Tag
This paper introduces STEER, a gradient-guided attack that exploits LLMs' safety training distribution by translating high-attribution words into low-resource languages to bypass refusal mechanisms, achieving up to 96.7% attack success rate on AdvBench and transferring to GPT-4o-mini at 35.5% ASR.
This paper investigates whether LLMs can reliably self-report when their outputs have been compromised by adversarial prefills, finding that models often cannot distinguish between compromised and intentional outputs, and their limited recognition stems from normal refusal behavior rather than true self-awareness.
This paper introduces the Forced Deferral Attack (FDA), an adversarial image attack that manipulates confidence scores in multimodal LLM cascades, causing queries to be unnecessarily routed to stronger (more expensive) models, thereby shifting compute costs to the provider without degrading answer correctness.
This paper demonstrates that AI peer reviewers can be manipulated by modifying only presentation-level content (such as abstract, framing, and narrative) without changing any scientific evidence, achieving a 75.1% attack success rate. The authors introduce adversarial repackaging, a closed-loop attack that exploits AI reviewers' tendency to be impressed rather than convinced, and release a benchmark for testing robustness.
POISE is a stealthy skill-poisoning attack that embeds malicious triggers within benign-looking instructions, achieving high attack success rates while evading detection by LLM scanners.
This paper introduces a dual-layer caption poisoning attack on retrieval-augmented text-to-music systems, showing that an attacker can inject malicious captions into the knowledge database to steer generated music toward attacker-chosen intent without modifying user prompts or models.
This paper presents the first model extraction attack on graph classification under strict black-box constraints, exploiting subgraph explanations to estimate decision boundaries. The findings reveal that mandated explainability interfaces create exploitable security vulnerabilities in Graph Neural Network services.
This paper identifies three threat models for test-time training (TTT) that adversaries can exploit to bypass safety filters in LLMs, achieving high attack success rates. The findings reveal that TTT introduces new vulnerabilities that undermine existing safety guardrails.
Researchers have discovered that inaudible sounds can be embedded in YouTube videos, podcasts, or music to surreptitiously command AI voice assistants, enabling a new class of auditory prompt injection attacks.
This paper investigates jailbreak attacks on Large Reasoning Models (LRMs), revealing that attack success correlates with attention patterns. The authors propose a reinforcement learning-based jailbreak method that incorporates attention signals into the reward function and uses diverse persuasion strategies, achieving significantly higher attack success rates across multiple benchmarks.
This paper studies adversarial action masking in self-play reinforcement learning, where an attacker selectively removes legal actions from a victim's action set. The attack is shown to be significantly more damaging than random masking or perturbation baselines across multiple environments and algorithms, and victims do not recover under extended training.
This paper introduces AESOP, a framework for adversarial execution-path selection that significantly inflates FLOPs and latency in deep learning inference pipelines, revealing new efficiency-based vulnerabilities.
This paper introduces Semantic Representation Attack (SRA), a novel LLM-agnostic method that optimizes for malicious semantic representations rather than exact text, achieving high attack success rates across multiple open-source models.
MedFocusLeak introduces the first transferable black-box adversarial attack on medical vision-language models, using imperceptible background perturbations to mislead clinical diagnoses across six imaging modalities.