{"id":"https://openalex.org/W7135043996","doi":"https://doi.org/10.48550/arxiv.2603.10749","title":"AttriGuard: Defeating Indirect Prompt Injection in LLM Agents via Causal Attribution of Tool Invocations","display_name":"AttriGuard: Defeating Indirect Prompt Injection in LLM Agents via Causal Attribution of Tool Invocations","publication_year":2026,"publication_date":"2026-03-11","ids":{"openalex":"https://openalex.org/W7135043996","doi":"https://doi.org/10.48550/arxiv.2603.10749"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.10749","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.10749","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.10749","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5128819158","display_name":"Yu He","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"He, Yu","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037971089","display_name":"Haozhe Zhu","orcid":"https://orcid.org/0000-0002-6412-3996"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhu, Haozhe","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128875420","display_name":"Yiming Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Yiming","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128917746","display_name":"Shuo Shao","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Shao, Shuo","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128901357","display_name":"Hongwei Yao","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yao, Hongwei","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128842198","display_name":"Zhihao Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Zhihao","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5128828695","display_name":"Zhan Qin","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Qin, Zhan","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5128819158"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.902400016784668,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.902400016784668,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.061000000685453415,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.015799999237060547,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/counterfactual-thinking","display_name":"Counterfactual thinking","score":0.7181000113487244},{"id":"https://openalex.org/keywords/attribution","display_name":"Attribution","score":0.4884999990463257},{"id":"https://openalex.org/keywords/control","display_name":"Control (management)","score":0.47290000319480896},{"id":"https://openalex.org/keywords/shadow","display_name":"Shadow (psychology)","score":0.4648999869823456},{"id":"https://openalex.org/keywords/causality","display_name":"Causality (physics)","score":0.4002000093460083},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.39980000257492065},{"id":"https://openalex.org/keywords/fuzz-testing","display_name":"Fuzz testing","score":0.3905999958515167},{"id":"https://openalex.org/keywords/semantics","display_name":"Semantics (computer science)","score":0.34940001368522644}],"concepts":[{"id":"https://openalex.org/C108650721","wikidata":"https://www.wikidata.org/wiki/Q1783253","display_name":"Counterfactual thinking","level":2,"score":0.7181000113487244},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6589999794960022},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6025000214576721},{"id":"https://openalex.org/C143299363","wikidata":"https://www.wikidata.org/wiki/Q900584","display_name":"Attribution","level":2,"score":0.4884999990463257},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.47290000319480896},{"id":"https://openalex.org/C117797892","wikidata":"https://www.wikidata.org/wiki/Q286363","display_name":"Shadow (psychology)","level":2,"score":0.4648999869823456},{"id":"https://openalex.org/C64357122","wikidata":"https://www.wikidata.org/wiki/Q1149766","display_name":"Causality (physics)","level":2,"score":0.4002000093460083},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.39980000257492065},{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.3905999958515167},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.34940001368522644},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.33869999647140503},{"id":"https://openalex.org/C2779585090","wikidata":"https://www.wikidata.org/wiki/Q3457762","display_name":"Resilience (materials science)","level":2,"score":0.33559998869895935},{"id":"https://openalex.org/C153180980","wikidata":"https://www.wikidata.org/wiki/Q19776675","display_name":"Commit","level":2,"score":0.3255999982357025},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.32179999351501465},{"id":"https://openalex.org/C98184364","wikidata":"https://www.wikidata.org/wiki/Q1780131","display_name":"Argument (complex analysis)","level":2,"score":0.31279999017715454},{"id":"https://openalex.org/C2776544517","wikidata":"https://www.wikidata.org/wiki/Q189447","display_name":"Unexpected events","level":2,"score":0.30059999227523804},{"id":"https://openalex.org/C2780791683","wikidata":"https://www.wikidata.org/wiki/Q846785","display_name":"Action (physics)","level":2,"score":0.2897000014781952},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.2874999940395355},{"id":"https://openalex.org/C2779662365","wikidata":"https://www.wikidata.org/wiki/Q5416694","display_name":"Event (particle physics)","level":2,"score":0.27140000462532043},{"id":"https://openalex.org/C58166","wikidata":"https://www.wikidata.org/wiki/Q224821","display_name":"Fuzzy logic","level":2,"score":0.26759999990463257},{"id":"https://openalex.org/C2909950764","wikidata":"https://www.wikidata.org/wiki/Q17126141","display_name":"Active monitoring","level":2,"score":0.265500009059906},{"id":"https://openalex.org/C166151441","wikidata":"https://www.wikidata.org/wiki/Q4923601","display_name":"Causation","level":2,"score":0.26019999384880066}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.10749","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.10749","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.10749","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.10749","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Reduced inequalities","score":0.5941476225852966,"id":"https://metadata.un.org/sdg/10"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"LLM":[0,146],"agents":[1,51],"are":[2],"highly":[3],"vulnerable":[4],"to":[5,19,36,38,65,121,128,145],"Indirect":[6],"Prompt":[7],"Injection":[8],"(IPI),":[9],"where":[10,179],"adversaries":[11],"embed":[12],"malicious":[13],"directives":[14],"in":[15,177],"untrusted":[16,79],"tool":[17,57,67,98],"outputs":[18],"hijack":[20],"execution.":[21],"Most":[22],"existing":[23],"defenses":[24,181],"treat":[25],"IPI":[26],"as":[27],"an":[28],"input-level":[29],"semantic":[30],"discrimination":[31],"problem,":[32],"which":[33,49],"often":[34],"fails":[35],"generalize":[37],"unseen":[39],"payloads.":[40],"We":[41,81],"propose":[42],"a":[43,55,87,109,138],"new":[44],"paradigm,":[45],"action-level":[46],"causal":[47],"attribution,":[48],"secures":[50],"by":[52,70,78,104],"asking":[53],"why":[54],"particular":[56],"call":[58],"is":[59,64,143],"produced.":[60],"The":[61],"central":[62],"goal":[63],"distinguish":[66],"calls":[68],"supported":[69],"the":[71,106],"user's":[72],"intent":[73],"from":[74],"those":[75],"causally":[76],"driven":[77],"observations.":[80,114],"instantiate":[82],"this":[83],"paradigm":[84],"with":[85,162],"AttriGuard,":[86],"runtime":[88],"defense":[89],"based":[90],"on":[91],"parallel":[92],"counterfactual":[93],"tests.":[94],"For":[95],"each":[96],"proposed":[97],"call,":[99],"AttriGuard":[100,116,155],"verifies":[101],"its":[102],"necessity":[103],"re-executing":[105],"agent":[107,153],"under":[108,159,173],"control-attenuated":[110],"view":[111],"of":[112],"external":[113],"Technically,":[115],"combines":[117],"teacher-forced":[118],"shadow":[119],"replay":[120],"prevent":[122],"attribution":[123],"confounding,":[124],"hierarchical":[125],"control":[126,131],"attenuation":[127],"suppress":[129],"diverse":[130],"channels":[132],"while":[133],"preserving":[134],"task-relevant":[135],"information,":[136],"and":[137,151,166],"fuzzy":[139],"survival":[140],"criterion":[141],"that":[142],"robust":[144],"stochasticity.":[147],"Across":[148],"four":[149],"LLMs":[150],"two":[152],"benchmarks,":[154],"achieves":[156],"0%":[157],"ASR":[158],"static":[160],"attacks":[161,176],"negligible":[163],"utility":[164],"loss":[165],"moderate":[167],"overhead.":[168],"Importantly,":[169],"it":[170],"remains":[171],"resilient":[172],"adaptive":[174],"optimization-based":[175],"settings":[178],"leading":[180],"degrade":[182],"significantly.":[183]},"counts_by_year":[],"updated_date":"2026-03-13T14:25:03.468858","created_date":"2026-03-13T00:00:00"}