{"id":"https://openalex.org/W7139004531","doi":"https://doi.org/10.48550/arxiv.2603.17239","title":"LAAF: Logic-layer Automated Attack Framework A Systematic Red-Teaming Methodology for LPCI Vulnerabilities in Agentic Large Language Model Systems","display_name":"LAAF: Logic-layer Automated Attack Framework A Systematic Red-Teaming Methodology for LPCI Vulnerabilities in Agentic Large Language Model Systems","publication_year":2026,"publication_date":"2026-03-18","ids":{"openalex":"https://openalex.org/W7139004531","doi":"https://doi.org/10.48550/arxiv.2603.17239"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.17239","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.17239","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.17239","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5119554364","display_name":"Hammad Atta","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Atta, Hammad","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129783443","display_name":"Ken Huang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Huang, Ken","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129871322","display_name":"Kyriakos Rock Lambros","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lambros, Kyriakos Rock","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130140512","display_name":"Yasir Mehmood","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Mehmood, Yasir","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130209931","display_name":"Zeeshan Baig","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Baig, Zeeshan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130093678","display_name":"Mohamed Abdur Rahman","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Rahman, Mohamed Abdur","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130209146","display_name":"Manish Bhatt","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Bhatt, Manish","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129840024","display_name":"M. Aziz Ul Haq","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Haq, M. Aziz Ul","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130202616","display_name":"Muhammad Aatif","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Aatif, Muhammad","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5119554367","display_name":"Nadeem Shahzad","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Shahzad, Nadeem","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129981700","display_name":"Kamal Noor","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Noor, Kamal","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5119849744","display_name":"Vineeth Sai Narajala","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Narajala, Vineeth Sai","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101877561","display_name":"Hazem Ismail Ali","orcid":"https://orcid.org/0000-0003-1342-4227"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ali, Hazem","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5130006606","display_name":"Jamel Abed","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Abed, Jamel","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":14,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.46050000190734863,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.46050000190734863,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.10700000077486038,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.05249999836087227,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/mirroring","display_name":"Mirroring","score":0.6247000098228455},{"id":"https://openalex.org/keywords/cognitive-reframing","display_name":"Cognitive reframing","score":0.43529999256134033},{"id":"https://openalex.org/keywords/taxonomy","display_name":"Taxonomy (biology)","score":0.41269999742507935},{"id":"https://openalex.org/keywords/chord","display_name":"Chord (peer-to-peer)","score":0.40389999747276306},{"id":"https://openalex.org/keywords/security-token","display_name":"Security token","score":0.4016999900341034},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.38519999384880066},{"id":"https://openalex.org/keywords/class","display_name":"Class (philosophy)","score":0.3652999997138977},{"id":"https://openalex.org/keywords/payload","display_name":"Payload (computing)","score":0.35920000076293945},{"id":"https://openalex.org/keywords/component","display_name":"Component (thermodynamics)","score":0.34700000286102295}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.65829998254776},{"id":"https://openalex.org/C189645446","wikidata":"https://www.wikidata.org/wiki/Q350865","display_name":"Mirroring","level":2,"score":0.6247000098228455},{"id":"https://openalex.org/C187029079","wikidata":"https://www.wikidata.org/wiki/Q958679","display_name":"Cognitive reframing","level":2,"score":0.43529999256134033},{"id":"https://openalex.org/C58642233","wikidata":"https://www.wikidata.org/wiki/Q8269924","display_name":"Taxonomy (biology)","level":2,"score":0.41269999742507935},{"id":"https://openalex.org/C194147245","wikidata":"https://www.wikidata.org/wiki/Q1076368","display_name":"Chord (peer-to-peer)","level":2,"score":0.40389999747276306},{"id":"https://openalex.org/C48145219","wikidata":"https://www.wikidata.org/wiki/Q1335365","display_name":"Security token","level":2,"score":0.4016999900341034},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.38519999384880066},{"id":"https://openalex.org/C2777212361","wikidata":"https://www.wikidata.org/wiki/Q5127848","display_name":"Class (philosophy)","level":2,"score":0.3652999997138977},{"id":"https://openalex.org/C134066672","wikidata":"https://www.wikidata.org/wiki/Q1424639","display_name":"Payload (computing)","level":3,"score":0.35920000076293945},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.34700000286102295},{"id":"https://openalex.org/C61352017","wikidata":"https://www.wikidata.org/wiki/Q211058","display_name":"Circuit breaker","level":2,"score":0.3346000015735626},{"id":"https://openalex.org/C4679612","wikidata":"https://www.wikidata.org/wiki/Q866298","display_name":"Aggregate (composite)","level":2,"score":0.32359999418258667},{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.3221000134944916},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.3124000132083893},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.29649999737739563},{"id":"https://openalex.org/C137293760","wikidata":"https://www.wikidata.org/wiki/Q3621696","display_name":"Language model","level":2,"score":0.29339998960494995},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.28780001401901245},{"id":"https://openalex.org/C59519942","wikidata":"https://www.wikidata.org/wiki/Q650665","display_name":"Drone","level":2,"score":0.2809999883174896},{"id":"https://openalex.org/C45235069","wikidata":"https://www.wikidata.org/wiki/Q278425","display_name":"Table (database)","level":2,"score":0.2750000059604645},{"id":"https://openalex.org/C115901376","wikidata":"https://www.wikidata.org/wiki/Q184199","display_name":"Automation","level":2,"score":0.25940001010894775},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.2549999952316284},{"id":"https://openalex.org/C94124525","wikidata":"https://www.wikidata.org/wiki/Q912550","display_name":"Categorization","level":2,"score":0.25429999828338623},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.25189998745918274}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.17239","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.17239","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.17239","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.17239","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Agentic":[0],"LLM":[1,169],"systems":[2],"equipped":[3],"with":[4,50,153,186,216],"persistent":[5],"memory,":[6],"RAG":[7],"pipelines,":[8],"and":[9,64,108,132,196,208],"external":[10],"tool":[11],"connectors":[12],"face":[13],"a":[14,86,113,134,154,187],"class":[15],"of":[16,116,157,192],"attacks":[17],"-":[18,24,54],"Logic-layer":[19],"Prompt":[20],"Control":[21],"Injection":[22],"(LPCI)":[23],"for":[25],"which":[26],"no":[27],"automated":[28,41],"red-teaming":[29,42],"instrument":[30],"existed.":[31],"We":[32],"present":[33],"LAAF":[34,83,177],"(Logic-layer":[35],"Automated":[36],"Attack":[37],"Framework),":[38],"the":[39,80,147,150,158,212],"first":[40],"framework":[43],"to":[44],"combine":[45],"an":[46],"LPCI-specific":[47],"technique":[48,107,214],"taxonomy":[49,88],"stage-sequential":[51],"seed":[52],"escalation":[53],"two":[55],"capabilities":[56],"absent":[57],"from":[58,79],"existing":[59],"tools:":[60],"Garak":[61],"lacks":[62],"memory-persistence":[63],"cross-session":[65],"triggering;":[66],"PyRIT":[67],"supports":[68],"multi-turn":[69],"testing":[70],"but":[71],"treats":[72],"turns":[73],"independently,":[74],"without":[75],"seeding":[76],"each":[77,145],"stage":[78,152],"prior":[81],"breakthrough.":[82],"provides:":[84],"(i)":[85],"49-technique":[87],"spanning":[89],"six":[90],"attack":[91],"categories":[92],"(Encoding~11,":[93],"Structural~8,":[94],"Semantic~8,":[95],"Layered~5,":[96],"Trigger~12,":[97],"Exfiltration~5;":[98],"see":[99],"Table":[100],"1),":[101],"combinable":[102],"across":[103,171,204],"5":[104,122],"variants":[105],"per":[106],"6":[109],"lifecycle":[110],"stages,":[111],"yielding":[112],"theoretical":[114],"maximum":[115],"2,822,400":[117],"unique":[118],"payloads":[119,218],"($49":[120],"\\times":[121,123,125],"1{,}920":[124],"6$;":[126],"SHA-256":[127],"deduplicated":[128],"at":[129],"generation":[130],"time);":[131],"(ii)":[133],"Persistent":[135],"Stage":[136],"Breaker":[137],"(PSB)":[138],"that":[139,176],"drives":[140],"payload":[141],"mutation":[142],"stage-by-stage:":[143],"on":[144,166,221],"breakthrough,":[146],"PSB":[148],"seeds":[149],"next":[151],"mutated":[155],"form":[156],"winning":[159],"payload,":[160],"mirroring":[161],"real":[162],"adversarial":[163],"escalation.":[164],"Evaluation":[165],"five":[167],"production":[168],"platforms":[170],"three":[172],"independent":[173],"runs":[174],"demonstrates":[175],"achieves":[178],"higher":[179],"stage-breakthrough":[180],"efficiency":[181],"than":[182],"single-technique":[183],"random":[184],"testing,":[185],"mean":[188],"aggregate":[189],"breakthrough":[190],"rate":[191],"84\\%":[193],"(range":[194],"83--86\\%)":[195],"platform-level":[197],"rates":[198],"stable":[199],"within":[200],"17":[201],"percentage":[202],"points":[203],"runs.":[205],"Layered":[206],"combinations":[207],"semantic":[209],"reframing":[210],"are":[211],"highest-effectiveness":[213],"categories,":[215],"layered":[217],"outperforming":[219],"encoding":[220],"well-defended":[222],"platforms.":[223]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-03-20T00:00:00"}