{"id":"https://openalex.org/W4416035960","doi":"https://doi.org/10.18653/v1/2025.findings-emnlp.157","title":"DemonAgent: Dynamically Encrypted Multi-Backdoor Implantation Attack on LLM-based Agent","display_name":"DemonAgent: Dynamically Encrypted Multi-Backdoor Implantation Attack on LLM-based Agent","publication_year":2025,"publication_date":"2025-01-01","ids":{"openalex":"https://openalex.org/W4416035960","doi":"https://doi.org/10.18653/v1/2025.findings-emnlp.157"},"language":null,"primary_location":{"id":"doi:10.18653/v1/2025.findings-emnlp.157","is_oa":true,"landing_page_url":"https://doi.org/10.18653/v1/2025.findings-emnlp.157","pdf_url":"https://aclanthology.org/2025.findings-emnlp.157.pdf","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Findings of the Association for Computational Linguistics: EMNLP 2025","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://aclanthology.org/2025.findings-emnlp.157.pdf","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5041358046","display_name":"Pengyu Zhu","orcid":"https://orcid.org/0000-0002-0892-3606"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Pengyu Zhu","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102495024","display_name":"Zhenhong Zhou","orcid":"https://orcid.org/0000-0001-9801-2218"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhenhong Zhou","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5089416195","display_name":"Y Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yuanhe Zhang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":null,"display_name":"Shilinlu Yan","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Shilinlu Yan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101741806","display_name":"Kun Wang","orcid":"https://orcid.org/0000-0002-0885-4022"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Kun Wang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5036865453","display_name":"Sen Su","orcid":"https://orcid.org/0000-0003-4266-7527"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Sen Su","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":6,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":1.7378,"has_fulltext":true,"cited_by_count":1,"citation_normalized_percentile":{"value":0.87249619,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":95,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"2890","last_page":"2912"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12122","display_name":"Physical Unclonable Functions (PUFs) and Hardware Security","score":0.17679999768733978,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12122","display_name":"Physical Unclonable Functions (PUFs) and Hardware Security","score":0.17679999768733978,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.15919999778270721,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11800","display_name":"User Authentication and Security Systems","score":0.10779999941587448,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/encryption","display_name":"Encryption","score":0.47679999470710754},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.3303999900817871},{"id":"https://openalex.org/keywords/cryptography","display_name":"Cryptography","score":0.31540000438690186},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.30720001459121704}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6322000026702881},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.47679999470710754},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4189000129699707},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.3303999900817871},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.31540000438690186},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.30720001459121704},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.2736000120639801},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.23100000619888306},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.22630000114440918},{"id":"https://openalex.org/C147494362","wikidata":"https://www.wikidata.org/wiki/Q2078905","display_name":"Troubleshooting","level":2,"score":0.22509999573230743}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.18653/v1/2025.findings-emnlp.157","is_oa":true,"landing_page_url":"https://doi.org/10.18653/v1/2025.findings-emnlp.157","pdf_url":"https://aclanthology.org/2025.findings-emnlp.157.pdf","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Findings of the Association for Computational Linguistics: EMNLP 2025","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.18653/v1/2025.findings-emnlp.157","is_oa":true,"landing_page_url":"https://doi.org/10.18653/v1/2025.findings-emnlp.157","pdf_url":"https://aclanthology.org/2025.findings-emnlp.157.pdf","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Findings of the Association for Computational Linguistics: EMNLP 2025","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G8521681689","display_name":null,"funder_award_id":"62372051","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320335777","display_name":"National Key Research and Development Program of China","ror":null}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4416035960.pdf","grobid_xml":"https://content.openalex.org/works/W4416035960.grobid-xml"},"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"As":[0],"LLM-based":[1],"agents":[2],"become":[3],"increasingly":[4],"prevalent,":[5],"triggers":[6],"implanted":[7],"in":[8,24,45,140,152],"user":[9],"queries":[10],"or":[11],"environment":[12],"feedback":[13],"can":[14],"activate":[15],"hidden":[16],"backdoors,":[17],"raising":[18],"critical":[19],"concerns":[20],"about":[21],"safety":[22,33,47,77,98,142,150],"vulnerabilities":[23],"agents.However,":[25],"traditional":[26],"backdoor":[27,55,71,85,113,165],"attacks":[28],"are":[29,94],"often":[30],"detectable":[31],"by":[32],"audits":[34,99],"that":[35,120],"analyze":[36],"the":[37,70,84,108,146,157],"reasoning":[38],"process":[39],"of":[40,111,135,148],"agents,":[41],"hindering":[42],"further":[43,82],"progress":[44],"agent":[46,112],"research.To":[48],"this":[49],"end,":[50],"we":[51,64,81,101],"propose":[52],"a":[53,104,132],"novel":[54],"implantation":[56],"strategy":[57],"called":[58],"Dynamically":[59],"Encrypted":[60],"Multi-Backdoor":[61],"Implantation":[62],"Attack.Specifically,":[63],"introduce":[65],"dynamic":[66],"encryption,":[67],"which":[68],"maps":[69],"into":[72,86],"benign":[73],"content,":[74],"effectively":[75],"circumventing":[76],"audits.To":[78],"enhance":[79],"stealthiness,":[80],"decompose":[83],"multiple":[87,117],"subbackdoor":[88],"fragments.Based":[89],"on":[90],"these":[91],"advancements,":[92],"backdoors":[93],"allowed":[95],"to":[96],"bypass":[97],"significantly.Additionally,":[100],"present":[102],"AgentBackdoorEval,":[103],"dataset":[105],"designed":[106],"for":[107,160],"comprehensive":[109],"evaluation":[110],"attacks.Experimental":[114],"results":[115],"across":[116],"datasets":[118],"demonstrate":[119],"our":[121],"method":[122],"achieves":[123],"an":[124],"attack":[125],"success":[126],"rate":[127,134],"approaching":[128],"100%":[129],"while":[130],"maintaining":[131],"detection":[133],"0%,":[136],"illustrating":[137],"its":[138],"effectiveness":[139],"evading":[141],"audits.Our":[143],"findings":[144],"highlight":[145],"limitations":[147],"existing":[149],"mechanisms":[151],"detecting":[153],"advanced":[154],"attacks,":[155],"underscoring":[156],"urgent":[158],"need":[159],"more":[161],"robust":[162],"defenses":[163],"against":[164],"threats.":[166]},"counts_by_year":[{"year":2026,"cited_by_count":1}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-11-08T00:00:00"}