{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,24]],"date-time":"2026-06-24T07:49:21Z","timestamp":1782287361209,"version":"3.54.5"},"reference-count":276,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2026]]},"DOI":"10.1109\/access.2026.3675554","type":"journal-article","created":{"date-parts":[[2026,3,19]],"date-time":"2026-03-19T20:08:18Z","timestamp":1773950898000},"page":"49455-49482","source":"Crossref","is-referenced-by-count":3,"title":["Agentic AI Security: Threats, Defenses, Evaluation, and Open Challenges"],"prefix":"10.1109","volume":"14","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8463-3937","authenticated-orcid":false,"given":"Anshuman","family":"Chhabra","sequence":"first","affiliation":[{"name":"Bellini College of Artificial Intelligence, Cybersecurity and Computing, University of South Florida, Tampa, FL, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-8375-9423","authenticated-orcid":false,"given":"Shrestha","family":"Datta","sequence":"additional","affiliation":[{"name":"Bellini College of Artificial Intelligence, Cybersecurity and Computing, University of South Florida, Tampa, FL, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7979-1009","authenticated-orcid":false,"given":"Shahriar Kabir","family":"Nahin","sequence":"additional","affiliation":[{"name":"Bellini College of Artificial Intelligence, Cybersecurity and Computing, University of South Florida, Tampa, FL, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2768-5308","authenticated-orcid":false,"given":"Prasant","family":"Mohapatra","sequence":"additional","affiliation":[{"name":"Bellini College of Artificial Intelligence, Cybersecurity and Computing, University of South Florida, Tampa, FL, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-97-5656-8"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1016\/0004-3702(83)90008-5"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1038\/nature14539"},{"key":"ref4","first-page":"79","article-title":"A modern approach","volume-title":"Artificial Intelligence","volume":"25","author":"Russell","year":"1995"},{"key":"ref5","first-page":"1877","article-title":"Language models are few-shot learners","volume-title":"Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)","author":"Brown"},{"key":"ref6","article-title":"GPT-4 technical report","volume-title":"arXiv:2303.08774","author":"Achiam","year":"2023"},{"key":"ref7","article-title":"Llama 2: Open foundation and fine-tuned chat models","author":"Touvron","year":"2023","journal-title":"arXiv:2307.09288"},{"key":"ref8","article-title":"A survey of multimodal large language model from a data-centric perspective","author":"Bai","year":"2024","journal-title":"arXiv:2405.16640"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2025.3571946"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1007\/s10916-024-02045-3"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.3390\/forecast5030030"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/3744746"},{"key":"ref13","first-page":"1","article-title":"AI what do large language models \u2018understand","volume":"21","author":"Work","year":"2024","journal-title":"Image"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-54827-7_5"},{"key":"ref15","article-title":"Measuring AI ability to complete long software tasks","author":"Kwa","year":"2025","journal-title":"arXiv:2503.14499"},{"key":"ref16","volume-title":"AI Agents Are Here. So Are the Threats.","year":"2025"},{"key":"ref17","volume-title":"LangChain Documentation","year":"2024"},{"key":"ref18","volume-title":"AutoGPT: An Autonomous GPT Experiment","author":"Richards","year":"2024"},{"key":"ref19","article-title":"Voyager: An open-ended embodied agent with large language models","author":"Wang","year":"2023","journal-title":"arXiv:2305.16291"},{"key":"ref20","first-page":"1","article-title":"Three essentials for agentic AI security","author":"Dal Cin","year":"2025","journal-title":"MIT Sloan Manage. Rev."},{"key":"ref21","volume-title":"Just in time? Manufacturers Turn to AI to Weather Tariff Storm","year":"2025"},{"key":"ref22","volume-title":"Forget Chatbots. AI Agents are the Future","year":"2025"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1145\/3586183.3606763"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1016\/j.cell.2024.09.022"},{"key":"ref25","article-title":"Agentic AI for scientific discovery: A survey of progress, challenges, and future directions","author":"Gridach","year":"2025","journal-title":"arXiv:2503.08979"},{"key":"ref26","volume-title":"Inside the Automated Warehouse Where Robots Are Packing Your Groceries","year":"2025"},{"key":"ref27","article-title":"AutoAgents: A framework for automatic agent generation","author":"Chen","year":"2023","journal-title":"arXiv:2309.17288"},{"key":"ref28","volume-title":"Amazon\u2019s Delivery, Logistics Get AI Boost","year":"2025"},{"key":"ref29","article-title":"Towards a HIPAA compliant agentic AI system in healthcare","author":"Neupane","year":"2025","journal-title":"arXiv:2504.17669"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-90026-6_10"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1016\/j.infoh.2025.03.001"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1038\/s41551-025-01363-2"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1016\/S0140-6736(25)00202-8"},{"key":"ref34","volume-title":"Preventing Zero-Click AI Threats: Insights From EchoLeak","author":"Micro","year":"2025"},{"key":"ref35","volume-title":"AI: Advent of Agents Opens New Possibilities for Attackers","year":"2025"},{"key":"ref36","first-page":"10471","article-title":"InjecAgent: Benchmarking indirect prompt injections in tool-integrated large language model agents","volume-title":"Proc. Findings Assoc. Comput. Linguistics, ACL","author":"Zhan"},{"key":"ref37","article-title":"Prompt infection: LLM-to-LLM prompt injection within multi-agent systems","author":"Lee","year":"2024","journal-title":"arXiv:2410.07283"},{"key":"ref38","article-title":"The dark side of LLMs: Agent-based attacks for complete computer takeover","author":"Lupinacci","year":"2025","journal-title":"arXiv:2507.06850"},{"key":"ref39","article-title":"Agentic misalignment: How LLMs could be insider threats","author":"Lynch","year":"2025","journal-title":"arXiv:2510.05179"},{"key":"ref40","article-title":"Memory injection attacks on LLM agents via query-only interaction","author":"Dong","year":"2025","journal-title":"arXiv:2503.03704"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.52202\/079017-4136"},{"key":"ref42","article-title":"Commercial LLM agents are already vulnerable to simple yet dangerous attacks","author":"Li","year":"2025","journal-title":"arXiv:2502.08586"},{"key":"ref43","article-title":"Imprompter: Tricking LLM agents into improper tool use","author":"Fu","year":"2024","journal-title":"arXiv:2410.14923"},{"key":"ref44","article-title":"AgentHarm: A benchmark for measuring harmfulness of LLM agents","author":"Andriushchenko","year":"2024","journal-title":"arXiv:2410.09024"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.emnlp-main.1771"},{"key":"ref46","volume-title":"When Llms Autonomously Attack","year":"2025"},{"key":"ref47","article-title":"Generative to agentic AI: Survey, conceptualization, and challenges","author":"Schneider","year":"2025","journal-title":"arXiv:2504.18875"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1145\/3711896.3736570"},{"key":"ref49","article-title":"Advances and challenges in foundation agents: From brain-inspired intelligence to evolutionary, collaborative, and safe systems","author":"Liu","year":"2025","journal-title":"arXiv:2504.01990"},{"key":"ref50","article-title":"A survey of self-evolving agents: What, when, how, and where to evolve on the path to artificial super intelligence","author":"Gao","year":"2025","journal-title":"arXiv:2507.21046"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2025.3532853"},{"key":"ref52","article-title":"TRiSM for agentic AI: A review of trust, risk, and security management in LLM-based agentic multi-agent systems","author":"Raza","year":"2025","journal-title":"arXiv:2506.04133"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.6028\/nist.ai.600-1"},{"key":"ref54","article-title":"A prompt pattern catalog to enhance prompt engineering with ChatGPT","author":"White","year":"2023","journal-title":"arXiv:2302.11382"},{"key":"ref55","first-page":"79","article-title":"Not what You\u2019ve signed up for: Compromising real-world LLM-integrated applications with indirect prompt injection","volume-title":"Proc. 16th ACM Workshop Artif. Intell. Secur.","author":"Greshake"},{"key":"ref56","article-title":"Ignore previous prompt: Attack techniques for language models","author":"Perez","year":"2022","journal-title":"arXiv:2211.09527"},{"key":"ref57","article-title":"Design patterns for securing LLM agents against prompt injections","author":"Beurer-Kellner","year":"2025","journal-title":"arXiv:2506.08837"},{"key":"ref58","volume-title":"OWASP GenAI LLM01: Prompt Injection","year":"2025"},{"key":"ref59","article-title":"Prompt injection 2.0: Hybrid AI threats","author":"McHugh","year":"2025","journal-title":"arXiv:2507.13169"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.acl-long.890"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.findings-naacl.395"},{"key":"ref62","article-title":"Universal and transferable adversarial attacks on aligned language models","author":"Zou","year":"2023","journal-title":"arXiv:2307.15043"},{"key":"ref63","article-title":"Automatic and universal prompt injection attacks against large language models","author":"Liu","year":"2024","journal-title":"arXiv:2403.04957"},{"key":"ref64","article-title":"Baseline defenses for adversarial attacks against aligned language models","author":"Jain","year":"2023","journal-title":"arXiv:2309.00614"},{"key":"ref65","article-title":"AutoDAN: Interpretable gradient-based adversarial attacks on large language models","author":"Zhu","year":"2023","journal-title":"arXiv:2310.15140"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.emnlp-main.849"},{"key":"ref67","article-title":"EIA: Environmental injection attack on generalist web agents for privacy leakage","author":"Liao","year":"2024","journal-title":"arXiv:2409.11295"},{"key":"ref68","article-title":"AdvAgent: Controllable blackbox red-teaming on Web agents","author":"Xu","year":"2024","journal-title":"arXiv:2410.17401"},{"key":"ref69","article-title":"Dissecting adversarial robustness of multimodal lm agents","author":"Wu","year":"2024","journal-title":"arXiv:2406.12814"},{"key":"ref70","article-title":"MELON: Provable defense against indirect prompt injection attacks in AI agents","author":"Zhu","year":"2025","journal-title":"arXiv:2502.05174"},{"key":"ref71","article-title":"Attacking vision-language computer agents via pop-ups","author":"Zhang","year":"2024","journal-title":"arXiv:2411.02391"},{"key":"ref72","article-title":"Manipulating LLM web agents with indirect prompt injection attack via HTML accessibility tree","author":"Johnson","year":"2025","journal-title":"arXiv:2507.14799"},{"key":"ref73","article-title":"Examining identity drift in conversations of LLM agents","author":"Choi","year":"2025","journal-title":"arXiv:2412.00804"},{"key":"ref74","article-title":"System prompt poisoning: Persistent attacks on large language models beyond user injection","author":"Guo","year":"2025","journal-title":"arXiv:2505.06493"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1145\/3663529.3663786"},{"key":"ref76","article-title":"Backdoored retrievers for prompt injection attacks on retrieval augmented generation of large language models","author":"Clop","year":"2024","journal-title":"arXiv:2410.14479"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1145\/3746027.3755211"},{"key":"ref78","volume-title":"Unveiling AI Agent Vulnerabilities Part II: Code Execution","author":"Park","year":"2025"},{"key":"ref79","article-title":"Abusing images and sounds for indirect instruction injection in multi-modal LLMs","author":"Bagdasaryan","year":"2023","journal-title":"arXiv:2307.10490"},{"key":"ref80","article-title":"From prompt injections to SQL injection attacks: How protected is your LLM-integrated web application?","author":"Pedro","year":"2023","journal-title":"arXiv:2308.01990"},{"key":"ref81","article-title":"LLM agents can autonomously hack websites","author":"Fang","year":"2024","journal-title":"arXiv:2402.06664"},{"key":"ref82","first-page":"1768","article-title":"Prompt-to-SQL injections in LLM-integrated web applications: Risks and defenses","volume-title":"Proc. IEEE\/ACM 47th Int. Conf. Softw. Eng. (ICSE)","author":"Pedro"},{"key":"ref83","volume-title":"CVE-2024-5565: Vanna.AI Remote Code Execution Vulnerability","year":"2024"},{"key":"ref84","article-title":"Towards fair video summarization","volume-title":"Proc. Trans. Mach. Learn. Res.","author":"Chhabra"},{"key":"ref85","article-title":"Transferable adversarial attacks for image and video object detection","author":"Wei","year":"2018","journal-title":"arXiv:1811.12641"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i07.6918"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1145\/3343031.3351088"},{"key":"ref88","article-title":"AudioJailbreak: Jailbreak attacks against end-to-end large audio-language models","author":"Chen","year":"2025","journal-title":"arXiv:2505.14103"},{"key":"ref89","first-page":"3009","article-title":"Adversarial illusions in multi-modal embeddings","volume-title":"Proc. 33rd USENIX Secur. Symp. (USENIX Secur.)","author":"Bagdasaryan"},{"key":"ref90","article-title":"Attacking multimodal OS agents with malicious image patches","author":"Aichberger","year":"2025","journal-title":"arXiv:2503.10809"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1109\/HIS.2010.5600026"},{"key":"ref92","volume-title":"DeepSeek AI: From Prompt Injection To Account Takeover","author":"Rehberger","year":"2024"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.emnlp-main.302"},{"key":"ref94","article-title":"Here comes the AI worm: Unleashing zero-click worms that target genai-powered applications","author":"Cohen","year":"2024","journal-title":"arXiv:2403.02817"},{"key":"ref95","article-title":"Prompt injection detection and mitigation via AI multi-agent NLP frameworks","author":"Gosmar","year":"2025","journal-title":"arXiv:2503.11517"},{"key":"ref96","article-title":"An early categorization of prompt injection attacks on large language models","author":"Rossi","year":"2024","journal-title":"arXiv:2402.00898"},{"key":"ref97","volume-title":"Technical Blog: Strengthening AI Agent Hijacking Evaluations","year":"2025"},{"key":"ref98","article-title":"Llm agents can autonomously exploit one-day vulnerabilities","author":"Fang","year":"2024","journal-title":"arXiv:2404.08144"},{"key":"ref99","article-title":"OWASP zed attack proxy","author":"Bennetts","year":"2013"},{"key":"ref100","volume-title":"Metasploit: Penetration Tester\u2019s Guide","author":"Kennedy","year":"2011"},{"key":"ref101","volume-title":"CSRF and XSS: Practical Examples Using Burp Suite","author":"Muehlberger","year":"2020"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.32628\/IJSRSET218318"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.31577\/cai_2023_2_480"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-emnlp.624"},{"key":"ref105","article-title":"Toolgen: Unified tool retrieval and calling via generation","author":"Wang","year":"2024","journal-title":"arXiv:2410.03439"},{"key":"ref106","article-title":"Seven security challenges that must be solved in cross-domain multi-agent LLM systems","author":"Ko","year":"2025","journal-title":"arXiv:2505.23847"},{"key":"ref107","article-title":"From prompt injections to protocol exploits: Threats in LLM-powered AI agents workflows","author":"Ferrag","year":"2025","journal-title":"arXiv:2506.23260"},{"key":"ref108","volume-title":"Introduction To MCP. Model Context Protocol","year":"2025"},{"key":"ref109","volume-title":"A2A: A New Era of Agent Interoperability","author":"Surapaneni","year":"2025"},{"key":"ref110","volume-title":"AgentNetworkProtocol (ANP) GitHub Repository","author":"Chang","year":"2024"},{"key":"ref111","volume-title":"Agent Communication Protocol (Linux Foundation)","year":"2024"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1109\/SURV.2013.031413.00127"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484576"},{"key":"ref114","article-title":"PoisonedRAG: Knowledge poisoning attacks to retrieval-augmented generation of large language models","author":"Zou","year":"2024","journal-title":"arXiv:2402.07867"},{"key":"ref115","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58951-6_24"},{"key":"ref116","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2023.i2.587-613"},{"key":"ref117","first-page":"6848","article-title":"Privacy side channels in machine learning systems","volume-title":"Proc. 33rd USENIX Secur. Symp. (USENIX Secur. 24)","author":"Debenedetti"},{"key":"ref118","first-page":"135","article-title":"Spoof resilient coordination for distributed multi-robot systems","volume-title":"Proc. Int. Symp. Multi-Robot Multi-Agent Syst. (MRS)","author":"Renganathan"},{"key":"ref119","first-page":"186","article-title":"Inputs of coma: Static detection of denial-of-service vulnerabilities","volume-title":"Proc. 22nd IEEE Comput. Secur. Found. Symp.","author":"Chang"},{"key":"ref120","article-title":"DrunkAgent: Stealthy memory corruption in LLM-powered recommender agents","author":"Yang","year":"2025","journal-title":"arXiv:2503.23804"},{"key":"ref121","doi-asserted-by":"publisher","DOI":"10.52202\/079017-2336"},{"key":"ref122","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.acl-long.476"},{"key":"ref123","doi-asserted-by":"publisher","DOI":"10.52202\/079017-1421"},{"key":"ref124","doi-asserted-by":"publisher","DOI":"10.1145\/3674399.3674445"},{"key":"ref125","article-title":"A dynamic LLM-powered agent network for task-oriented agent collaboration","volume-title":"Proc. 1st Conf. Lang. Model.","author":"Liu"},{"key":"ref126","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.naacl-long.337"},{"key":"ref127","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833644"},{"key":"ref128","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.230478"},{"key":"ref129","volume-title":"JFrog and Hugging Face Join Forces to Expose Malicious ML Models","year":"2025"},{"key":"ref130","article-title":"Group-aware coordination graph for multi-agent reinforcement learning","author":"Duan","year":"2024","journal-title":"arXiv:2404.10976"},{"key":"ref131","article-title":"Why do multi-agent LLM systems fail?","author":"Cemri","year":"2025","journal-title":"arXiv:2503.13657"},{"key":"ref132","article-title":"Autogen: Enabling next-gen LLM applications via multi-agent conversations","volume-title":"Proc. 1st Conf. Lang. Model.","author":"Wu"},{"key":"ref133","first-page":"11225","article-title":"Adaptive reward-poisoning attacks against reinforcement learning","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Zhang"},{"key":"ref134","doi-asserted-by":"publisher","DOI":"10.1145\/501978.501980"},{"key":"ref135","first-page":"126332","article-title":"Huref: Human-readable fingerprint for large language models","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"37","author":"Zeng"},{"key":"ref136","article-title":"DP-rewrite: Towards reproducibility and transparency in differentially private text rewriting","author":"Igamberdiev","year":"2022","journal-title":"arXiv:2208.10400"},{"key":"ref137","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2022.emnlp-main.425"},{"key":"ref138","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2022.findings-emnlp.148"},{"key":"ref139","doi-asserted-by":"publisher","DOI":"10.1145\/3773080"},{"key":"ref140","doi-asserted-by":"publisher","DOI":"10.1145\/2619091"},{"key":"ref141","article-title":"Permissive information-flow analysis for large language models","author":"Siddiqui","year":"2024","journal-title":"arXiv:2410.03055"},{"key":"ref142","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v39i26.34970"},{"key":"ref143","volume-title":"LLM-Based Agents: The Benefits and the Risks","author":"Singh","year":"2025"},{"key":"ref144","article-title":"Open challenges in multi-agent security: Towards secure systems of interacting AI agents","author":"de Witt","year":"2025","journal-title":"arXiv:2505.02077"},{"key":"ref145","article-title":"What data benefits my classifier? Enhancing model performance and interpretability through influence-based data selection","volume-title":"Proc. ICLR","author":"Chhabra"},{"key":"ref146","first-page":"10334","article-title":"Outlier gradient analysis: Efficiently identifying detrimental training samples for deep learning models","volume-title":"Proc. ICML","author":"Chhabra"},{"key":"ref147","first-page":"43","article-title":"Get my drift? Catching LLM task drift with activation deltas","volume-title":"Proc. IEEE Conf. Secure Trustworthy Mach. Learn. (SaTML)","author":"Abdelnabi"},{"key":"ref148","doi-asserted-by":"publisher","DOI":"10.52202\/075280-0056"},{"key":"ref149","volume-title":"Advanced Interpretability Techniques for Tracing LLM Activations","author":"Petrovic","year":"2025"},{"key":"ref150","doi-asserted-by":"publisher","DOI":"10.52202\/079017-0664"},{"key":"ref151","doi-asserted-by":"publisher","DOI":"10.52202\/068431-1143"},{"key":"ref152","doi-asserted-by":"publisher","DOI":"10.1038\/s42256-020-0186-1"},{"key":"ref153","article-title":"Application of homomorphic encryption in medical imaging","author":"Dutil","year":"2021","journal-title":"arXiv:2110.07768"},{"key":"ref154","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v36i11.21537"},{"key":"ref155","article-title":"Privacy-preserving large language model inference via gpu-accelerated fully homomorphic encryption","volume-title":"Proc. Neurips Safe Generative AI Workshop","author":"de Castro"},{"key":"ref156","article-title":"MPC-minimized secure LLM inference","author":"Rathee","year":"2024","journal-title":"arXiv:2408.03561"},{"key":"ref157","article-title":"An efficient and extensible zero-knowledge proof framework for neural networks","volume":"2024\/703","author":"Lu","year":"2024","journal-title":"Cryptol. ePrint Arch."},{"key":"ref158","doi-asserted-by":"publisher","DOI":"10.1145\/3746027.3755646"},{"key":"ref159","article-title":"Webarena: A realistic web environment for building autonomous agents","author":"Zhou","year":"2023","journal-title":"arXiv:2307.13854"},{"key":"ref160","article-title":"The browsergym ecosystem for web agent research","author":"Chezelles","year":"2024","journal-title":"arXiv:2412.05467"},{"key":"ref161","article-title":"Agentoccam: A simple yet strong baseline for LLM-based web agents","author":"Yang","year":"2024","journal-title":"arXiv:2410.13825"},{"key":"ref162","doi-asserted-by":"publisher","DOI":"10.52202\/068431-2011"},{"key":"ref163","article-title":"Mind2Web: Towards a generalist agent for the web","author":"Deng","year":"2023","journal-title":"arXiv:2306.06070"},{"key":"ref164","article-title":"Open CaptchaWorld: A comprehensive web-based platform for testing and benchmarking multimodal LLM agents","author":"Luo","year":"2025","journal-title":"arXiv:2505.24878"},{"key":"ref165","doi-asserted-by":"publisher","DOI":"10.1145\/3593013.3594033"},{"key":"ref166","article-title":"Fully autonomous ai agents should not be developed","author":"Mitchell","year":"2025","journal-title":"arXiv:2502.02649"},{"key":"ref167","doi-asserted-by":"publisher","DOI":"10.1016\/j.tics.2024.08.007"},{"key":"ref168","article-title":"Ethical and technical challenges in the development, use, and governance of autonomous weapons systems","author":"Bloch","year":"2020"},{"key":"ref169","doi-asserted-by":"publisher","DOI":"10.1163\/2210-7975_hrd-9919-2016005"},{"key":"ref170","article-title":"Chilling autonomy: Policy enforcement for human oversight of AI agents","volume-title":"Proc. 41st Int. Conf. Mach. Learn., Workshop Generative AI Law","author":"Cihon"},{"key":"ref171","article-title":"AI agents that matter","author":"Kapoor","year":"2024","journal-title":"arXiv:2407.01502"},{"key":"ref172","article-title":"PromptArmor: Simple yet effective prompt injection defenses","author":"Shi","year":"2025","journal-title":"arXiv:2507.15219"},{"key":"ref173","article-title":"The instruction hierarchy: Training LLMs to prioritize privileged instructions","author":"Wallace","year":"2024","journal-title":"arXiv:2404.13208"},{"key":"ref174","first-page":"1809","article-title":"Benchmarking and defending against indirect prompt injection attacks on large language models","volume-title":"Proc. 31st ACM SIGKDD Conf. Knowl. Discovery Data Mining","author":"Yi"},{"key":"ref175","article-title":"Improving alignment and robustness with circuit breakers","author":"Zou","year":"2024","journal-title":"arXiv:2406.04313"},{"key":"ref176","article-title":"StruQ: Defending against prompt injection with structured queries","author":"Chen","year":"2024","journal-title":"arXiv:2402.06363"},{"key":"ref177","article-title":"Secalign: Defending against prompt injection with preference optimization","author":"Chen","year":"2024","journal-title":"arXiv:2410.05451"},{"key":"ref178","article-title":"Direct preference optimization: Your language model is secretly a reward model","author":"Rafailov","year":"2023","journal-title":"arXiv:2305.18290"},{"key":"ref179","article-title":"A critical evaluation of defenses against prompt injection attacks","author":"Jia","year":"2025","journal-title":"arXiv:2505.18333"},{"key":"ref180","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2025.241131","article-title":"IsolateGPT: An execution isolation architecture for LLM-based agentic systems","volume-title":"Proc. Netw. Distrib. Syst. Secur. (NDSS) Symp.","author":"Wu"},{"key":"ref181","article-title":"Defeating prompt injections by design","author":"Debenedetti","year":"2025","journal-title":"arXiv:2503.18813"},{"key":"ref182","doi-asserted-by":"publisher","DOI":"10.1063\/5.0222987"},{"key":"ref183","article-title":"Intriguing properties of neural networks","author":"Szegedy","year":"2013","journal-title":"arXiv:1312.6199"},{"key":"ref184","first-page":"10000","article-title":"TrustAgent: Towards safe and trustworthy LLM-based agents through agent constitution","volume-title":"Proc. Trustworthy Multi-Modal Found. Models AI Agents (TiFA)","author":"Hua"},{"key":"ref185","volume-title":"Fine-Tuned DeBERTa-V3-Base for Prompt Injection Detection","year":"2024"},{"key":"ref186","first-page":"2190","article-title":"DataSentinel: A game-theoretic detection of prompt injection attacks","volume-title":"Proc. IEEE Symp. Secur. Privacy (SP)","author":"Liu"},{"key":"ref187","first-page":"105","article-title":"Jatmo: Prompt injection defense by task-specific finetuning","volume-title":"Proc. Eur. Symp. Res. Comput. Secur.","author":"Piet"},{"key":"ref188","article-title":"AgentDojo: A dynamic environment to evaluate prompt injection attacks and defenses for LLM agents","author":"Debenedetti","year":"2024","journal-title":"arXiv:2406.13352"},{"key":"ref189","article-title":"Defending against indirect prompt injection attacks with spotlighting","author":"Hines","year":"2024","journal-title":"arXiv:2403.14720"},{"key":"ref190","article-title":"Robustness via referencing: Defending against prompt injection attacks by referencing the executed instruction","author":"Chen","year":"2025","journal-title":"arXiv:2504.20472"},{"key":"ref191","article-title":"Detecting language model attacks with perplexity","author":"Alon","year":"2023","journal-title":"arXiv:2308.14132"},{"key":"ref192","article-title":"Aligning LLMs to be robust against prompt injection","author":"Chen","year":"2024","journal-title":"arXiv:2410.05451"},{"key":"ref193","article-title":"Llama guard: LLM-based input\u2013output safeguard for human-AI conversations","author":"Inan","year":"2023","journal-title":"arXiv:2312.06674"},{"key":"ref194","first-page":"1831","article-title":"Formalizing and benchmarking prompt injection attacks and defenses","volume-title":"Proc. 33rd USENIX Secur. Symp. (USENIX Secur.)","author":"Liu"},{"key":"ref195","article-title":"The task shield: Enforcing task alignment to defend against indirect prompt injection in LLM agents","author":"Jia","year":"2024","journal-title":"arXiv:2412.16682"},{"key":"ref196","article-title":"Current state of LLM risks and AI guardrails","author":"Ayyamperumal","year":"2024","journal-title":"arXiv:2406.12934"},{"key":"ref197","doi-asserted-by":"publisher","DOI":"10.1109\/CAIN66642.2025.00010"},{"key":"ref198","article-title":"GuardAgent: Safeguard LLM agents by a guard agent via knowledge-enabled reasoning","author":"Xiang","year":"2024","journal-title":"arXiv:2406.09187"},{"key":"ref199","article-title":"Agentspec: Customizable runtime enforcement for safe and reliable LLM agents","author":"Wang","year":"2025","journal-title":"arXiv:2503.18666"},{"key":"ref200","article-title":"Shieldagent: Shielding agents via verifiable safety policy reasoning","author":"Chen","year":"2025","journal-title":"arXiv:2503.22738"},{"key":"ref201","article-title":"R2-guard: Robust reasoning enabled LLM guardrail via knowledge-enhanced logical reasoning","author":"Kang","year":"2024","journal-title":"arXiv:2407.05557"},{"key":"ref202","first-page":"8322","article-title":"Llavaguard: VLM-based safeguard for vision dataset curation and safety assessment","volume-title":"Proc. IEEE\/CVF Conf. Comput. Vis. Pattern Recognit.","author":"Helff"},{"key":"ref203","article-title":"Safewatch: An efficient safety-policy following video guardrail model with transparent explanations","author":"Chen","year":"2024","journal-title":"arXiv:2412.06878"},{"key":"ref204","article-title":"SandboxEval: Towards securing test environment for untrusted code","author":"Rabin","year":"2025","journal-title":"arXiv:2504.00018"},{"key":"ref205","article-title":"Evaluating large language models trained on code","author":"Chen","year":"2021","journal-title":"arXiv:2107.03374"},{"key":"ref206","first-page":"54","article-title":"SALLM: Security assessment of generated code","volume-title":"Proc. 39th IEEE\/ACM Int. Conf. Automated Softw. Eng. Workshops","author":"Siddiq"},{"key":"ref207","doi-asserted-by":"publisher","DOI":"10.1609\/aies.v7i1.31664"},{"key":"ref208","article-title":"Identifying the risks of LM agents with an LM-emulated sandbox","author":"Ruan","year":"2023","journal-title":"arXiv:2309.15817"},{"key":"ref209","article-title":"Reinforcement learning for safe LLM code generation","author":"Huang","year":"2025"},{"key":"ref210","article-title":"A neural sandbox framework for discovering spurious concepts in LLM decisions","author":"Mushsharat","year":"2024"},{"key":"ref211","doi-asserted-by":"publisher","DOI":"10.1109\/CDC49753.2023.10384154"},{"key":"ref212","article-title":"A new era in LLM security: Exploring security concerns in real-world LLM-based systems","author":"Wu","year":"2024","journal-title":"arXiv:2402.18649"},{"key":"ref213","volume-title":"CloudImposer: Executing Code on Millions of Google Servers With a Single Malicious Package","year":"2024"},{"key":"ref214","article-title":"Pro2Guard: Proactive runtime enforcement of LLM agent safety via probabilistic model checking","author":"Wang","year":"2025","journal-title":"arXiv:2508.00500"},{"key":"ref215","doi-asserted-by":"publisher","DOI":"10.1109\/TCNS.2021.3061900"},{"key":"ref216","doi-asserted-by":"publisher","DOI":"10.1109\/RAID67961.2025.00015"},{"key":"ref217","volume-title":"NCCoE Cyber AI Profile","year":"2025"},{"key":"ref218","volume-title":"Agentic AI\u2014Threats & Mitigations","year":"2025"},{"key":"ref219","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-032-02130-4_2"},{"key":"ref220","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.findings-naacl.123"},{"key":"ref221","article-title":"DoomArena: A framework for testing AI agents against evolving security threats","volume-title":"Proc. Conf. Lang. Model.","author":"Boisvert"},{"key":"ref222","article-title":"Reinforcement learning on web interfaces using workflow-guided exploration","volume-title":"Proc. Int. Conf. Learn. Represent.","author":"Liu"},{"key":"ref223","article-title":"\u03c4-bench: A benchmark for tool-agent-user interaction in real-world domains","author":"Yao","year":"2024","journal-title":"arXiv:2406.12045"},{"key":"ref224","article-title":"GTA: A benchmark for general tool agents","author":"Wang","year":"2024","journal-title":"arXiv:2407. 08713"},{"key":"ref225","doi-asserted-by":"publisher","DOI":"10.52202\/079017-1650"},{"key":"ref226","article-title":"OSWorld-human: Benchmarking the efficiency of computer-use agents","author":"Abhyankar","year":"2025","journal-title":"arXiv:2506.16042"},{"key":"ref227","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.acl-long.50"},{"key":"ref228","article-title":"AndroidWorld: A dynamic benchmarking environment for autonomous agents","volume-title":"Proc. 13th Int. Conf. Learn. Represent.","author":"Rawles"},{"key":"ref229","doi-asserted-by":"publisher","DOI":"10.52202\/068431-1508"},{"key":"ref230","article-title":"AgentBench: Evaluating LLMs as agents","volume-title":"Proc. 12th Int. Conf. Learn. Represent.","author":"Liu"},{"key":"ref231","article-title":"WebChoreArena: Evaluating web browsing agents on realistic tedious web tasks","author":"Miyai","year":"2025","journal-title":"arXiv:2506.01952"},{"key":"ref232","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.findings-acl.1113"},{"key":"ref233","first-page":"8938","article-title":"AssistantBench: Can web agents solve realistic and time-consuming tasks?","volume-title":"Proc. Conf. Empirical Methods Natural Lang. Process.","author":"Yoran"},{"key":"ref234","article-title":"St-WebAgentBench: A benchmark for evaluating safety and trustworthiness in web agents","author":"Levy","year":"2024","journal-title":"arXiv:2410.06703"},{"key":"ref235","article-title":"OS-Harm: A benchmark for measuring safety of computer use agents","author":"Kuntz","year":"2025","journal-title":"arXiv:2506.14866"},{"key":"ref236","first-page":"1467","article-title":"R-judge: Benchmarking safety risk awareness for LLM agents","volume-title":"Proc. Findings Assoc. Comput. Linguistics, EMNLP","author":"Yuan"},{"key":"ref237","article-title":"Agent security bench (ASB): Formalizing and benchmarking attacks and defenses in LLM-based agents","volume-title":"Proc. 13th Int. Conf. Learn. Represent.","author":"Zhang"},{"key":"ref238","first-page":"89373","article-title":"Privacylens: Evaluating privacy norm awareness of language models in action","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"37","author":"Shao"},{"key":"ref239","article-title":"Agent-SafetyBench: Evaluating the safety of LLM agents","author":"Zhang","year":"2025","journal-title":"arXiv:2412.14470"},{"key":"ref240","article-title":"SafeAgentBench: A benchmark for safe task planning of embodied LLM agents","author":"Yin","year":"2024","journal-title":"arXiv:2412.13178"},{"key":"ref241","article-title":"Cybersecurity AI benchmark (CAIBench): A meta-benchmark for evaluating cybersecurity AI agents","author":"Sanz-G\u00f3mez","year":"2025","journal-title":"arXiv:2510.24317"},{"key":"ref242","article-title":"WASP: Benchmarking web agent security against prompt injection attacks","volume-title":"Proc. ICML Workshop Comput. Use Agents","author":"Evtimov"},{"key":"ref243","first-page":"60404","article-title":"SafeArena: Evaluating the safety of autonomous web agents","volume-title":"Proc. 42nd Int. Conf. Mach. Learn.","author":"Tur"},{"key":"ref244","article-title":"Openagentsafety: A comprehensive framework for evaluating real-world ai agent safety","author":"Vijayvargiya","year":"2025","journal-title":"arXiv preprint arXiv:2507.06134"},{"key":"ref245","article-title":"MCP-SafetyBench: A benchmark for safety evaluation of large language models with real-world MCP servers","author":"Zong","year":"2025","journal-title":"arXiv:2512.15163"},{"key":"ref246","article-title":"MCPSecBench: A systematic security benchmark and playground for testing model context protocols","author":"Yang","year":"2025","journal-title":"arXiv:2508.13220"},{"key":"ref247","article-title":"MAGPIE: A dataset for multi-AGent contextual privacy evaluation","author":"Juneja","year":"2025","journal-title":"arXiv:2506.20737"},{"key":"ref248","article-title":"Multimodal web navigation with instruction-finetuned foundation models","author":"Furuta","year":"2023","journal-title":"arXiv:2305.11854"},{"key":"ref249","doi-asserted-by":"publisher","DOI":"10.52202\/075280-1490"},{"key":"ref250","first-page":"35181","article-title":"HarmBench: A standardized evaluation framework for automated red teaming and robust refusal","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Mazeika"},{"key":"ref251","doi-asserted-by":"publisher","DOI":"10.52202\/079017-1745"},{"key":"ref252","article-title":"Large language model evaluation via multi ai agents: Preliminary results","author":"Rasheed","year":"2024","journal-title":"arXiv:2404.01023"},{"key":"ref253","article-title":"A survey on LLM-as-a-judge","author":"Gu","year":"2024","journal-title":"arXiv:2411.15594"},{"key":"ref254","article-title":"Agent-as-a-judge: Evaluate agents with agents","author":"Zhuge","year":"2024","journal-title":"arXiv:2410.10934"},{"key":"ref255","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.acl-industry.75"},{"key":"ref256","article-title":"Agentrewardbench: Evaluating automatic evaluations of web agent trajectories","author":"L\u00f9","year":"2025","journal-title":"arXiv:2504.08942"},{"key":"ref257","article-title":"Can we rely on LLM agents to draft long-horizon plans? Let\u2019s take TravelPlanner as an example","author":"Chen","year":"2024","journal-title":"arXiv:2408.06318"},{"key":"ref258","article-title":"Long-context LLMs struggle with long in-context learning","author":"Li","year":"2024","journal-title":"arXiv:2404.02060"},{"key":"ref259","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.acl-long.1575"},{"key":"ref260","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.findings-acl.332"},{"key":"ref261","article-title":"Sleeper agents: Training deceptive LLMs that persist through safety training","author":"Hubinger","year":"2024","journal-title":"arXiv:2401.05566"},{"key":"ref262","article-title":"On the resilience of LLM-based multi-agent collaboration with faulty agents","author":"Huang","year":"2024","journal-title":"arXiv:2408. 00989"},{"key":"ref263","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.findings-acl.349"},{"key":"ref264","article-title":"BadJudge: Backdoor vulnerabilities of LLM-as-a-judge","volume-title":"Proc. ICLR","author":"Tong"},{"key":"ref265","first-page":"274","article-title":"Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Athalye"},{"key":"ref266","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140444"},{"key":"ref267","doi-asserted-by":"publisher","DOI":"10.1002\/rob.21513"},{"key":"ref268","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046719"},{"key":"ref269","article-title":"Adversarial objects against LiDAR-based autonomous driving systems","author":"Cao","year":"2019","journal-title":"arXiv:1907.05418"},{"key":"ref270","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66787-4_22"},{"key":"ref271","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"ref272","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW.2019.00012"},{"key":"ref273","first-page":"2165","article-title":"RT-2: Vision-language-action models transfer web knowledge to robotic control","volume-title":"Proc. Conf. Robot Learn.","author":"Brohan"},{"key":"ref274","first-page":"2679","article-title":"OpenVLA: An open-source vision-language-action model","volume-title":"Proc. Conf. Robot Learn.","author":"Kim"},{"key":"ref275","doi-asserted-by":"publisher","DOI":"10.1002\/smb2.70003"},{"key":"ref276","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2024.3471904"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/6287639\/11323511\/11447227.pdf?arnumber=11447227","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,6]],"date-time":"2026-04-06T19:58:16Z","timestamp":1775505496000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11447227\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026]]},"references-count":276,"URL":"https:\/\/doi.org\/10.1109\/access.2026.3675554","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026]]}}}