{"id":"https://openalex.org/W4416037246","doi":"https://doi.org/10.18653/v1/2025.emnlp-main.53","title":"IPIGuard: A Novel Tool Dependency Graph-Based Defense Against Indirect Prompt Injection in LLM Agents","display_name":"IPIGuard: A Novel Tool Dependency Graph-Based Defense Against Indirect Prompt Injection in LLM Agents","publication_year":2025,"publication_date":"2025-01-01","ids":{"openalex":"https://openalex.org/W4416037246","doi":"https://doi.org/10.18653/v1/2025.emnlp-main.53"},"language":null,"primary_location":{"id":"doi:10.18653/v1/2025.emnlp-main.53","is_oa":true,"landing_page_url":"https://doi.org/10.18653/v1/2025.emnlp-main.53","pdf_url":"https://aclanthology.org/2025.emnlp-main.53.pdf","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://aclanthology.org/2025.emnlp-main.53.pdf","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5103723599","display_name":"Huining An","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Hengyu An","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5046749777","display_name":"J.Y. Zhang","orcid":"https://orcid.org/0000-0003-1700-7957"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jinghuai Zhang","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5051764747","display_name":"Tianyu Du","orcid":"https://orcid.org/0000-0002-7006-606X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Tianyu Du","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5039517524","display_name":"Chunyi Zhou","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chunyi Zhou","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5075329055","display_name":"Qingming Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Qingming Li","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5044425415","display_name":"Tao Lin","orcid":"https://orcid.org/0000-0003-0850-2294"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Tao Lin","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5058611515","display_name":"Shouling Ji","orcid":"https://orcid.org/0000-0003-4268-372X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Shouling Ji","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5103723599"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.17457162,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"1023","last_page":"1039"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.1736000031232834,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.1736000031232834,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.14869999885559082,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10270","display_name":"Blockchain Technology Applications and Security","score":0.0828000009059906,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/dependency","display_name":"Dependency (UML)","score":0.4648999869823456},{"id":"https://openalex.org/keywords/component","display_name":"Component (thermodynamics)","score":0.26080000400543213},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.23569999635219574},{"id":"https://openalex.org/keywords/perspective","display_name":"Perspective (graphical)","score":0.22789999842643738}],"concepts":[{"id":"https://openalex.org/C19768560","wikidata":"https://www.wikidata.org/wiki/Q320727","display_name":"Dependency (UML)","level":2,"score":0.4648999869823456},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.41999998688697815},{"id":"https://openalex.org/C71924100","wikidata":"https://www.wikidata.org/wiki/Q11190","display_name":"Medicine","level":0,"score":0.3926999866962433},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.3142000138759613},{"id":"https://openalex.org/C177713679","wikidata":"https://www.wikidata.org/wiki/Q679690","display_name":"Intensive care medicine","level":1,"score":0.2630999982357025},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.26080000400543213},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.23569999635219574},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.23019999265670776},{"id":"https://openalex.org/C12713177","wikidata":"https://www.wikidata.org/wiki/Q1900281","display_name":"Perspective (graphical)","level":2,"score":0.22789999842643738},{"id":"https://openalex.org/C2780791683","wikidata":"https://www.wikidata.org/wiki/Q846785","display_name":"Action (physics)","level":2,"score":0.21819999814033508}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.18653/v1/2025.emnlp-main.53","is_oa":true,"landing_page_url":"https://doi.org/10.18653/v1/2025.emnlp-main.53","pdf_url":"https://aclanthology.org/2025.emnlp-main.53.pdf","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.18653/v1/2025.emnlp-main.53","is_oa":true,"landing_page_url":"https://doi.org/10.18653/v1/2025.emnlp-main.53","pdf_url":"https://aclanthology.org/2025.emnlp-main.53.pdf","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1121271761","display_name":null,"funder_award_id":"Program","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G1198879025","display_name":null,"funder_award_id":"2024M762829","funder_id":"https://openalex.org/F4320321543","funder_display_name":"China Postdoctoral Science Foundation"},{"id":"https://openalex.org/G1231421488","display_name":null,"funder_award_id":"under","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G2082826544","display_name":null,"funder_award_id":"Postdoctoral","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G2087396116","display_name":null,"funder_award_id":"China","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G2273800250","display_name":null,"funder_award_id":"NSFC-","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G3317480652","display_name":null,"funder_award_id":"Science","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G391238517","display_name":null,"funder_award_id":", and","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G4020255992","display_name":null,"funder_award_id":"Project","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G4644492335","display_name":null,"funder_award_id":"62402418","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G4676315439","display_name":null,"funder_award_id":", NSFC-","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G8283732743","display_name":null,"funder_award_id":"U244120033","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320321543","display_name":"China Postdoctoral Science Foundation","ror":"https://ror.org/0426zh255"},{"id":"https://openalex.org/F4320335777","display_name":"National Key Research and Development Program of China","ror":null}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4416037246.pdf","grobid_xml":"https://content.openalex.org/works/W4416037246.grobid-xml"},"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Large":[0],"language":[1],"model":[2],"(LLM)":[3],"agents":[4,97],"are":[5],"widely":[6],"deployed":[7],"in":[8,207],"real-world":[9],"applications,":[10],"where":[11],"they":[12,78],"leverage":[13],"tools":[14],"to":[15,49,55,102,108],"retrieve":[16],"and":[17,47,195],"manipulate":[18],"external":[19,164],"data":[20,28],"for":[21,200],"complex":[22],"tasks.However,":[23],"when":[24],"interacting":[25],"with":[26,163],"untrusted":[27],"sources":[29],"(e.g.,":[30],"fetching":[31],"information":[32],"from":[33,161],"public":[34],"websites),":[35],"tool":[36,103,123,170],"responses":[37],"may":[38],"contain":[39],"injected":[40,174],"instructions":[41],"that":[42,112,187],"covertly":[43],"influence":[44],"agent":[45,93],"behaviors":[46],"lead":[48],"malicious":[50,122],"outcomes,":[51],"a":[52,95,130,148,151,190],"threat":[53],"referred":[54],"as":[56,147],"Indirect":[57],"Prompt":[58],"Injection":[59],"(IPI).Existing":[60],"defenses":[61],"typically":[62],"rely":[63,80],"on":[64,81,92,182],"advanced":[65],"prompting":[66],"strategies":[67],"or":[68],"auxiliary":[69],"detection":[70],"models.While":[71],"these":[72],"methods":[73],"have":[74],"demonstrated":[75],"some":[76],"effectiveness,":[77],"fundamentally":[79],"assumptions":[82],"about":[83],"the":[84,115,119,126,142,183,198,201],"model's":[85],"inherent":[86],"security,":[87],"which":[88,140],"lacks":[89],"structural":[90],"constraints":[91],"behaviors.As":[94],"result,":[96],"still":[98],"retain":[99],"unrestricted":[100],"access":[101],"invocations,":[104],"leaving":[105],"them":[106],"vulnerable":[107],"stronger":[109],"attack":[110],"vectors":[111],"can":[113],"bypass":[114],"security":[116],"guardrails":[117],"of":[118,203],"model.To":[120],"prevent":[121],"invocations":[124,171],"at":[125],"source,":[127],"we":[128],"propose":[129],"novel":[131],"defensive":[132],"task":[133,144],"execution":[134,145],"paradigm,":[135],"called":[136],"IPIGUARD":[137,166,188],"1":[138],",":[139],"models":[141],"agents'":[143],"process":[146],"traversal":[149],"over":[150],"planned":[152],"Tool":[153],"Dependency":[154],"Graph":[155],"(TDG).By":[156],"explicitly":[157],"decoupling":[158],"action":[159],"planning":[160],"interaction":[162],"data,":[165],"significantly":[167],"reduces":[168],"unintended":[169],"triggered":[172],"by":[173],"instructions,":[175],"thereby":[176],"enhancing":[177],"robustness":[178],"against":[179],"IPI":[180],"attacks.Experiments":[181],"AgentDojo":[184],"benchmark":[185],"show":[186],"achieves":[189],"superior":[191],"balance":[192],"between":[193],"effectiveness":[194],"robustness,":[196],"paving":[197],"way":[199],"development":[202],"safer":[204],"agentic":[205],"systems":[206],"dynamic":[208],"environments.":[209]},"counts_by_year":[],"updated_date":"2026-04-15T08:11:43.952461","created_date":"2025-11-08T00:00:00"}