{"id":"https://openalex.org/W4411337807","doi":"https://doi.org/10.1109/sp61157.2025.00121","title":"Fun-tuning: Characterizing the Vulnerability of Proprietary LLMs to Optimization-Based Prompt Injection Attacks via the Fine-Tuning Interface","display_name":"Fun-tuning: Characterizing the Vulnerability of Proprietary LLMs to Optimization-Based Prompt Injection Attacks via the Fine-Tuning Interface","publication_year":2025,"publication_date":"2025-05-12","ids":{"openalex":"https://openalex.org/W4411337807","doi":"https://doi.org/10.1109/sp61157.2025.00121"},"language":"en","primary_location":{"id":"doi:10.1109/sp61157.2025.00121","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp61157.2025.00121","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5065946369","display_name":"Andrey Labunets","orcid":"https://orcid.org/0009-0002-7957-4631"},"institutions":[{"id":"https://openalex.org/I2800935791","display_name":"UC San Diego Health System","ror":"https://ror.org/01kbfgm16","country_code":"US","type":"healthcare","lineage":["https://openalex.org/I2800935791"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Andrey Labunets","raw_affiliation_strings":["UC San Diego"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"UC San Diego","institution_ids":["https://openalex.org/I2800935791"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5115944539","display_name":"Nishit V. Pandya","orcid":null},"institutions":[{"id":"https://openalex.org/I2800935791","display_name":"UC San Diego Health System","ror":"https://ror.org/01kbfgm16","country_code":"US","type":"healthcare","lineage":["https://openalex.org/I2800935791"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Nishit V. Pandya","raw_affiliation_strings":["UC San Diego"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"UC San Diego","institution_ids":["https://openalex.org/I2800935791"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5077170899","display_name":"Ashish Hooda","orcid":"https://orcid.org/0000-0002-2928-919X"},"institutions":[{"id":"https://openalex.org/I135310074","display_name":"University of Wisconsin\u2013Madison","ror":"https://ror.org/01y2jtd41","country_code":"US","type":"education","lineage":["https://openalex.org/I135310074"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Ashish Hooda","raw_affiliation_strings":["University of Wisconsin Madison"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Wisconsin Madison","institution_ids":["https://openalex.org/I135310074"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5018979541","display_name":"Xiaohan Fu","orcid":null},"institutions":[{"id":"https://openalex.org/I2800935791","display_name":"UC San Diego Health System","ror":"https://ror.org/01kbfgm16","country_code":"US","type":"healthcare","lineage":["https://openalex.org/I2800935791"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Xiaohan Fu","raw_affiliation_strings":["UC San Diego"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"UC San Diego","institution_ids":["https://openalex.org/I2800935791"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5060924315","display_name":"Earlence Fernandes","orcid":"https://orcid.org/0000-0001-8593-2840"},"institutions":[{"id":"https://openalex.org/I2800935791","display_name":"UC San Diego Health System","ror":"https://ror.org/01kbfgm16","country_code":"US","type":"healthcare","lineage":["https://openalex.org/I2800935791"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Earlence Fernandes","raw_affiliation_strings":["UC San Diego"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"UC San Diego","institution_ids":["https://openalex.org/I2800935791"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":3.3592,"has_fulltext":false,"cited_by_count":2,"citation_normalized_percentile":{"value":0.92398062,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":91,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"411","last_page":"429"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9990000128746033,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9990000128746033,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11005","display_name":"Radiation Effects in Electronics","score":0.9929999709129333,"subfield":{"id":"https://openalex.org/subfields/2208","display_name":"Electrical and Electronic Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9927999973297119,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.802588164806366},{"id":"https://openalex.org/keywords/interface","display_name":"Interface (matter)","score":0.6462424397468567},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.5303664207458496},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.35060638189315796},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.16467449069023132}],"concepts":[{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.802588164806366},{"id":"https://openalex.org/C113843644","wikidata":"https://www.wikidata.org/wiki/Q901882","display_name":"Interface (matter)","level":4,"score":0.6462424397468567},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5303664207458496},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.35060638189315796},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.16467449069023132},{"id":"https://openalex.org/C157915830","wikidata":"https://www.wikidata.org/wiki/Q2928001","display_name":"Bubble","level":2,"score":0.0},{"id":"https://openalex.org/C129307140","wikidata":"https://www.wikidata.org/wiki/Q6795880","display_name":"Maximum bubble pressure method","level":3,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/sp61157.2025.00121","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp61157.2025.00121","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G3478747887","display_name":"CAREER: Security and Privacy Foundations of Internet-Scale User-Centered Automation","funder_award_id":"2312119","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":6,"referenced_works":["https://openalex.org/W3046853140","https://openalex.org/W4388886073","https://openalex.org/W4389518968","https://openalex.org/W4402670146","https://openalex.org/W4402671155","https://openalex.org/W4404612289"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W2390279801","https://openalex.org/W4391913857","https://openalex.org/W2358668433","https://openalex.org/W4396701345","https://openalex.org/W2376932109","https://openalex.org/W2001405890","https://openalex.org/W4396696052"],"abstract_inverted_index":{"We":[0],"surface":[1],"a":[2,97,107,144],"new":[3],"threat":[4],"to":[5,15,37,56,73,154],"closed-weight":[6],"Large":[7],"Language":[8],"Models":[9],"(LLMs)":[10],"that":[11,94],"enables":[12],"an":[13,24,50,71,78],"attacker":[14,25,72],"compute":[16,74],"optimization-based":[17],"prompt":[18,114],"injections.":[19],"Specifically,":[20],"we":[21,81,117],"characterize":[22,82],"how":[23],"can":[26],"leverage":[27],"the":[28,33,39,83,88,112,135,140,152],"loss-like":[29,84],"information":[30,69],"returned":[31,86],"from":[32],"remote":[34],"fine-tuning":[35,45,90,141],"interface":[36,46,142],"guide":[38],"search":[40,109],"for":[41,59,70,100,147],"adversarial":[42,75,104],"prompts.":[43,76],"The":[44],"is":[47],"hosted":[48],"by":[49,87],"LLM":[51],"vendor":[52],"and":[53,92,124],"allows":[54],"developers":[55,148],"fine-tune":[57],"LLMs":[58,153],"their":[60],"tasks,":[61],"thus":[62],"providing":[63],"utility,":[64],"but":[65,149],"also":[66,150],"exposes":[67,151],"enough":[68],"Through":[77],"experimental":[79],"analysis,":[80],"values":[85],"Gemini":[89,128],"API":[91],"demonstrate":[93,118],"they":[95],"provide":[96],"useful":[98,145],"signal":[99],"discrete":[101],"optimization":[102],"of":[103,130],"prompts":[105],"using":[106],"greedy":[108],"algorithm.":[110],"Using":[111],"PurpleLlama":[113],"injection":[115],"benchmark,":[116],"attack":[119],"success":[120],"rates":[121],"between":[122],"65%":[123],"82%":[125],"on":[126],"Google's":[127],"family":[129],"LLMs.":[131],"These":[132],"attacks":[133],"exploit":[134],"classic":[136],"utility-security":[137],"tradeoff":[138],"-":[139],"provides":[143],"feature":[146],"powerful":[155],"attacks.":[156]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":1}],"updated_date":"2026-06-22T08:00:12.763002","created_date":"2025-10-10T00:00:00"}