{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:27:09Z","timestamp":1766442429989,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":54,"publisher":"ACM","funder":[{"name":"Shanghai Sailing Program","award":["23YF1427500"],"award-info":[{"award-number":["23YF1427500"]}]},{"name":"NSFC Program","award":["62302304"],"award-info":[{"award-number":["62302304"]}]},{"name":"ShanghaiTech Startup Funding"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3765064","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:37:25Z","timestamp":1763854645000},"page":"3535-3549","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["AgentSentinel: An End-to-End and Real-Time Security Defense Framework for Computer-Use Agents"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-6803-0314","authenticated-orcid":false,"given":"Haitao","family":"Hu","sequence":"first","affiliation":[{"name":"ShanghaiTech University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-7482-1359","authenticated-orcid":false,"given":"Peng","family":"Chen","sequence":"additional","affiliation":[{"name":"Independent Researcher, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1048-7030","authenticated-orcid":false,"given":"Yanpeng","family":"Zhao","sequence":"additional","affiliation":[{"name":"Independent Researcher, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2988-6012","authenticated-orcid":false,"given":"Yuqi","family":"Chen","sequence":"additional","affiliation":[{"name":"ShanghaiTech University, Shanghai, China"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"AIbase. 2025. Manus AI System Prompt Leakage: Official Response. https:\/\/www.aibase.com\/news\/16138."},{"key":"e_1_3_2_1_2_1","unstructured":"Anthropic. 2024a. Claude 3.7 Sonnet and Claude Code. https:\/\/www.anthropic.com\/news\/claude-3-7-sonnet."},{"key":"e_1_3_2_1_3_1","unstructured":"Anthropic. 2024b. Introducing computer use a new Claude 3.5 Sonnet and Claude 3.5 Haiku. https:\/\/www.anthropic.com\/news\/3-5-models-and-computer-use."},{"key":"e_1_3_2_1_4_1","unstructured":"Anthropic. 2024c. Introducing the Model Context Protocol. https:\/\/www.anthropic.com\/news\/model-context-protocol."},{"key":"e_1_3_2_1_5_1","unstructured":"AutoGPT. 2023. AutoGPT. https:\/\/github.com\/Significant-Gravitas\/AutoGPT."},{"key":"e_1_3_2_1_6_1","volume-title":"AgentGuard: Repurposing Agentic Orchestrator for Safety Evaluation of Tool Orchestration. arXiv preprint arXiv:2502.09809","author":"Chen Jizhou","year":"2025","unstructured":"Jizhou Chen and Samuel Lee Cong. 2025. AgentGuard: Repurposing Agentic Orchestrator for Safety Evaluation of Tool Orchestration. arXiv preprint arXiv:2502.09809 (2025)."},{"key":"e_1_3_2_1_7_1","volume-title":"The Thirty-eight Conference on Neural Information Processing Systems Datasets and Benchmarks Track. https:\/\/openreview.net\/forum?id=m1YYAQjO3w","author":"Debenedetti Edoardo","year":"2024","unstructured":"Edoardo Debenedetti, Jie Zhang, Mislav Balunovic, Luca Beurer-Kellner, Marc Fischer, and Florian Tram\u00e8r. 2024. AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents. In The Thirty-eight Conference on Neural Information Processing Systems Datasets and Benchmarks Track. https:\/\/openreview.net\/forum?id=m1YYAQjO3w"},{"key":"e_1_3_2_1_8_1","unstructured":"eBPF. 2025. eBPF. https:\/\/ebpf.io\/."},{"key":"e_1_3_2_1_9_1","volume-title":"Privacy preserving prompt engineering: A survey. arXiv preprint arXiv:2404.06001","author":"Edemacu Kennedy","year":"2024","unstructured":"Kennedy Edemacu and Xintao Wu. 2024. Privacy preserving prompt engineering: A survey. arXiv preprint arXiv:2404.06001 (2024)."},{"key":"e_1_3_2_1_10_1","unstructured":"Freedesktop. 2005. Poppler. https:\/\/poppler.freedesktop.org\/."},{"key":"e_1_3_2_1_11_1","volume-title":"Imprompter: Tricking LLM Agents into Improper Tool Use. arXiv preprint arXiv:2410.14923","author":"Fu Xiaohan","year":"2024","unstructured":"Xiaohan Fu, Shuheng Li, Zihan Wang, Yihao Liu, Rajesh K Gupta, Taylor Berg-Kirkpatrick, and Earlence Fernandes. 2024. Imprompter: Tricking LLM Agents into Improper Tool Use. arXiv preprint arXiv:2410.14923 (2024)."},{"key":"e_1_3_2_1_12_1","unstructured":"GNU. 2025. Coreutils - GNU core utilities. https:\/\/www.gnu.org\/software\/coreutils\/."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/3605764.3623985"},{"key":"e_1_3_2_1_14_1","volume-title":"Security of AI Agents. In 2025 IEEE\/ACM International Workshop on Responsible AI Engineering (RAIE). IEEE Computer Society, 45-52","author":"He Yifeng","year":"2025","unstructured":"Yifeng He, Ethan Wang, Yuyang Rong, Zifei Cheng, and Hao Chen. 2025. Security of AI Agents. In 2025 IEEE\/ACM International Workshop on Responsible AI Engineering (RAIE). IEEE Computer Society, 45-52."},{"key":"e_1_3_2_1_15_1","volume-title":"The Dawn of GUI Agent: A Preliminary Case Study with Claude 3.5 Computer Use. arXiv preprint arXiv:2411.10323","author":"Hu Siyuan","year":"2024","unstructured":"Siyuan Hu, Mingyu Ouyang, Difei Gao, and Mike Zheng Shou. 2024. The Dawn of GUI Agent: A Preliminary Case Study with Claude 3.5 Computer Use. arXiv preprint arXiv:2411.10323 (2024)."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3703155"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670370"},{"key":"e_1_3_2_1_18_1","volume-title":"Improved techniques for optimization-based jailbreaking on large language models. arXiv preprint arXiv:2405.21018","author":"Jia Xiaojun","year":"2024","unstructured":"Xiaojun Jia, Tianyu Pang, Chao Du, Yihao Huang, Jindong Gu, Yang Liu, Xiaochun Cao, and Min Lin. 2024. Improved techniques for optimization-based jailbreaking on large language models. arXiv preprint arXiv:2405.21018 (2024)."},{"key":"e_1_3_2_1_19_1","volume-title":"Prompt Flow Integrity to Prevent Privilege Escalation in LLM Agents. arXiv preprint arXiv:2503.15547","author":"Kim Juhee","year":"2025","unstructured":"Juhee Kim, Woohyuk Choi, and Byoungyoung Lee. 2025. Prompt Flow Integrity to Prevent Privilege Escalation in LLM Agents. arXiv preprint arXiv:2503.15547 (2025)."},{"key":"e_1_3_2_1_20_1","volume-title":"Soheil Feizi, and Himabindu Lakkaraju.","author":"Kumar Aounon","year":"2023","unstructured":"Aounon Kumar, Chirag Agarwal, Suraj Srinivas, Aaron Jiaxun Li, Soheil Feizi, and Himabindu Lakkaraju. 2023. Certifying llm safety against adversarial prompting. arXiv preprint arXiv:2309.02705 (2023)."},{"key":"e_1_3_2_1_21_1","unstructured":"Learn Prompting. 2023a. Instruction defense. https:\/\/learnprompting.org\/docs\/prompt_hacking\/defensive_measures\/instruction."},{"key":"e_1_3_2_1_22_1","unstructured":"Learn Prompting. 2023b. Random sequence enclosure. https:\/\/learnprompting.org\/docs\/prompt_hacking\/defensive_measures\/random_sequence."},{"key":"e_1_3_2_1_23_1","volume-title":"sudo rm-rf agentic_security. arXiv preprint arXiv:2503.20279","author":"Lee Sejin","year":"2025","unstructured":"Sejin Lee, Jian Kim, Haon Park, Ashkan Yousefpour, Sangyoon Yu, and Min Song. 2025. sudo rm-rf agentic_security. arXiv preprint arXiv:2503.20279 (2025)."},{"key":"e_1_3_2_1_24_1","volume-title":"Nl2bash: A corpus and semantic parser for natural language interface to the linux operating system. arXiv preprint arXiv:1802.08979","author":"Lin Xi Victoria","year":"2018","unstructured":"Xi Victoria Lin, Chenglong Wang, Luke Zettlemoyer, and Michael D Ernst. 2018. Nl2bash: A corpus and semantic parser for natural language interface to the linux operating system. arXiv preprint arXiv:1802.08979 (2018)."},{"key":"e_1_3_2_1_25_1","volume-title":"Agentbench: Evaluating llms as agents. arXiv preprint arXiv:2308.03688","author":"Liu Xiao","year":"2023","unstructured":"Xiao Liu, Hao Yu, Hanchen Zhang, Yifan Xu, Xuanyu Lei, Hanyu Lai, Yu Gu, Hangliang Ding, Kaiwen Men, Kejuan Yang, et al., 2023. Agentbench: Evaluating llms as agents. arXiv preprint arXiv:2308.03688 (2023)."},{"key":"e_1_3_2_1_26_1","unstructured":"Yadong Lu Jianwei Yang Yelong Shen and Ahmed Awadallah. 2024. OmniParser for Pure Vision Based GUI Agent. arXiv:2408.00203 [cs.CV] https:\/\/arxiv.org\/abs\/2408.00203"},{"key":"e_1_3_2_1_27_1","unstructured":"Manus. 2024. Introducing Manus. https:\/\/manus.im\/."},{"key":"e_1_3_2_1_28_1","volume-title":"Membership inference attacks against language models via neighbourhood comparison. arXiv preprint arXiv:2305.18462","author":"Mattern Justus","year":"2023","unstructured":"Justus Mattern, Fatemehsadat Mireshghallah, Zhijing Jin, Bernhard Sch\u00f6lkopf, Mrinmaya Sachan, and Taylor Berg-Kirkpatrick. 2023. Membership inference attacks against language models via neighbourhood comparison. arXiv preprint arXiv:2305.18462 (2023)."},{"key":"e_1_3_2_1_29_1","unstructured":"Meta. 2025a. Llama Guard 4. https:\/\/www.llama.com\/docs\/model-cards-and-prompt-formats\/llama-guard-4."},{"key":"e_1_3_2_1_30_1","unstructured":"Meta. 2025b. Prompt Guard 2. https:\/\/www.llama.com\/docs\/model-cards-and-prompt-formats\/prompt-guard."},{"key":"e_1_3_2_1_31_1","volume-title":"Guoqing Zheng, Shweti Mahajan, Dany Rouhana, Andres Codas, Yadong Lu, Wei-ge Chen, Olga Vrousgos, Corby Rosset, et al.","author":"Mitra Arindam","year":"2024","unstructured":"Arindam Mitra, Luciano Del Corro, Guoqing Zheng, Shweti Mahajan, Dany Rouhana, Andres Codas, Yadong Lu, Wei-ge Chen, Olga Vrousgos, Corby Rosset, et al., 2024. Agentinstruct: Toward generative teaching with agentic flows. arXiv preprint arXiv:2407.03502 (2024)."},{"key":"e_1_3_2_1_32_1","unstructured":"OpenAI. 2024. Hello GPT-4o. https:\/\/openai.com\/index\/hello-gpt-4o\/."},{"key":"e_1_3_2_1_33_1","unstructured":"OpenAI. 2025. Introducing Operator. https:\/\/openai.com\/index\/introducing-operator\/."},{"key":"e_1_3_2_1_34_1","volume-title":"The Twelfth International Conference on Learning Representations.","author":"Ruan Yangjun","year":"2024","unstructured":"Yangjun Ruan, Honghua Dong, Andrew Wang, Silviu Pitis, Yongchao Zhou, Jimmy Ba, Yann Dubois, Chris J Maddison, and Tatsunori Hashimoto. 2024. Identifying the Risks of LM Agents with an LM-Emulated Sandbox. In The Twelfth International Conference on Learning Representations."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW61312.2024.00054"},{"key":"e_1_3_2_1_36_1","volume-title":"We have a package for you! A comprehensive analysis of package hallucinations by code generating llms. arXiv preprint arXiv:2406.10279","author":"Spracklen Joseph","year":"2024","unstructured":"Joseph Spracklen, Raveen Wijewickrama, AHM Sakib, Anindya Maiti, Bimal Viswanath, and Murtuza Jadliwala. 2024. We have a package for you! A comprehensive analysis of package hallucinations by code generating llms. arXiv preprint arXiv:2406.10279 (2024)."},{"key":"e_1_3_2_1_37_1","unstructured":"swisskyrepo. 2025. Internal All The Things. https:\/\/github.com\/swisskyrepo\/InternalAllTheThings."},{"key":"e_1_3_2_1_38_1","unstructured":"The Linux Kernel documentation. 2025. LSM BPF Programs. https:\/\/docs.kernel.org\/bpf\/prog_lsm.html."},{"key":"e_1_3_2_1_39_1","unstructured":"Tookmund. 2022. The Unexpected Importance of the Trailing Slash. https:\/\/tookmund.com\/2022\/04\/importance-of-the-trailing-slash."},{"key":"e_1_3_2_1_40_1","volume-title":"International Conference on Machine Learning. PMLR, 35413-35425","author":"Wan Alexander","year":"2023","unstructured":"Alexander Wan, Eric Wallace, Sheng Shen, and Dan Klein. 2023. Poisoning language models during instruction tuning. In International Conference on Machine Learning. PMLR, 35413-35425."},{"key":"e_1_3_2_1_41_1","volume-title":"Badagent: Inserting and activating backdoor attacks in llm agents. arXiv preprint arXiv:2406.03007","author":"Wang Yifei","year":"2024","unstructured":"Yifei Wang, Dizhan Xue, Shengjie Zhang, and Shengsheng Qian. 2024b. Badagent: Inserting and activating backdoor attacks in llm agents. arXiv preprint arXiv:2406.03007 (2024)."},{"key":"e_1_3_2_1_42_1","volume-title":"AttnGCG: Enhancing jailbreaking attacks on LLMs with attention manipulation. arXiv preprint arXiv:2410.09040","author":"Wang Zijun","year":"2024","unstructured":"Zijun Wang, Haoqin Tu, Jieru Mei, Bingchen Zhao, Yisen Wang, and Cihang Xie. 2024a. AttnGCG: Enhancing jailbreaking attacks on LLMs with attention manipulation. arXiv preprint arXiv:2410.09040 (2024)."},{"key":"e_1_3_2_1_43_1","unstructured":"Wikipedia. 2025. Data masking. https:\/\/en.wikipedia.org\/wiki\/Data_masking."},{"key":"e_1_3_2_1_44_1","unstructured":"Simon Willison. 2022. Prompt injection attacks against GPT-3. https:\/\/simonwillison.net\/2022\/Sep\/12\/prompt-injection\/."},{"key":"e_1_3_2_1_45_1","volume-title":"IsolateGPT: An Execution Isolation Architecture for LLM-Based Agentic Systems. arXiv preprint arXiv:2403.04960","author":"Wu Yuhao","year":"2024","unstructured":"Yuhao Wu, Franziska Roesner, Tadayoshi Kohno, Ning Zhang, and Umar Iqbal. 2024. IsolateGPT: An Execution Isolation Architecture for LLM-Based Agentic Systems. arXiv preprint arXiv:2403.04960 (2024)."},{"key":"e_1_3_2_1_46_1","volume-title":"Guardagent: Safeguard llm agents by a guard agent via knowledge-enabled reasoning. arXiv preprint arXiv:2406.09187","author":"Xiang Zhen","year":"2024","unstructured":"Zhen Xiang, Linzhi Zheng, Yanjie Li, Junyuan Hong, Qinbin Li, Han Xie, Jiawei Zhang, Zidi Xiong, Chulin Xie, Carl Yang, et al., 2024. Guardagent: Safeguard llm agents by a guard agent via knowledge-enabled reasoning. arXiv preprint arXiv:2406.09187 (2024)."},{"key":"e_1_3_2_1_47_1","first-page":"52040","article-title":"Osworld: Benchmarking multimodal agents for open-ended tasks in real computer environments","volume":"37","author":"Xie Tianbao","year":"2024","unstructured":"Tianbao Xie, Danyang Zhang, Jixuan Chen, Xiaochuan Li, Siheng Zhao, Ruisheng Cao, Toh J Hua, Zhoujun Cheng, Dongchan Shin, Fangyu Lei, et al., 2024. Osworld: Benchmarking multimodal agents for open-ended tasks in real computer environments. Advances in Neural Information Processing Systems, Vol. 37 (2024), 52040-52094.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_48_1","unstructured":"Miao Yu Fanci Meng Xinyun Zhou Shilong Wang Junyuan Mao Linsey Pang Tianlong Chen Kun Wang Xinfeng Li Yongfeng Zhang et al. 2025. A Survey on Trustworthy LLM Agents: Threats and Countermeasures. arXiv preprint arXiv:2503.09648 (2025)."},{"key":"e_1_3_2_1_49_1","volume-title":"The Thirteenth International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=V4y0CpX4hK","author":"Zhang Hanrong","year":"2025","unstructured":"Hanrong Zhang, Jingyuan Huang, Kai Mei, Yifei Yao, Zhenting Wang, Chenlu Zhan, Hongwei Wang, and Yongfeng Zhang. 2025. Agent Security Bench (ASB): Formalizing and Benchmarking Attacks and Defenses in LLM-based Agents. In The Thirteenth International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=V4y0CpX4hK"},{"key":"e_1_3_2_1_50_1","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Zhang Rui","year":"2024","unstructured":"Rui Zhang, Hongwei Li, Rui Wen, Wenbo Jiang, Yuan Zhang, Michael Backes, Yun Shen, and Yang Zhang. 2024a. Instruction backdoor attacks against customized {LLMs}. In 33rd USENIX Security Symposium (USENIX Security 24). 1849-1866."},{"key":"e_1_3_2_1_51_1","unstructured":"Yue Zhang Yafu Li Leyang Cui Deng Cai Lemao Liu Tingchen Fu Xinting Huang Enbo Zhao Yu Zhang Yulong Chen et al. 2023. Siren's song in the AI ocean: a survey on hallucination in large language models. arXiv preprint arXiv:2309.01219 (2023)."},{"key":"e_1_3_2_1_52_1","volume-title":"Attacking Vision-Language Computer Agents via Pop-ups. arXiv preprint arXiv:2411.02391","author":"Zhang Yanzhe","year":"2024","unstructured":"Yanzhe Zhang, Tao Yu, and Diyi Yang. 2024b. Attacking Vision-Language Computer Agents via Pop-ups. arXiv preprint arXiv:2411.02391 (2024)."},{"key":"e_1_3_2_1_53_1","volume-title":"A Survey on Backdoor Threats in Large Language Models (LLMs): Attacks, Defenses, and Evaluations. arXiv preprint arXiv:2502.05224","author":"Zhou Yihe","year":"2025","unstructured":"Yihe Zhou, Tao Ni, Wei-Bin Lee, and Qingchuan Zhao. 2025. A Survey on Backdoor Threats in Large Language Models (LLMs): Attacks, Defenses, and Evaluations. arXiv preprint arXiv:2502.05224 (2025)."},{"key":"e_1_3_2_1_54_1","volume-title":"Universal and transferable adversarial attacks on aligned language models. arXiv preprint arXiv:2307.15043","author":"Zou Andy","year":"2023","unstructured":"Andy Zou, Zifan Wang, Nicholas Carlini, Milad Nasr, J Zico Kolter, and Matt Fredrikson. 2023. Universal and transferable adversarial attacks on aligned language models. arXiv preprint arXiv:2307.15043 (2023)."}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Taipei Taiwan","acronym":"CCS '25"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765064","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:23:25Z","timestamp":1766442205000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3765064"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":54,"alternative-id":["10.1145\/3719027.3765064","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3765064","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}