{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,25]],"date-time":"2026-05-25T20:07:31Z","timestamp":1779739651490,"version":"3.53.1"},"reference-count":52,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2026]]},"DOI":"10.1109\/access.2026.3693560","type":"journal-article","created":{"date-parts":[[2026,5,14]],"date-time":"2026-05-14T19:58:44Z","timestamp":1778788724000},"page":"76200-76221","source":"Crossref","is-referenced-by-count":0,"title":["Temporal Dynamics of Memory Poisoning in Web3-Style LLM Agents"],"prefix":"10.1109","volume":"14","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8669-9777","authenticated-orcid":false,"given":"Abbas","family":"Yazdinejad","sequence":"first","affiliation":[{"name":"Department of Computer Science, Decentralized Cybersecurity &#x0026; Artificial Intelligence Laboratory (DCAILab), University of Regina, Regina, SK, Canada"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7948-4033","authenticated-orcid":false,"given":"Hadis","family":"Karimipour","sequence":"additional","affiliation":[{"name":"Department of Electrical and Software Engineering, Smart Cyber-Physical (SCPS) Laboratory, University of Calgary, Calgary, AB, Canada"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/3748302"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1109\/tdsc.2026.3665230"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1145\/3777446"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/MCE.2024.3353178"},{"key":"ref5","first-page":"2383","article-title":"StruQ: Defending against prompt injection with structured queries","volume-title":"Proc. 34th USENIX Secur. Symp. (USENIX Secur.)","author":"Chen"},{"key":"ref6","article-title":"Universal and transferable adversarial attacks on aligned language models","author":"Zou","year":"2023","journal-title":"arXiv:2307.15043"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2025.130643"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/TCSVT.2025.3526248"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/3748239.3748242"},{"key":"ref10","article-title":"Real AI agents with fake memories: Fatal context manipulation attacks on web3 agents","author":"Singh Patlan","year":"2025","journal-title":"arXiv:2503.16248"},{"key":"ref11","first-page":"3827","article-title":"PoisonedRAG: Knowledge corruption attacks to retrieval-augmented generation of large language models","volume-title":"Proc. 34th USENIX Secur. Symp. (USENIX Secur.)","author":"Zou"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.52202\/079017-4136"},{"key":"ref13","first-page":"1849","article-title":"Instruction backdoor attacks against customized LLMs","volume-title":"Proc. 33rd USENIX Secur. Symp. (USENIX Secur.)","author":"Zhang"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.52202\/075280-2997"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2025.3596092"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.241089"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1007\/s11432-024-4222-0"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.52202\/075280-0377"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102901"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2022.3162397"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00030"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/MNET.2024.3367788"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.104220"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.52202\/068431-1800"},{"key":"ref25","first-page":"2633","article-title":"Extracting training data from large language models","volume-title":"Proc. 30th USENIX Secur. Symp. (USENIX Secur.)","author":"Carlini"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/3663529.3663786"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2025.107994"},{"key":"ref28","article-title":"ReSLC: Defending backdoor attacks on intelligent vulnerability detection via redundant semantic LLM compression","volume":"100","author":"Zhang","year":"2026","journal-title":"J. Inf. Secur. Appl."},{"key":"ref29","article-title":"Sleeper agents: Training deceptive LLMs that persist through safety training","author":"Hubinger","year":"2024","journal-title":"arXiv:2401.05566"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.52202\/079017-2636"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-acl.624"},{"key":"ref32","article-title":"Locks tested without burglars: Using coding assistants to break prompt injection defenses","volume-title":"Proc. NeurIPS Workshop, Reliable ML Unreliable Data","author":"Patlan"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-025-01185-y"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2024.3439363"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2026.3675554"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/3773080"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2025.3540303"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2026.3656466"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2026.104420"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1145\/3711896.3736561"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2025.3555410"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1145\/3719027.3744836"},{"key":"ref43","article-title":"WASP: Benchmarking Web agent security against prompt injection attacks","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"38","author":"Evtimov"},{"key":"ref44","article-title":"React: Synergizing reasoning and acting in language models","volume-title":"Proc. 11th Int. Conf. Learn. Represent.","author":"Yao"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/3586183.3606763"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/3719027.3765122"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2026.131100"},{"key":"ref48","volume-title":"GPT-4o Mini","year":"2024"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.25"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/SaTML64287.2025.00010"},{"key":"ref51","first-page":"2441","article-title":"SelfDefend: LLMs can defend themselves against jailbreaking in a practical manner","volume-title":"Proc. 34th USENIX Secur. Symp. (USENIX Secur.)","author":"Wang"},{"key":"ref52","article-title":"Eliza: A web3 friendly AI agent operating system","author":"Walters","year":"2025","journal-title":"arXiv:2501.06781"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/6287639\/11323511\/11520232.pdf?arnumber=11520232","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,5,25]],"date-time":"2026-05-25T19:55:48Z","timestamp":1779738948000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11520232\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026]]},"references-count":52,"URL":"https:\/\/doi.org\/10.1109\/access.2026.3693560","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026]]}}}