{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T07:01:07Z","timestamp":1782975667942,"version":"3.54.5"},"reference-count":95,"publisher":"IEEE","license":[{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["2550742,2450937,2519374,2414407"],"award-info":[{"award-number":["2550742,2450937,2519374,2414407"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026,5,18]]},"DOI":"10.1109\/sp63933.2026.00198","type":"proceedings-article","created":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T19:34:20Z","timestamp":1782934460000},"page":"4320-4338","source":"Crossref","is-referenced-by-count":0,"title":["AttnTrace: Contextual Attribution of Prompt Injection and Knowledge Corruption"],"prefix":"10.1109","author":[{"given":"Yanting","family":"Wang","sequence":"first","affiliation":[{"name":"The Pennsylvania State University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Runpeng","family":"Geng","sequence":"additional","affiliation":[{"name":"The Pennsylvania State University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Ying","family":"Chen","sequence":"additional","affiliation":[{"name":"The Pennsylvania State University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jinyuan","family":"Jia","sequence":"additional","affiliation":[{"name":"The Pennsylvania State University"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","article-title":"Claude-Sonnet-4 System Card","volume-title":"Anthropic","year":"2025"},{"key":"ref2","article-title":"Gemini-2.5-Pro Technical Report","volume-title":"Google DeepMind","year":"2025"},{"key":"ref3","article-title":"Introducing GPT-4.1 in the API","volume-title":"OpenAI"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.52202\/068431-1800"},{"key":"ref5","article-title":"React: Synergizing reasoning and acting in language models","volume-title":"The Eleventh International Conference on Learning Representations","author":"Yao","year":"2023"},{"key":"ref6","article-title":"AutoGPT: Build, Deploy, and Run AI Agents","year":"2024"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.emnlp-main.550"},{"key":"ref8","article-title":"Retrievalaugmented generation for knowledge-intensive nlp tasks","author":"Lewis","year":"2020","journal-title":"NeurIPS"},{"key":"ref9","article-title":"Prompt injection attacks against GPT-3","author":"Willison","year":"2022"},{"key":"ref10","article-title":"Prompt Injection Attacks: A New Frontier in Cybersecurity","author":"Fox","year":"2023"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/3605764.3623985"},{"key":"ref12","article-title":"Formalizing and benchmarking prompt injection attacks and defenses","volume-title":"USENIX Security Symposium","author":"Liu","year":"2024"},{"key":"ref13","article-title":"Poisonedrag: Knowledge corruption attacks to retrieval-augmented generation of large language models","author":"Zou","year":"2025","journal-title":"USENIX Security"},{"key":"ref14","article-title":"Machine against the rag: Jamming retrieval-augmented generation with blocker documents","author":"Shafran","year":"2025","journal-title":"USENIX Security"},{"key":"ref15","article-title":"Phantom: General trigger attacks on retrieval augmented language generation","author":"Chaudhari","year":"2024","journal-title":"arXiv"},{"key":"ref16","article-title":"Positive review only\u2019: Researchers hide ai prompts in papers","author":"Asia","year":"2025"},{"key":"ref17","article-title":"Data Exfiltration from Slack AI via indirect prompt injection","author":"Blog","year":"2025"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-70879-4_6"},{"key":"ref19","article-title":"Struq: Defending against prompt injection with structured queries","volume-title":"USENIX Security Symposium","author":"Chen","year":"2025"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/3719027.3744836"},{"key":"ref21","article-title":"The instruction hierarchy: Training llms to prioritize privileged instructions","author":"Wallace","year":"2024","journal-title":"arXiv preprint"},{"key":"ref22","article-title":"Instructional segment embedding: Improving 11m safety with instruction hierarchy","volume-title":"ICLR","author":"Wu","year":"2025"},{"key":"ref23","article-title":"Defeating prompt injections by design","author":"Debenedetti","year":"2025","journal-title":"arXiv preprint"},{"key":"ref24","article-title":"Progent: Programmable privilege control for 11 m agents","author":"Shi","year":"2025","journal-title":"arXiv preprint"},{"key":"ref25","article-title":"Securing ai agents with information-flow control","author":"Costa","year":"2025","journal-title":"arXiv preprint"},{"key":"ref26","article-title":"Meta secalign: A secure foundation 11 m against prompt injection attacks","author":"Chen","year":"2025","journal-title":"arXiv preprint"},{"key":"ref27","article-title":"System-level defense against indirect prompt injection attacks: An information flow control perspective","author":"Wu","year":"2024","journal-title":"arXiv preprint"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/3733799.3762982"},{"key":"ref29","article-title":"Certifiably robust rag against retrieval corruption","author":"Xiang","year":"2024","journal-title":"arXiv"},{"key":"ref30","article-title":"Formalizing and benchmarking prompt injection attacks and defenses","volume-title":"USENIX Security Symposium","author":"Liu","year":"2024"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00250"},{"key":"ref32","article-title":"Attention tracker: Detecting prompt injection attacks in 11 ms","author":"Hung","year":"2024","journal-title":"arXiv"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3714393.3726501"},{"key":"ref34","article-title":"Tracllm: A generic framework for attributing outputs of long context 11 ms","volume-title":"USENIX Security Symposium","author":"Wang","year":"2025"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.52202\/079017-3035"},{"key":"ref36","article-title":"Webgpt: Browser-assisted question-answering with human feedback","author":"Nakano","year":"2021","journal-title":"arXiv"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.emnlp-main.398"},{"key":"ref38","article-title":"Estimating training data influence by tracing gradient descent","author":"Pruthi","year":"2020","journal-title":"NeurIPS"},{"key":"ref39","article-title":"Poison forensics: Traceback of data poisoning attacks in neural networks","author":"Shan","year":"2022","journal-title":"USENIX Security"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.emnlp-main.741"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.52202\/079017-2567"},{"key":"ref42","article-title":"Deep inside convolutional networks: Visualising image classification models and saliency maps","author":"Simonyan","year":"2013","journal-title":"arXiv preprint"},{"key":"ref43","article-title":"Learning important features through propagating activation differences","volume-title":"ICML","author":"Shrikumar","year":"2017"},{"key":"ref44","article-title":"Axiomatic attribution for deep networks","volume-title":"ICML","author":"Sundararajan","year":"2017"},{"key":"ref45","article-title":"A unified approach to interpreting model predictions","author":"Lundberg","year":"2017","journal-title":"arXiv"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/N16-3020"},{"key":"ref47","article-title":"Attention is all you need","author":"Vaswani","year":"2017","journal-title":"NeurIPS"},{"key":"ref48","volume-title":"Introducing Llama 3.1: Our most capable models to date"},{"key":"ref49","article-title":"Longbench: A bilingual, multitask benchmark for long context understanding","author":"Bai","year":"2023","journal-title":"arXiv"},{"key":"ref50","article-title":"Repoqa: Evaluating long context code understanding","author":"Liu","year":"2024","journal-title":"arXiv"},{"key":"ref51","article-title":"Leave no document behind: Benchmarking long-context llms with extended multi-doc qa, 2024b","author":"Wang","year":"2024","journal-title":"arXiv"},{"key":"ref52","article-title":"Reliable, adaptable, and attributable language models with retrieval","author":"Asai","year":"2024","journal-title":"arXiv"},{"key":"ref53","article-title":"Rise: Randomized input sampling for explanation of black-box models","author":"Petsiuk","year":"2018","journal-title":"arXiv preprint"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1080\/00401706.1980.10486199"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1016\/j.cor.2008.04.004"},{"issue":"209","key":"ref56","first-page":"1","article-title":"Explaining by removing: A unified framework for model explanation","volume":"22","author":"Covert","year":"2021","journal-title":"Journal of Machine Learning Research"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/P19-1282"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/d19-1002"},{"key":"ref59","article-title":"Learning to attribute with attention","author":"Cohen-Wang","year":"2025","journal-title":"arXiv"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.acl-long.1074"},{"key":"ref61","article-title":"Gradient based feature attribution in explainable ai: A technical review","author":"Wang","year":"2024","journal-title":"arXiv"},{"key":"ref62","article-title":"Promptlocate: Localizing prompt injection attacks","author":"Jia","year":"2026","journal-title":"IEEE S&P"},{"key":"ref63","article-title":"Who taught the lie? responsibility attribution for poisoned knowledge in retrieval-augmented generation","author":"Zhang","year":"2026","journal-title":"IEEE S&P"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1145\/3696410.3714756"},{"key":"ref65","article-title":"Mudjacking: Patching backdoor vulnerabilities in foundation models","volume-title":"USENIX Security Symposium","author":"Liu","year":"2024"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.emnlp-main.849"},{"key":"ref67","article-title":"Efficient streaming language models with attention sinks","author":"Xiao","year":"2023","journal-title":"arXiv"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.52202\/075280-1506"},{"key":"ref69","article-title":"Flashattention-2: Faster attention with better parallelism and work partitioning","author":"Dao","year":"2023","journal-title":"arXiv"},{"key":"ref70","article-title":"Badrag: Identifying vulnerabilities in retrieval augmented generation of large language models","author":"Xue","year":"2024","journal-title":"arXiv"},{"key":"ref71","article-title":"Trojanrag: Retrieval-augmented generation can be backdoor driver in large language models","author":"Cheng","year":"2024","journal-title":"arXiv preprint"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1162\/tacl_a_00475"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1162\/tacl_a_00023"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2021.naacl-main.472"},{"key":"ref75","article-title":"Universal and transferable adversarial attacks on aligned language models","author":"Zou","year":"2023","journal-title":"arXiv"},{"key":"ref76","article-title":"Evaluating the susceptibility of pre-trained language models via handcrafted adversarial examples","author":"Branch","year":"2022","journal-title":"arXiv preprint"},{"key":"ref77","article-title":"Ignore previous prompt: Attack techniques for language models","author":"Perez","year":"2022","journal-title":"arXiv"},{"key":"ref78","article-title":"Prompt injection attacks against gpt-3","author":"Willison","year":"2022"},{"key":"ref79","article-title":"Delimiters won\u2019t save you from prompt injection","author":"Willison","year":"2023"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1145\/3689932.3694764"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1162\/tacl_a_00276"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/D18-1259"},{"key":"ref83","first-page":"660","article-title":"Ms marco: A human generated machine reading comprehension dataset","volume":"2640","author":"Nguyen","year":"2016","journal-title":"choice"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.nlposs-1.19"},{"key":"ref85","article-title":"Open-prompt-injection: An open benchmark for prompt injection attacks","author":"Yupei"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1016\/S0031-3203(96)00142-2"},{"key":"ref87","article-title":"Llm agents for bargaining with utility-based feedback","author":"Oh","year":"2025","journal-title":"arXiv"},{"key":"ref88","article-title":"Pymupdf - python bindings for mupdf (version 1.26.3)","volume-title":"Artifex Software Inc. and contributors"},{"key":"ref89","article-title":"Automatic and universal prompt injection attacks against large language models","author":"Liu","year":"2024","journal-title":"arXiv"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1109\/SPW63631.2024.00018"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.emnlp-main.302"},{"key":"ref92","article-title":"Browsesafe: Understanding and preventing prompt injection within ai browser agents","author":"Zhang","year":"2025","journal-title":"arXiv preprint"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.acl-long.1435"},{"key":"ref94","article-title":"Who taught the lie? responsibility attribution for poisoned knowledge in retrieval-augmented generation","author":"Zhang","year":"2025","journal-title":"arXiv preprint"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.1145\/3696410.3714756"}],"event":{"name":"2026 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2026,5,18]]},"end":{"date-parts":[[2026,5,21]]}},"container-title":["2026 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11573355\/11573356\/11573479.pdf?arnumber=11573479","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T05:27:51Z","timestamp":1782970071000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11573479\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,18]]},"references-count":95,"URL":"https:\/\/doi.org\/10.1109\/sp63933.2026.00198","relation":{},"subject":[],"published":{"date-parts":[[2026,5,18]]}}}