{"id":"https://openalex.org/W4409150456","doi":"https://doi.org/10.1145/3690624.3709179","title":"Benchmarking and Defending against Indirect Prompt Injection Attacks on Large Language Models","display_name":"Benchmarking and Defending against Indirect Prompt Injection Attacks on Large Language Models","publication_year":2025,"publication_date":"2025-04-04","ids":{"openalex":"https://openalex.org/W4409150456","doi":"https://doi.org/10.1145/3690624.3709179"},"language":"en","primary_location":{"id":"doi:10.1145/3690624.3709179","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3690624.3709179","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining V.1","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3690624.3709179","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5023080342","display_name":"Jingwei Yi","orcid":"https://orcid.org/0009-0001-2786-6395"},"institutions":[{"id":"https://openalex.org/I126520041","display_name":"University of Science and Technology of China","ror":"https://ror.org/04c4dkn09","country_code":"CN","type":"education","lineage":["https://openalex.org/I126520041","https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Jingwei Yi","raw_affiliation_strings":["University of Science and Technology of China, Heifei, China"],"affiliations":[{"raw_affiliation_string":"University of Science and Technology of China, Heifei, China","institution_ids":["https://openalex.org/I126520041"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037356694","display_name":"Yueqi 
Xie","orcid":"https://orcid.org/0000-0002-5169-3180"},"institutions":[{"id":"https://openalex.org/I200769079","display_name":"Hong Kong University of Science and Technology","ror":"https://ror.org/00q4vv597","country_code":"HK","type":"education","lineage":["https://openalex.org/I200769079"]}],"countries":["HK"],"is_corresponding":false,"raw_author_name":"Yueqi Xie","raw_affiliation_strings":["Hong Kong University of Science and Technology, Hong Kong, China"],"affiliations":[{"raw_affiliation_string":"Hong Kong University of Science and Technology, Hong Kong, China","institution_ids":["https://openalex.org/I200769079"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101883857","display_name":"Bin Zhu","orcid":"https://orcid.org/0000-0002-3571-7808"},"institutions":[{"id":"https://openalex.org/I4210113369","display_name":"Microsoft Research Asia (China)","ror":"https://ror.org/0300m5276","country_code":"CN","type":"company","lineage":["https://openalex.org/I1290206253","https://openalex.org/I4210113369"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Bin Zhu","raw_affiliation_strings":["Microsoft Corporation, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Microsoft Corporation, Beijing, China","institution_ids":["https://openalex.org/I4210113369"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5079458476","display_name":"Emre K\u0131c\u0131man","orcid":"https://orcid.org/0000-0001-5429-468X"},"institutions":[{"id":"https://openalex.org/I1290206253","display_name":"Microsoft (United States)","ror":"https://ror.org/00d0nc645","country_code":"US","type":"company","lineage":["https://openalex.org/I1290206253"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Emre Kiciman","raw_affiliation_strings":["Microsoft Corporation, Redmond, USA"],"affiliations":[{"raw_affiliation_string":"Microsoft Corporation, Redmond, 
USA","institution_ids":["https://openalex.org/I1290206253"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100932403","display_name":"Guangzhong Sun","orcid":"https://orcid.org/0000-0002-0794-7681"},"institutions":[{"id":"https://openalex.org/I126520041","display_name":"University of Science and Technology of China","ror":"https://ror.org/04c4dkn09","country_code":"CN","type":"education","lineage":["https://openalex.org/I126520041","https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Guangzhong Sun","raw_affiliation_strings":["University of Science and Technology of China, Hefei, China"],"affiliations":[{"raw_affiliation_string":"University of Science and Technology of China, Hefei, China","institution_ids":["https://openalex.org/I126520041"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5044651577","display_name":"Xing Xie","orcid":"https://orcid.org/0000-0002-8608-8482"},"institutions":[{"id":"https://openalex.org/I4210113369","display_name":"Microsoft Research Asia (China)","ror":"https://ror.org/0300m5276","country_code":"CN","type":"company","lineage":["https://openalex.org/I1290206253","https://openalex.org/I4210113369"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xing Xie","raw_affiliation_strings":["Microsoft Corporation, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Microsoft Corporation, Beijing, China","institution_ids":["https://openalex.org/I4210113369"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5076423724","display_name":"Fangzhao Wu","orcid":"https://orcid.org/0000-0001-9138-1272"},"institutions":[{"id":"https://openalex.org/I4210113369","display_name":"Microsoft Research Asia 
(China)","ror":"https://ror.org/0300m5276","country_code":"CN","type":"company","lineage":["https://openalex.org/I1290206253","https://openalex.org/I4210113369"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Fangzhao Wu","raw_affiliation_strings":["Microsoft Corporation, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Microsoft Corporation, Beijing, China","institution_ids":["https://openalex.org/I4210113369"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5023080342"],"corresponding_institution_ids":["https://openalex.org/I126520041"],"apc_list":null,"apc_paid":null,"fwci":42.1767,"has_fulltext":false,"cited_by_count":19,"citation_normalized_percentile":{"value":0.99740728,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"1809","last_page":"1820"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.9994999766349792,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.9994999766349792,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10181","display_name":"Natural Language Processing Techniques","score":0.9947999715805054,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial 
Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.992900013923645,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/benchmarking","display_name":"Benchmarking","score":0.8302823305130005},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.5916642546653748},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.35572224855422974},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.17445477843284607}],"concepts":[{"id":"https://openalex.org/C86251818","wikidata":"https://www.wikidata.org/wiki/Q816754","display_name":"Benchmarking","level":2,"score":0.8302823305130005},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5916642546653748},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer 
security","level":1,"score":0.35572224855422974},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.17445477843284607},{"id":"https://openalex.org/C162853370","wikidata":"https://www.wikidata.org/wiki/Q39809","display_name":"Marketing","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3690624.3709179","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3690624.3709179","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining V.1","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3690624.3709179","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3690624.3709179","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining V.1","raw_type":"proceedings-article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/5","display_name":"Gender 
equality","score":0.46000000834465027}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":11,"referenced_works":["https://openalex.org/W2557764419","https://openalex.org/W2888482885","https://openalex.org/W2963899988","https://openalex.org/W4221143046","https://openalex.org/W4225108562","https://openalex.org/W4226278401","https://openalex.org/W4281557260","https://openalex.org/W4292779060","https://openalex.org/W4388626886","https://openalex.org/W6778883912","https://openalex.org/W6838865847"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W4238897586","https://openalex.org/W435179959","https://openalex.org/W2619091065","https://openalex.org/W2059640416","https://openalex.org/W1490753184","https://openalex.org/W2284465472","https://openalex.org/W2291782699"],"abstract_inverted_index":{"The":[0],"integration":[1],"of":[2,67,104,110,170],"large":[3],"language":[4],"models":[5],"(LLMs)":[6],"with":[7],"external":[8,33,113],"content":[9,34],"has":[10],"enabled":[11],"applications":[12,182],"such":[13,68],"as":[14],"Microsoft":[15],"Copilot":[16],"but":[17],"also":[18],"introduced":[19],"vulnerabilities":[20,135],"to":[21,63,88,93,132,161],"indirect":[22,57],"prompt":[23,58],"injection":[24,59],"attacks.":[25],"In":[26],"these":[27,117,134],"attacks,":[28,60],"malicious":[29],"instructions":[30,111],"embedded":[31],"within":[32,112],"can":[35],"manipulate":[36],"LLM":[37,181],"outputs,":[38],"causing":[39],"deviations":[40],"from":[41],"user":[42],"expectations.":[43],"To":[44],"address":[45,133],"this":[46,174],"critical":[47],"yet":[48],"under-explored":[49],"issue,":[50],"we":[51,72,119],"introduce":[52],"the":[53,65,108,157,167],"first":[54],"benchmark":[55],"for":[56],"named":[61],"BIPIA,":[62,71],"assess":[64],"risk":[66],"vulnerabilities.":[69],"Using":[70],"evaluate":[73],"existing":[74],
"LLMs":[75],"and":[76,98,101,128,139,183,187],"find":[77],"them":[78],"universally":[79],"vulnerable.":[80],"Our":[81,190],"analysis":[82],"identifies":[83],"two":[84,121],"key":[85],"factors":[86],"contributing":[87],"their":[89,102,185],"success:":[90],"LLMs'":[91],"inability":[92],"distinguish":[94],"between":[95],"informational":[96],"context":[97],"actionable":[99],"instructions,":[100],"lack":[103],"awareness":[105,127],"in":[106,136],"avoiding":[107],"execution":[109],"content.":[114],"Based":[115],"on":[116],"findings,":[118],"propose":[120],"novel":[122],"defense":[123,148,155],"mechanisms":[124],"--":[125,131],"boundary":[126],"explicit":[129],"reminder":[130],"both":[137],"black-box":[138,147],"white-box":[140,154],"settings.":[141],"Extensive":[142],"experiments":[143],"demonstrate":[144],"that":[145],"our":[146,153],"provides":[149],"substantial":[150],"mitigation,":[151],"while":[152,165],"reduces":[156],"attack":[158],"success":[159],"rate":[160],"near-zero":[162],"levels,":[163],"all":[164],"preserving":[166],"output":[168],"quality":[169],"LLMs.":[171],"We":[172],"hope":[173],"work":[175],"inspires":[176],"further":[177],"research":[178],"into":[179],"securing":[180],"fostering":[184],"safe":[186],"reliable":[188],"use.":[189],"code":[191],"is":[192],"available":[193],"at":[194],"https://github.com/microsoft/BIPIA.":[195]},"counts_by_year":[{"year":2026,"cited_by_count":3},{"year":2025,"cited_by_count":15},{"year":2024,"cited_by_count":1}],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2025-10-10T00:00:00"}
