{"id":"https://openalex.org/W7160448311","doi":"https://doi.org/10.48550/arxiv.2605.03378","title":"ARGUS: Defending LLM Agents Against Context-Aware Prompt Injection","display_name":"ARGUS: Defending LLM Agents Against Context-Aware Prompt Injection","publication_year":2026,"publication_date":"2026-05-05","ids":{"openalex":"https://openalex.org/W7160448311","doi":"https://doi.org/10.48550/arxiv.2605.03378"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.03378","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.03378","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.03378","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5135528480","display_name":"Shihao Weng","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Weng, Shihao","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135430169","display_name":"Yang Feng","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Feng, Yang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135419980","display_name":"Jinrui Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Jinrui","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135443825","display_name":"Xiaofei Xie","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xie, Xiaofei","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5058013874","display_name":"Jiongchi Yu","orcid":"https://orcid.org/0000-0002-2888-4499"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yu, Jiongchi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5135485542","display_name":"Jia Liu","orcid":"https://orcid.org/0000-0001-8104-0079"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Jia","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5135528480"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.42489999532699585,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.42489999532699585,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.14100000262260437,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T12026","display_name":"Explainable Artificial Intelligence (XAI)","score":0.06310000270605087,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.5652999877929688},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.4828999936580658},{"id":"https://openalex.org/keywords/audit","display_name":"Audit","score":0.460999995470047},{"id":"https://openalex.org/keywords/trustworthiness","display_name":"Trustworthiness","score":0.41589999198913574},{"id":"https://openalex.org/keywords/benchmark","display_name":"Benchmark (surveying)","score":0.4129999876022339}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7236999869346619},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.647599995136261},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.5652999877929688},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.4828999936580658},{"id":"https://openalex.org/C199521495","wikidata":"https://www.wikidata.org/wiki/Q181487","display_name":"Audit","level":2,"score":0.460999995470047},{"id":"https://openalex.org/C153701036","wikidata":"https://www.wikidata.org/wiki/Q659974","display_name":"Trustworthiness","level":2,"score":0.41589999198913574},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.4129999876022339},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.38909998536109924},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.35589998960494995},{"id":"https://openalex.org/C41550386","wikidata":"https://www.wikidata.org/wiki/Q529909","display_name":"Multi-agent system","level":2,"score":0.32910001277923584},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.27070000767707825}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.03378","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.03378","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.03378","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.03378","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"The":[0],"rise":[1],"of":[2,115],"Large":[3],"Language":[4],"Model":[5],"(LLM)":[6],"agents,":[7],"augmented":[8],"with":[9],"tool":[10],"use,":[11],"skills,":[12],"and":[13,44,65,70,94,131,141,202,233],"external":[14],"knowledge,":[15],"has":[16],"introduced":[17],"new":[18],"security":[19],"risks.":[20],"Among":[21],"them,":[22],"prompt":[23,133],"injection":[24,134],"attacks,":[25],"where":[26,81],"adversaries":[27,95],"embed":[28],"malicious":[29],"instructions":[30],"into":[31,199],"the":[32,38,56,66,91,113],"agent":[33,57,82,117,200],"workflow,":[34],"have":[35],"emerged":[36],"as":[37,49],"primary":[39],"threat.":[40],"However,":[41],"existing":[42,104,153,231],"benchmarks":[43],"defenses":[45,105,154,232],"are":[46,68],"fundamentally":[47],"limited":[48],"they":[50,75],"assume":[51],"context-insensitive":[52],"settings":[53],"in":[54,157,166],"which":[55],"works":[58],"under":[59],"a":[60,73,125,176,205],"fully":[61],"specified":[62],"user":[63,92],"instruction,":[64],"attacks":[67,99,165],"straightforward":[69],"context-independent.":[71],"As":[72],"result,":[74],"fail":[76],"to":[77,100,193,222],"capture":[78],"real-world":[79,116],"deployments":[80],"behavior":[83],"usually":[84],"depends":[85],"on":[86,107],"dynamic":[87],"context,":[88],"not":[89],"just":[90],"prompt,":[93],"can":[96],"adapt":[97],"their":[98],"different":[101],"context.":[102],"Similarly,":[103],"built":[106],"this":[108,120,158,171],"narrow":[109],"threat":[110],"model":[111],"overlook":[112],"nature":[114],"delegation.":[118],"In":[119],"paper,":[121],"we":[122,173],"present":[123],"AgentLure,":[124],"benchmark":[126],"that":[127,152,179],"captures":[128],"context-dependent":[129],"tasks":[130],"context-aware":[132],"attacks.":[135],"AgentLure":[136],"spans":[137],"four":[138],"agentic":[139,167],"domains":[140],"eight":[142],"attack":[143,147,219],"vectors":[144],"across":[145],"diverse":[146],"surfaces.":[148],"Our":[149,214],"evaluation":[150,215],"shows":[151,216],"often":[155],"struggle":[156],"setting,":[159],"yielding":[160],"poor":[161],"performance":[162],"against":[163,236],"such":[164],"systems.":[168],"To":[169],"address":[170],"limitation,":[172],"propose":[174],"ARGUS,":[175],"defense":[177],"mechanism":[178],"enforces":[180],"provenance-aware":[181],"decision":[182,206],"auditing":[183],"for":[184],"LLM":[185],"agents.":[186],"ARGUS":[187,217],"constructs":[188],"an":[189],"influence":[190],"provenance":[191],"graph":[192],"track":[194],"how":[195],"untrusted":[196],"context":[197],"propagates":[198],"decisions":[201],"verify":[203],"whether":[204],"is":[207],"justified":[208],"by":[209],"trustworthy":[210],"evidence":[211],"before":[212],"execution.":[213],"reduces":[218],"success":[220],"rate":[221],"3.8%":[223],"while":[224],"preserving":[225],"87.5%":[226],"task":[227],"utility,":[228],"significantly":[229],"outperforming":[230],"remaining":[234],"robust":[235],"adaptive":[237],"white-box":[238],"adversaries.":[239]},"counts_by_year":[],"updated_date":"2026-05-07T06:12:12.454206","created_date":"2026-05-07T00:00:00"}