{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,17]],"date-time":"2026-03-17T08:02:18Z","timestamp":1773734538584,"version":"3.50.1"},"reference-count":70,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2024YFF1401300"],"award-info":[{"award-number":["2024YFF1401300"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans.Inform.Forensic Secur."],"published-print":{"date-parts":[[2026]]},"DOI":"10.1109\/tifs.2026.3666893","type":"journal-article","created":{"date-parts":[[2026,2,23]],"date-time":"2026-02-23T20:47:06Z","timestamp":1771879626000},"page":"2727-2741","source":"Crossref","is-referenced-by-count":0,"title":["PromptFuzz: Harnessing Fuzzing Techniques for Robust Testing of Prompt Injection in LLMs"],"prefix":"10.1109","volume":"21","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-7743-8096","authenticated-orcid":false,"given":"Yangguang","family":"Shao","sequence":"first","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-4919-0967","authenticated-orcid":false,"given":"Jiahao","family":"Yu","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Northwestern University, Evanston, IL, USA"}]},{"given":"Hanwen","family":"Miao","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}]},{"given":"Gaopeng","family":"Gou","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}]},{"given":"Zhen","family":"Li","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4653-1686","authenticated-orcid":false,"given":"Junzheng","family":"Shi","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"GitHub Copilot: Your AI Pair Programmer","year":"2024"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/3616855.3635736"},{"key":"ref3","article-title":"WebGPT: Browser-assisted question-answering with human feedback","author":"Nakano","year":"2021","journal-title":"arXiv:2112.09332"},{"key":"ref4","article-title":"Universal and transferable adversarial attacks on aligned language models","author":"Zou","year":"2023","journal-title":"arXiv:2307.15043"},{"key":"ref5","article-title":"Assessing prompt injection risks in 200+ custom GPTs","author":"Yu","year":"2023","journal-title":"arXiv:2311.11538"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.24188"},{"key":"ref7","article-title":"Mind the inconspicuous: Revealing the hidden weakness in aligned LLMs\u2019 refusal boundaries","author":"Yu","year":"2024","journal-title":"arXiv:2405.20653"},{"key":"ref8","first-page":"61836","article-title":"On the exploitability of instruction tuning","volume-title":"Proc. NeurIPS","author":"Shu"},{"key":"ref9","article-title":"Learning to poison large language models for downstream manipulation","author":"Zhou","year":"2024","journal-title":"arXiv:2402.13459"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.naacl-long.337"},{"key":"ref11","article-title":"DecodingTrust: A comprehensive assessment of trustworthiness in GPT models","author":"Wang","year":"2023","journal-title":"arXiv:2306.11698"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/WACV57701.2024.00477"},{"key":"ref13","article-title":"TrustLLM: Trustworthiness in large language models","author":"Huang","year":"2024","journal-title":"arXiv:2401.05561"},{"key":"ref14","volume-title":"Prompt Injection","year":"2024"},{"key":"ref15","volume-title":"Microsoft Bing","year":"2024"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/3605764.3623985"},{"key":"ref17","article-title":"Ignore previous prompt: Attack techniques for language models","author":"Perez","year":"2022","journal-title":"arXiv:2211.09527"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1162\/99608f92.5317da47"},{"key":"ref19","article-title":"Automatic and universal prompt injection attacks against large language models","author":"Liu","year":"2024","journal-title":"arXiv:2403.04957"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670370"},{"key":"ref21","article-title":"Tensor trust: Interpretable prompt injection attacks from an online game","author":"Toyer","year":"2023","journal-title":"arXiv:2311.01011"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.1706.03762"},{"key":"ref23","first-page":"1877","article-title":"Language models are few-shot learners","volume-title":"Proc. Adv. neural Inf. Process. Syst.","author":"Brown"},{"key":"ref24","article-title":"GPT-4 technical report","volume-title":"arXiv:2303.08774","author":"Achiam","year":"2023"},{"key":"ref25","article-title":"BERT: Pre-training of deep bidirectional transformers for language understanding","author":"Devlin","year":"2018","journal-title":"arXiv:1810.04805"},{"key":"ref26","article-title":"LLaMA: Open and efficient foundation language models","author":"Touvron","year":"2023","journal-title":"arXiv:2302.13971"},{"key":"ref27","article-title":"Llama 2: Open foundation and fine-tuned chat models","author":"Touvron","year":"2023","journal-title":"arXiv:2307.09288"},{"key":"ref28","first-page":"24824","article-title":"Chain-of-thought prompting elicits reasoning in large language models","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Wei"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1145\/96267.96279"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134020"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/1375581.1375607"},{"key":"ref32","first-page":"151","article-title":"Automated whitebox fuzz testing","volume-title":"Proc. NDSS","author":"Godefroid"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3460319.3464795"},{"key":"ref34","article-title":"DIAR: Removing uninteresting bytes from seeds in software fuzzing","author":"Hussain","year":"2021","journal-title":"arXiv:2112.13297"},{"key":"ref35","volume-title":"American Fuzzy Lop (AFL)","author":"Zalewski","year":"2024"},{"key":"ref36","volume-title":"Rebuff: Llm Prompt Injection Detector","year":"2025"},{"key":"ref37","first-page":"431","article-title":"NeMo guardrails: A toolkit for controllable and safe LLM applications with programmable rails","volume-title":"Proc. Conf. Empirical Methods Natural Lang. Processing: Syst. Demonstrations","author":"Rebedea"},{"key":"ref38","volume-title":"Prompt Guard (Prompt-Guard-86m) Model Card","year":"2024"},{"key":"ref39","volume-title":"Gandalf Ignore Instructions","author":"AI","year":"2023"},{"key":"ref40","article-title":"GPTFUZZER: Red teaming large language models with auto-generated jailbreak prompts","author":"Yu","year":"2023","journal-title":"arXiv:2309.10253"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.52202\/079017-0842"},{"key":"ref42","first-page":"2307","article-title":"EcoFuzz: Adaptive energy-saving greybox fuzzing as a variant of the adversarial multi-armed bandit","volume-title":"Proc. USENIX Secur.","author":"Yue"},{"key":"ref43","first-page":"55","article-title":"BandFuzz: A practical framework for collaborative fuzzing with reinforcement learning","volume-title":"Proc. 17th ACM\/IEEE Int. Workshop Search-Based Fuzz Test.","author":"Shi"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24486"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978428"},{"key":"ref46","article-title":"Language model inversion","author":"Morris","year":"2023","journal-title":"arXiv:2311.13647"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1145\/3689932.3694764"},{"key":"ref48","first-page":"2401","article-title":"PAPILLON: Efficient and stealthy fuzz testing-powered jailbreaks for LLMs","volume-title":"Proc. 34th USENIX Secur. Symp. (USENIX Secur. 25)","author":"Gong"},{"key":"ref49","volume-title":"The Tensor Trust Game","year":"2024"},{"key":"ref50","article-title":"The instruction hierarchy: Training LLMs to prioritize privileged instructions","author":"Wallace","year":"2024","journal-title":"arXiv:2404.13208"},{"key":"ref51","article-title":"Instruction tuning with GPT-4","author":"Peng","year":"2023","journal-title":"arXiv:2304.03277"},{"key":"ref52","article-title":"Measuring massive multitask language understanding","author":"Hendrycks","year":"2020","journal-title":"arXiv:2009.03300"},{"key":"ref53","article-title":"Prompt injection attack against LLM-integrated applications","author":"Liu","year":"2023","journal-title":"arXiv:2306.05499"},{"key":"ref54","article-title":"From prompt injections to SQL injection attacks: How protected is your LLM-integrated web application?","author":"Pedro","year":"2023","journal-title":"arXiv:2308.01990"},{"key":"ref55","article-title":"StruQ: Defending against prompt injection with structured queries","author":"Chen","year":"2024","journal-title":"arXiv:2402. 06363"},{"key":"ref56","article-title":"SmoothLLM: Defending large language models against jailbreaking attacks","author":"Robey","year":"2023","journal-title":"arXiv:2310.03684"},{"key":"ref57","article-title":"Constitutional AI: Harmlessness from AI feedback","author":"Bai","year":"2022","journal-title":"arXiv:2212.08073"},{"key":"ref58","article-title":"Training a helpful and harmless assistant with reinforcement learning from human feedback","author":"Bai","year":"2022","journal-title":"arXiv:2204.05862"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.findings-emnlp.272"},{"key":"ref60","article-title":"Jailbreaking ChatGPT via prompt engineering: An empirical study","author":"Liu","year":"2023","journal-title":"arXiv:2305.13860"},{"key":"ref61","article-title":"Jailbroken: How does LLM safety training fail?","author":"Wei","year":"2023","journal-title":"arXiv:2307.02483"},{"key":"ref62","article-title":"CodeChameleon: Personalized encryption framework for jailbreaking large language models","author":"Lv","year":"2024","journal-title":"arXiv:2402. 16717"},{"key":"ref63","article-title":"GPT-4 is too smart to be safe: Stealthy chat with LLMs via cipher","author":"Yuan","year":"2023","journal-title":"arXiv:2308.06463"},{"key":"ref64","article-title":"Tree of attacks: Jailbreaking black-box LLMs automatically","author":"Mehrotra","year":"2023","journal-title":"arXiv:2312.02119"},{"key":"ref65","article-title":"Jailbreaking black box large language models in twenty queries","author":"Chao","year":"2023","journal-title":"arXiv:2310.08419"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2909068"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23291"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.emnlp-main.757"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.naacl-long.171"},{"key":"ref70","first-page":"5841","article-title":"Quantifying privacy risks of prompts in visual prompt learning","volume-title":"Proc. 33rd USENIX Secur. Symp. (USENIX Secur.)","author":"Wu"}],"container-title":["IEEE Transactions on Information Forensics and Security"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/10206\/11313711\/11405858.pdf?arnumber=11405858","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,17]],"date-time":"2026-03-17T05:45:51Z","timestamp":1773726351000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11405858\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026]]},"references-count":70,"URL":"https:\/\/doi.org\/10.1109\/tifs.2026.3666893","relation":{},"ISSN":["1556-6013","1556-6021"],"issn-type":[{"value":"1556-6013","type":"print"},{"value":"1556-6021","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026]]}}}