Learn.","author":"Carlini"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1016\/j.compeleceng.2024.109698"},{"key":"ref71","article-title":"Code security vulnerability repair using reinforcement learning with large language models","author":"Islam","year":"2024","journal-title":"arXiv:2401.07031"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-58687-3_6"},{"key":"ref73","first-page":"239","article-title":"Person-of-interest detection on mobile forensics data\u2014AI-driven roadmap","volume":"3654","author":"Mykhaylova","year":"2024","journal-title":"Cybersecurity Providing Inf. Telecommun. Syst."},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1016\/j.hcc.2024.100211"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1007\/s10462-024-10824-0"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1145\/3712001"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1016\/j.hcc.2025.100300"},{"key":"ref78","article-title":"Cognitive filter bubble: Investigating bias and neutrality vulnerabilities of LLMs in sensitive contexts","volume-title":"Proc. Joint Nat. Conf. Cybersecurity (ITASEC & SERICS 2025)","volume":"3962","author":"Di Gisi"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2024.09.653"},{"key":"ref80","first-page":"17","article-title":"Privacy in pharmacogenetics: An end-to-end case study of personalized warfarin dosing","volume-title":"Proc. 23rd USENIX Conf. Secur. Symp.","author":"Fredrikson"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/6287639\/10820123\/11197479.pdf?arnumber=11197479","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,17]],"date-time":"2025-10-17T17:42:08Z","timestamp":1760722928000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11197479\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":81,"URL":"https:\/\/doi.org\/10.1109\/access.2025.3619764","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]}}}