{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T06:59:52Z","timestamp":1782975592066,"version":"3.54.5"},"reference-count":72,"publisher":"IEEE","license":[{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026,5,18]]},"DOI":"10.1109\/sp63933.2026.00142","type":"proceedings-article","created":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T19:34:20Z","timestamp":1782934460000},"page":"4301-4319","source":"Crossref","is-referenced-by-count":0,"title":["PromptCOS: Towards Content-Only System Prompt Copyright Auditing for LLMs"],"prefix":"10.1109","author":[{"given":"Yuchen","family":"Yang","sequence":"first","affiliation":[{"name":"Zhejiang University,State Key Laboratory of Blockchain and Data Security"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yiming","family":"Li","sequence":"additional","affiliation":[{"name":"College of Computing and Data Science, Nanyang Technological University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Hongwei","family":"Yao","sequence":"additional","affiliation":[{"name":"Zhejiang University,State Key Laboratory of Blockchain and Data Security"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Enhao","family":"Huang","sequence":"additional","affiliation":[{"name":"Zhejiang University,State Key Laboratory of Blockchain and Data Security"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Shuo","family":"Shao","sequence":"additional","affiliation":[{"name":"Zhejiang University,State Key Laboratory of Blockchain and Data Security"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yuyi","family":"Wang","sequence":"additional","affiliation":[{"name":"CRRC Zhuzhou Institute &#x0026; Tengen Intelligence Institute"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zhibo","family":"Wang","sequence":"additional","affiliation":[{"name":"Zhejiang University,State Key Laboratory of Blockchain and Data Security"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Dacheng","family":"Tao","sequence":"additional","affiliation":[{"name":"College of Computing and Data Science, Nanyang Technological University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zhan","family":"Qin","sequence":"additional","affiliation":[{"name":"Zhejiang University,State Key Laboratory of Blockchain and Data Security"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","article-title":"Prompt leakage effect and mitigation strategies for multi-turn 1lm applications","volume-title":"EMNLP","author":"Agarwal","year":"2024"},{"key":"ref2","volume-title":"Amazon. Quick suite","year":"2025"},{"key":"ref3","volume-title":"asgeirtj. Gpt-5 system prompt leakage","year":"2025"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/TAC.2022.3214474"},{"key":"ref5","article-title":"Training verifiers to solve math word problems","author":"Cobbe","year":"2021","journal-title":"arXiv preprint"},{"key":"ref6","article-title":"Deepseek-r1: Incentivizing reasoning capability in 11 ms via reinforcement learning","author":"DeepSeek-AI","year":"2025","journal-title":"arXiv preprint"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623116"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.52202\/075280-1205"},{"key":"ref9","volume-title":"Nat Friedman. Introducing github copilot: your ai pair programmer","year":"2021"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1145\/3626772.3657672"},{"key":"ref11","article-title":"On benchmarking code 11 ms for android malware analysis","volume-title":"ISSTA Workshop","author":"He","year":"2025"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690316"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1145\/3695988"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00117"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.acl-long.77"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670370"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1162\/tacl_a_00324"},{"key":"ref18","article-title":"A watermark for large language models","volume-title":"ICML","author":"Kirchenbauer","year":"2023"},{"key":"ref19","article-title":"Clearstamp: A human-visible and robust model-ownership proof based on transposed model training","author":"Krau\u00df","year":"2024","journal-title":"USENIX Security"},{"key":"ref20","article-title":"Robust distortion-free watermarks for language models","author":"Kuditipudi","year":"2023","journal-title":"Transactions on Machine Learning Research"},{"key":"ref21","article-title":"Governing open vocabulary data leaks using an edge 11 m through programming by example","volume-title":"MobiCom","author":"Li","year":"2024"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.acl-long.79"},{"key":"ref23","article-title":"Rethinking data protection in the (generative) artificial intelligence era","author":"Li","year":"2025","journal-title":"arXiv preprint"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623120"},{"key":"ref25","article-title":"Parrot: Efficient serving of {LLM-based} applications with semantic variable","volume-title":"OSDI","author":"Lin","year":"2024"},{"issue":"2","key":"ref26","first-page":"1","article-title":"A survey of text watermarking in the era of large language models","volume":"57","author":"Liu","year":"2024","journal-title":"ACM Computing Surveys"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.52202\/075280-0943"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/3560815"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1145\/3664647.3681418"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3691405"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690298"},{"key":"ref32","volume-title":"OpenAI. Chatgpt","year":"2025"},{"key":"ref33","author":"Achiam","year":"2024","journal-title":"Gpt-4 technical report"},{"key":"ref34","article-title":"Teach 11 ms to phish: Stealing private information from language models","volume-title":"ICLR","author":"Panda","year":"2024"},{"key":"ref35","volume-title":"PromptBase","year":"2025"},{"key":"ref36","article-title":"Sok: On the role and future of aigc watermarking in the era of gen-ai","author":"Ren","year":"2024","journal-title":"arXiv preprint"},{"key":"ref37","article-title":"Code llama: Open foundation models for code","author":"Rozi\u00e8re","year":"2024","journal-title":"arXiv preprint"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1145\/3331184.3331326"},{"key":"ref39","volume-title":"2025 llm top-10 risks","author":"Schulhoff","year":"2025"},{"key":"ref40","volume-title":"Microsoft bing system prompt leakage","author":"Schulhoff","year":"2025"},{"key":"ref41","article-title":"The prompt report: a systematic survey of prompt engineering techniques","author":"Schulhoff","year":"2024","journal-title":"arXiv preprint"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.230338"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/3613904.3642459"},{"key":"ref44","article-title":"Prompt stealing attacks against text-to-image generation models","author":"Shen","year":"2024","journal-title":"USENIX Security"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.emnlp-main.346"},{"key":"ref46","article-title":"Why so toxic? measuring and triggering toxic behavior in open-domain chatbots","volume-title":"CCS","author":"Si","year":"2022"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2022.naacl-main.290"},{"key":"ref48","article-title":"Autohint: Automatic prompt optimization with hint generation","author":"Sun","year":"2023","journal-title":"arXiv preprint"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00161"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00120"},{"key":"ref51","article-title":"Codegemma: Open code models based on gemma","author":"Team","year":"2024","journal-title":"arXiv preprint"},{"key":"ref52","article-title":"Gemma: Open models based on gemini research and technology","author":"Team","year":"2024","journal-title":"arXiv preprint"},{"key":"ref53","article-title":"Llama: Open and efficient foundation language models","author":"Touvron","year":"2023","journal-title":"arXiv preprint"},{"key":"ref54","article-title":"Attention is all you need","author":"Vaswani","year":"2017","journal-title":"NeurIPS"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.52202\/068431-1800"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.52202\/075280-2219"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.naacl-long.180"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.52202\/068431-0223"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2024.3431035"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v36i10.21415"},{"key":"ref61","article-title":"Prsa: Prompt stealing attacks against real-world prompt services","author":"Yang","year":"2025","journal-title":"USENIX Security"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00209"},{"key":"ref63","article-title":"Probe before you talk: Towards black-box defense against backdoor unalignment for large language models","volume-title":"ICLR","author":"Yi","year":"2025"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.findings-acl.858"},{"key":"ref65","article-title":"Remark-llm: A robust and efficient watermarking framework for generative large language models","author":"Zhang","year":"2024","journal-title":"USENIX Security"},{"key":"ref66","article-title":"Automatic chain of thought prompting in large language models","volume-title":"ICLR","author":"Zhang","year":"2022"},{"key":"ref67","article-title":"Parden, can you repeat that? defending against jailbreaks via repetition","volume-title":"ICML","author":"Zhang","year":"2024"},{"key":"ref68","article-title":"Provable robust watermarking for ai-generated text","volume-title":"ICLR","author":"Zhao","year":"2024"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00178"},{"key":"ref70","article-title":"Calibrate before use: Improving few-shot performance of language models","volume-title":"ICML","author":"Zhao","year":"2021"},{"key":"ref71","article-title":"Large language models are human-level prompt engineers","volume-title":"ICLR","author":"Zhou","year":"2023"},{"key":"ref72","article-title":"Universal and transferable adversarial attacks on aligned language models","author":"Zou","year":"2023","journal-title":"arXiv preprint"}],"event":{"name":"2026 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2026,5,18]]},"end":{"date-parts":[[2026,5,21]]}},"container-title":["2026 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11573355\/11573356\/11573401.pdf?arnumber=11573401","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T05:27:19Z","timestamp":1782970039000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11573401\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,18]]},"references-count":72,"URL":"https:\/\/doi.org\/10.1109\/sp63933.2026.00142","relation":{},"subject":[],"published":{"date-parts":[[2026,5,18]]}}}