Exploiting Prompt-induced Confidence for Black-Box Attacks on LLMs (2025.findings-emnlp)
Copied to clipboard
| Challenge: | Large language models (LLMs) are vulnerable to adversarial attacks even in strict black-box settings with only hard-label feedback. |
| Approach: | They propose a black-box framework that leverages prompt-induced confidence as an auxiliary signal to guide attacks. |
| Outcome: | The proposed framework improves the attack success rate and query efficiency while maintaining semantic fidelity. |
Similar Papers
Bayesian Prompt Ensembles: Model Uncertainty Estimation for Black-Box Large Language Models (2024.findings-acl)
Copied to clipboard
| Challenge: | Existing approaches to quantify uncertainty of pre-trained large language models require specific architectures or retraining strategies. |
| Approach: | They propose a Bayesian Prompts Ensemble approach to accurately quantify LLM uncertainty . they compute output probabilities through a weighted ensemble of different task instruction prompts . |
| Outcome: | The proposed approach achieves significantly superior calibration over baselines over a range of natural language classification tasks. |
Prompt as Triggers for Backdoor Attack: Examining the Vulnerability in Language Models (2023.emnlp-main)
Copied to clipboard
| Challenge: | ProAttack is a novel and efficient method for performing clean-label backdoor attacks based on the prompt, which uses the prompt itself as a trigger. |
| Approach: | They propose a method for performing clean-label backdoor attacks based on the prompt, which uses the prompt itself as a trigger. |
| Outcome: | The proposed method achieves state-of-the-art performance on several NLP tasks, particularly in few-shot settings. |
Transferable Direct Prompt Injection via Activation-Guided MCMC Sampling (2025.emnlp-main)
Copied to clipboard
| Challenge: | Experimental results show superior cross-model transferability . Prompt injection attacks are among the most critical threats . |
| Approach: | They propose an activations-guided prompt injection attack framework to address the impracticality of existing white-box/gray-box methods and the poor transferability of black-box approaches. |
| Outcome: | The proposed framework achieves 49.6% success rate and 34.6% improvement over human-crafted prompts on five mainstream LLMs. |
The TIP of the Iceberg: Revealing a Hidden Class of Task-in-Prompt Adversarial Attacks on LLMs (2025.acl-long)
Copied to clipboard
| Challenge: | cipher decoding, riddles, code execution embedded into model prompts bypass safety safeguards of large language models (LLMs) . |
| Approach: | They introduce a novel class of adversarial jailbreak adversarials on large language models, termed Task-in-Prompt (TIP) attacks. |
| Outcome: | The proposed techniques circumvent safeguards in six state-of-the-art language models, including GPT-4o and LLaMA 3.2, and consistently generate restricted content . |
Conjunctive Prompt Attacks in Multi-Agent LLM Systems (2026.acl-long)
Copied to clipboard
| Challenge: | Existing defenses do not reliably stop the attack because no single component appears malicious in isolation. |
| Approach: | They study conjunctive prompt attacks where trigger key and adversarial template appear benign alone but activate harmful behavior when routing brings them together. |
| Outcome: | The proposed model significantly improves performance over baselines while keeping false activations low. |
PromptKeeper: Safeguarding System Prompts for LLMs (2025.findings-emnlp)
Copied to clipboard
| Challenge: | PromptKeeper is a defense mechanism designed to safeguard system prompts . adversarial and regular queries can exploit LLM vulnerabilities to expose hidden prompts. |
| Approach: | PromptKeeper is a defense mechanism designed to safeguard system prompts . it detects both explicit and subtle leakage and regenerates responses using a dummy prompt . |
| Outcome: | PromptKeeper detects and mitigates side-channel vulnerabilities when prompts are exposed . it regenerates responses using a dummy prompt, ensuring outputs remain indistinguishable from typical interactions . |
Attack Prompt Generation for Red Teaming and Defending Large Language Models (2023.findings-emnlp)
Copied to clipboard
| Challenge: | Existing studies construct attack prompts via manual or automatic methods, but these methods have limitations on cost and quality. |
| Approach: | They propose an attack framework to instruct LLMs to mimic human-generated prompts through in-context learning and a defense framework that fine-tunes victim LLM's through iterative interactions with the attack framework. |
| Outcome: | The proposed approach is based on experiments on different LLMs to evaluate their effectiveness against red teaming attacks. |
Defense Against Prompt Injection Attack by Leveraging Attack Techniques (2025.acl-long)
Copied to clipboard
| Challenge: | Recent attacks leverage LLMs’ instruction-following abilities and their inabilities to distinguish instructions injected in the data content. |
| Approach: | They invert the intention of prompt injection methods to develop novel defense methods based on previous training-free attack methods by repeating the attack process with the original input instruction rather than the injected instruction. |
| Outcome: | The proposed methods outperform existing defense approaches, achieving state-of-the-art results. |
Beyond Prompt Engineering: A Systematic Analysis of Prompt Lexical Sensitivity and Its Impacts on Quality (2026.findings-acl)
Copied to clipboard
Qipeng Xie, Zi Liang, Jiafei Wu, Yufei Chen, Weizheng Wang, Wenao Ma, Zhong Ming, Haiqin Yang, Kaishun Wu
| Challenge: | Existing studies on prompt engineering have focused on optimizing models for performance under stylistic perturbations. |
| Approach: | They conduct the first analysis of n-gram token-level mechanisms . they find that higher average performance is inherently associated with lower variance and greater stability. |
| Outcome: | The proposed model reduces the variance of the generated code by 40% . the proposed model is based on a large-scale dataset of 132,000 prompt variants . |
Ignore This Title and HackAPrompt: Exposing Systemic Vulnerabilities of LLMs Through a Global Prompt Hacking Competition (2023.emnlp-main)
Copied to clipboard
Sander Schulhoff, Jeremy Pinto, Anaum Khan, Louis-François Bouchard, Chenglei Si, Svetlina Anati, Valen Tagliabue, Anson Kost, Christopher Carnahan, Jordan Boyd-Graber
| Challenge: | Large Language Models are increasingly being deployed in interactive contexts that involve direct user engagement. |
| Approach: | They run a global prompt hacking competition to encourage research on prompt hacks . they elicit 600K+ adversarial prompts against three state-of-the-art LLMs based on a dataset . |
| Outcome: | The results of the competition show that current LLMs can be manipulated via prompt hacking . the competition elicits 600K+ adversarial prompts against three state-of-the-art LLM models . |