Challenge: Large language models (LLMs) are vulnerable to adversarial attacks even in strict black-box settings with only hard-label feedback.
Approach: They propose a black-box framework that leverages prompt-induced confidence as an auxiliary signal to guide attacks.
Outcome: The proposed framework improves the attack success rate and query efficiency while maintaining semantic fidelity.

Similar Papers

Bayesian Prompt Ensembles: Model Uncertainty Estimation for Black-Box Large Language Models (2024.findings-acl)

Copied to clipboard

Challenge: Existing approaches to quantify uncertainty of pre-trained large language models require specific architectures or retraining strategies.
Approach: They propose a Bayesian Prompts Ensemble approach to accurately quantify LLM uncertainty . they compute output probabilities through a weighted ensemble of different task instruction prompts .
Outcome: The proposed approach achieves significantly superior calibration over baselines over a range of natural language classification tasks.
Prompt as Triggers for Backdoor Attack: Examining the Vulnerability in Language Models (2023.emnlp-main)

Copied to clipboard

Challenge: ProAttack is a novel and efficient method for performing clean-label backdoor attacks based on the prompt, which uses the prompt itself as a trigger.
Approach: They propose a method for performing clean-label backdoor attacks based on the prompt, which uses the prompt itself as a trigger.
Outcome: The proposed method achieves state-of-the-art performance on several NLP tasks, particularly in few-shot settings.
Transferable Direct Prompt Injection via Activation-Guided MCMC Sampling (2025.emnlp-main)

Copied to clipboard

Challenge: Experimental results show superior cross-model transferability . Prompt injection attacks are among the most critical threats .
Approach: They propose an activations-guided prompt injection attack framework to address the impracticality of existing white-box/gray-box methods and the poor transferability of black-box approaches.
Outcome: The proposed framework achieves 49.6% success rate and 34.6% improvement over human-crafted prompts on five mainstream LLMs.
The TIP of the Iceberg: Revealing a Hidden Class of Task-in-Prompt Adversarial Attacks on LLMs (2025.acl-long)

Copied to clipboard

Challenge: cipher decoding, riddles, code execution embedded into model prompts bypass safety safeguards of large language models (LLMs) .
Approach: They introduce a novel class of adversarial jailbreak adversarials on large language models, termed Task-in-Prompt (TIP) attacks.
Outcome: The proposed techniques circumvent safeguards in six state-of-the-art language models, including GPT-4o and LLaMA 3.2, and consistently generate restricted content .
Conjunctive Prompt Attacks in Multi-Agent LLM Systems (2026.acl-long)

Copied to clipboard

Challenge: Existing defenses do not reliably stop the attack because no single component appears malicious in isolation.
Approach: They study conjunctive prompt attacks where trigger key and adversarial template appear benign alone but activate harmful behavior when routing brings them together.
Outcome: The proposed model significantly improves performance over baselines while keeping false activations low.
PromptKeeper: Safeguarding System Prompts for LLMs (2025.findings-emnlp)

Copied to clipboard

Challenge: PromptKeeper is a defense mechanism designed to safeguard system prompts . adversarial and regular queries can exploit LLM vulnerabilities to expose hidden prompts.
Approach: PromptKeeper is a defense mechanism designed to safeguard system prompts . it detects both explicit and subtle leakage and regenerates responses using a dummy prompt .
Outcome: PromptKeeper detects and mitigates side-channel vulnerabilities when prompts are exposed . it regenerates responses using a dummy prompt, ensuring outputs remain indistinguishable from typical interactions .
Attack Prompt Generation for Red Teaming and Defending Large Language Models (2023.findings-emnlp)

Copied to clipboard

Challenge: Existing studies construct attack prompts via manual or automatic methods, but these methods have limitations on cost and quality.
Approach: They propose an attack framework to instruct LLMs to mimic human-generated prompts through in-context learning and a defense framework that fine-tunes victim LLM's through iterative interactions with the attack framework.
Outcome: The proposed approach is based on experiments on different LLMs to evaluate their effectiveness against red teaming attacks.
Defense Against Prompt Injection Attack by Leveraging Attack Techniques (2025.acl-long)

Copied to clipboard

Challenge: Recent attacks leverage LLMs’ instruction-following abilities and their inabilities to distinguish instructions injected in the data content.
Approach: They invert the intention of prompt injection methods to develop novel defense methods based on previous training-free attack methods by repeating the attack process with the original input instruction rather than the injected instruction.
Outcome: The proposed methods outperform existing defense approaches, achieving state-of-the-art results.
Beyond Prompt Engineering: A Systematic Analysis of Prompt Lexical Sensitivity and Its Impacts on Quality (2026.findings-acl)

Copied to clipboard

Challenge: Existing studies on prompt engineering have focused on optimizing models for performance under stylistic perturbations.
Approach: They conduct the first analysis of n-gram token-level mechanisms . they find that higher average performance is inherently associated with lower variance and greater stability.
Outcome: The proposed model reduces the variance of the generated code by 40% . the proposed model is based on a large-scale dataset of 132,000 prompt variants .
Ignore This Title and HackAPrompt: Exposing Systemic Vulnerabilities of LLMs Through a Global Prompt Hacking Competition (2023.emnlp-main)

Copied to clipboard

Challenge: Large Language Models are increasingly being deployed in interactive contexts that involve direct user engagement.
Approach: They run a global prompt hacking competition to encourage research on prompt hacks . they elicit 600K+ adversarial prompts against three state-of-the-art LLMs based on a dataset .
Outcome: The results of the competition show that current LLMs can be manipulated via prompt hacking . the competition elicits 600K+ adversarial prompts against three state-of-the-art LLM models .

What is GenGO?

GenGO is an NLP powered publication search system. It currenctly indexes 30k+ papers from ACL Anthology, and implements multi-aspect summarization, semantic search, and more!

Information

About
Limitations