{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,4]],"date-time":"2025-12-04T07:56:10Z","timestamp":1764834970443,"version":"3.46.0"},"reference-count":81,"publisher":"IEEE","license":[{"start":{"date-parts":[[2025,8,26]],"date-time":"2025-08-26T00:00:00Z","timestamp":1756166400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,8,26]],"date-time":"2025-08-26T00:00:00Z","timestamp":1756166400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,8,26]]},"DOI":"10.1109\/pst65910.2025.11268824","type":"proceedings-article","created":{"date-parts":[[2025,12,3]],"date-time":"2025-12-03T18:40:04Z","timestamp":1764787204000},"page":"1-12","source":"Crossref","is-referenced-by-count":0,"title":["G-STAR: A Threat Modeling Framework for General-Purpose AI Systems"],"prefix":"10.1109","author":[{"given":"Pulei","family":"Xiong","sequence":"first","affiliation":[{"name":"Cybersecurity, Digital Technologies Research Center National Research Council Canada,Ottawa,Canada"}]},{"given":"Saeedeh","family":"Lohrasbi","sequence":"additional","affiliation":[{"name":"Cybersecurity, Digital Technologies Research Center National Research Council Canada,Ottawa,Canada"}]},{"given":"Prini","family":"Kotian","sequence":"additional","affiliation":[{"name":"Cybersecurity, Digital Technologies Research Center National Research Council Canada,Ottawa,Canada"}]},{"given":"Scott","family":"Buffett","sequence":"additional","affiliation":[{"name":"Cybersecurity, Digital Technologies Research Center National Research Council Canada,Ottawa,Canada"}]}],"member":"263","reference":[{"article-title":"International ai safety report","year":"2025","author":"Bengio","key":"ref1"},{"key":"ref2","article-title":"Badrag: Identifying vulnerabilities in retrieval augmented generation of large language models","author":"Xue","year":"2024","journal-title":"arXiv preprint arXiv:2406.00083"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-88717-8_18"},{"key":"ref4","first-page":"80 079","article-title":"Jailbroken: How does llm safety training fail?","volume":"36","author":"Wei","year":"2023","journal-title":"Advances in Neural Information Processing Systems"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670388"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.findings-emnlp.272"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/SPW63631.2024.00018"},{"key":"ref8","article-title":"Masterkey: Automated jailbreak across multiple large language model chatbots","author":"Deng","year":"2023","journal-title":"arXiv preprint arXiv:2307.08715"},{"key":"ref9","article-title":"Universal and transferable adversarial attacks on aligned language models","author":"Zou","year":"2023","journal-title":"arXiv preprint arXiv:2307.15043"},{"key":"ref10","article-title":"Effective prompt extraction from language models","author":"Zhang","year":"2023","journal-title":"arXiv preprint arXiv:2307.06865"},{"key":"ref11","article-title":"Ignore previous prompt: Attack techniques for language models","author":"Perez","year":"2022","journal-title":"arXiv preprint arXiv:2211.09527"},{"key":"ref12","article-title":"Prompt injection attack against llm-integrated applications","author":"Liu","year":"2023","journal-title":"arXiv preprint arXiv:2306.05499"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.naacl-long.337"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1145\/3605764.3623985"},{"key":"ref15","article-title":"Risk taxonomy, mitigation, and assessment benchmarks of large language model systems","author":"Cui","year":"2024","journal-title":"arXiv preprint arXiv:2401.05778"},{"key":"ref16","doi-asserted-by":"crossref","first-page":"103121","DOI":"10.1016\/j.jisa.2022.103121","article-title":"Towards a robust and trustworthy machine learning system development: An engineering perspective","volume":"65","author":"Xiong","year":"2022","journal-title":"Journal of Information Security and Applications"},{"key":"ref17","article-title":"Attention is all you need","author":"Vaswani","year":"2017","journal-title":"Advances in Neural Information Processing Systems"},{"key":"ref18","article-title":"A survey of large language models","author":"Zhao","year":"2023","journal-title":"arXiv preprint arXiv:2303.18223"},{"key":"ref19","first-page":"1877","article-title":"Language models are few-shot learners","volume":"33","author":"Brown","year":"2020","journal-title":"Advances in neural information processing systems"},{"key":"ref20","article-title":"Bert: Pre-training of deep bidirectional transformers for language understanding","author":"Devlin","year":"2018","journal-title":"arXiv preprint arXiv:1810.04805"},{"issue":"140","key":"ref21","first-page":"1","article-title":"Exploring the limits of transfer learning with a unified text-to-text transformer","volume":"21","author":"Raffel","year":"2020","journal-title":"Journal of machine learning research"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/cvpr52734.2025.02319"},{"key":"ref23","article-title":"Vall-e 2: Neural codec language models are human parity zero-shot text to speech synthesizers","author":"Chen","year":"2024","journal-title":"arXiv preprint arXiv:2406.05370"},{"key":"ref24","article-title":"Gpt-4 technical report","volume-title":"arXiv preprint arXiv:2303.08774","author":"Achiam","year":"2023"},{"key":"ref25","article-title":"Gemini: a family of highly capable multimodal models","author":"Team","year":"2023","journal-title":"arXiv preprint arXiv:2312.11805"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.21437\/Interspeech.2019-1873"},{"key":"ref27","first-page":"36 479","article-title":"Photorealistic text-to-image diffusion models with deep language understanding","volume":"35","author":"Saharia","year":"2022","journal-title":"Advances in neural information processing systems"},{"volume-title":"Improving language understanding by generative pretraining","year":"2018","author":"Radford","key":"ref28"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/AICT59525.2023.10313167"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/ICCA59364.2023.10401518"},{"key":"ref31","article-title":"Retrieval-augmented generation for large language models: A survey","volume":"2","author":"Gao","year":"2023","journal-title":"arXiv preprint arXiv:2312.10997"},{"key":"ref32","first-page":"9459","article-title":"Retrieval-augmented generation for knowledge-intensive nlp tasks","volume":"33","author":"Lewis","year":"2020","journal-title":"Advances in neural information processing systems"},{"volume-title":"What is retrieval augmented generation (rag)?","year":"2024","key":"ref33"},{"volume-title":"Llamaindex documentation","year":"2025","key":"ref34"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/TAI.2024.3444742"},{"volume-title":"Ai knowledge base: Everything you need to know","year":"2024","key":"ref36"},{"volume-title":"The role of artificial intelligence in knowledge management","year":"2024","key":"ref37"},{"volume-title":"Ai knowledge base","year":"2024","key":"ref38"},{"volume-title":"Knowledge store in azure ai search","year":"2024","author":"Learn","key":"ref39"},{"volume-title":"Generative ai knowledge base","year":"2023","author":"Cloud","key":"ref40"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/MedAI59581.2023.00044"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2022.3196347"},{"volume-title":"Github copilot","year":"2025","key":"ref43"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1126\/science.abq1158"},{"key":"ref45","article-title":"Evaluating large language models trained on code","author":"Chen","year":"2021","journal-title":"arXiv preprint arXiv:2107.03374"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/3697012"},{"key":"ref47","article-title":"Starcoder: may the source be with you!","author":"Li","year":"2023","journal-title":"arXiv preprint arXiv:2305.06161"},{"key":"ref48","article-title":"Codegen: An open large language model for code with multi-turn program synthesis","author":"Nijkamp","year":"2022","journal-title":"arXiv preprint arXiv:2203.13474"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.emnlp-main.68"},{"key":"ref50","article-title":"Intriguing properties of neural networks","author":"Szegedy","year":"2013","journal-title":"arXiv preprint arXiv:1312.6199"},{"volume-title":"Explaining and harnessing adversarial examples","year":"2014","author":"Goodfellow","key":"ref51"},{"volume-title":"Adversarial attacks on neural network policies","year":"2017","author":"Huang","key":"ref52"},{"key":"ref53","article-title":"Survey of vulnerabilities in large language models revealed by adversarial attacks","author":"Shayegani","year":"2023","journal-title":"arXiv preprint arXiv:2310.10844"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2022.04.020"},{"key":"ref55","article-title":"Towards trustworthy and aligned machine learning: A data-centric survey with causality perspectives","author":"Liu","year":"2023","journal-title":"arXiv preprint arXiv:2307.16851"},{"key":"ref56","article-title":"Training a helpful and harmless assistant with reinforcement learning from human feedback","author":"Bai","year":"2022","journal-title":"arXiv preprint arXiv:2204.05862"},{"key":"ref57","first-page":"27 730","article-title":"Training language models to follow instructions with human feedback","volume":"35","author":"Ouyang","year":"2022","journal-title":"Advances in neural information processing systems"},{"key":"ref58","first-page":"61 836","article-title":"On the exploitability of instruction tuning","volume":"36","author":"Shu","year":"2023","journal-title":"Advances in Neural Information Processing Systems"},{"key":"ref59","article-title":"Poisonbench: Assessing large language model vulnerability to data poisoning","author":"Fu","year":"2024","journal-title":"arXiv preprint arXiv:2410.08811"},{"key":"ref60","article-title":"Data poisoning in llms: Jailbreak-tuning and scaling laws","author":"Bowen","year":"2024","journal-title":"arXiv preprint arXiv:2408.02946"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2021.naacl-main.13"},{"key":"ref62","article-title":"Attention hijacking in trojan transformers","author":"Lyu","year":"2022","journal-title":"arXiv preprint arXiv:2208.04946"},{"key":"ref63","article-title":"Jailbreaking chatgpt via prompt engineering: An empirical study","author":"Liu","year":"2023","journal-title":"arXiv preprint arXiv:2305.13860"},{"key":"ref64","article-title":"Inverse scaling: When bigger isn\u2019t better","author":"McKenzie","year":"2023","journal-title":"arXiv preprint arXiv:2306.09479"},{"key":"ref65","article-title":"Gpt-4 is too smart to be safe: Stealthy chat with llms via cipher","author":"Yuan","year":"2023","journal-title":"arXiv preprint arXiv:2308.06463"},{"key":"ref66","first-page":"51 008","article-title":"Hard prompts made easy: Gradient-based discrete optimization for prompt tuning and discovery","volume":"36","author":"Wen","year":"2023","journal-title":"Advances in Neural Information Processing Systems"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.emnlp-main.346"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2021.emnlp-main.464"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/p18-2006"},{"key":"ref70","first-page":"15 307","article-title":"Automatically auditing large language models via discrete optimization","volume-title":"International Conference on Machine Learning","author":"Jones"},{"journal-title":"Medium","article-title":"Named entity recognition: A comprehensive guide to nlp\u2019s key technology","year":"2023","key":"ref71"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/TBDATA.2019.2921572"},{"key":"ref73","article-title":"Knowledge graph modeling-driven large language model operating system (llm os) for task automation in process engineering problem-solving","author":"Srinivas","year":"2024","journal-title":"arXiv preprint arXiv:2408.14494"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1145\/3447772"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.14778\/1687553.1687609"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1016\/j.aiopen.2021.03.001"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i17.29946"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.emnlp-industry.23"},{"key":"ref79","article-title":"Context-augmented code generation using programming knowledge graphs","author":"Saberi","year":"2024","journal-title":"arXiv preprint arXiv:2410.18251"},{"key":"ref80","article-title":"Genaudit: Fixing factual errors in language model outputs with evidence","author":"Krishna","year":"2024","journal-title":"arXiv preprint arXiv:2402.12566"},{"key":"ref81","article-title":"Ragreward: Optimizing rag with reward modeling and rlhf","author":"Zhang","year":"2025","journal-title":"arXiv preprint arXiv:2501.13264"}],"event":{"name":"2025 22nd Annual International Conference on Privacy, Security, and Trust (PST)","start":{"date-parts":[[2025,8,26]]},"location":"Fredericton, NB, Canada","end":{"date-parts":[[2025,8,28]]}},"container-title":["2025 22nd Annual International Conference on Privacy, Security, and Trust (PST)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11268482\/11268814\/11268824.pdf?arnumber=11268824","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,4]],"date-time":"2025-12-04T07:51:17Z","timestamp":1764834677000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11268824\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,26]]},"references-count":81,"URL":"https:\/\/doi.org\/10.1109\/pst65910.2025.11268824","relation":{},"subject":[],"published":{"date-parts":[[2025,8,26]]}}}