The reviewed record of science sign in
Pith

arxiv: 2605.29210 · v1 · pith:TNOJDUH4 · submitted 2026-05-28 · cs.CR

SAMD: A Tool for Identifying False Data Injection Scenarios in AI/ML-enabled Medical Devices

Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel 2026-06-29 07:13 UTCgrok-4.3pith:TNOJDUH4record.jsonopen to challenge →

classification cs.CR
keywords false data injectionAI securitymedical devicesattack scenario generationvulnerability analysiscontrol structure modelingFDA-cleared devicesautomated security tool
0
0 comments X

The pith

SAMD automates identification of false data injection risks in AI/ML medical devices by modeling them as control structures and using vulnerability databases with language models.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces SAMD to perform security analysis on AI-enabled medical devices at the design stage, before users assemble the full system. It treats every component as a possible entry point for feeding false data into the machine learning engine, which could lead to misdiagnosis. The tool pulls known vulnerabilities from databases and uses language models to produce detailed lists of attack scenarios an adversary might follow. This approach matters because many risks only become visible once devices are in actual use. If the method works as described, device makers could spot and close injection paths earlier in development.

Core claim

SAMD models the medical system as a control structure in which all components are potential points for injecting false data into the ML engine. It combines vulnerability databases with large language models to automate discovery of weaknesses and to generate lists of potential attack scenarios that include concrete steps an adversary could take. Case studies on five FDA-cleared devices show the tool identifies target device technologies with 100 percent precision, retrieves linked known vulnerabilities with 63.2 percent precision, and produces highly relevant attack scenarios with 95.3 percent accuracy.

What carries the argument

The SAMD tool that represents the medical device as a control structure, treats every component as a possible false-data entry point into the ML model, and automates vulnerability lookup plus attack-scenario generation through databases and language models.

If this is right

  • Device designers can locate vulnerable points and injection paths into the ML model before the system reaches end users.
  • Detailed adversary steps for each scenario become available automatically during the design phase.
  • Known vulnerabilities tied to specific device technologies are surfaced for review with measurable retrieval rates.
  • The same process scales across multiple FDA-cleared devices without manual re-analysis of each component.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same control-structure modeling could be applied to other safety-critical AI systems that combine hardware and software at deployment time.
  • Regulatory bodies might incorporate automated scenario lists as part of pre-market security reviews for AI medical devices.
  • Connecting the output directly to patch-management systems could shorten the time between scenario discovery and mitigation.
  • Extending the approach to include runtime monitoring data might allow ongoing updates to the attack scenario list after deployment.

Load-bearing premise

The generated attack scenarios accurately reflect what real adversaries could achieve, based on the authors' assessment of relevance rather than separate external testing.

What would settle it

An independent red-team test on one of the five case-study devices in which security experts attempt the scenarios produced by SAMD and report how many succeed or match the generated steps.

Figures

Figures reproduced from arXiv: 2605.29210 by Athish Pranav Dharmalingam, Gargi Mitra, Homa Alemzadeh, Karthik Pattabiraman, Mohammadreza Hallajiyan, Shahrear Iqbal, Xueren Ge.

Figure 1
Figure 1. Figure 1: An example of BGMS including the peripheral devices [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Workflow of SAMD. Phases are highlighted in Bold. [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: SAMD prompt template for CVE record selection [PITH_FULL_IMAGE:figures/full_fig_p005_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: SAMD prompt template for generating attack steps [PITH_FULL_IMAGE:figures/full_fig_p005_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Comparison of output correctness among three LLMs [PITH_FULL_IMAGE:figures/full_fig_p007_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Example output of Attack Step Generator for IDx-DR. [PITH_FULL_IMAGE:figures/full_fig_p008_6.png] view at source ↗
read the original abstract

The growing integration of artificial intelligence (AI) and machine learning (ML) in medical systems requires effective measures to address emerging security risks. One such risk is that of adversaries introducing false data through vulnerable system components during inference, causing misdiagnosis and wrong treatments. These risks are challenging to anticipate and address in the design phase, as the system assembly partially occurs during actual use by end users. To address this concern, we introduce SAMD, an automated tool for performing System Theoretic Process Analysis for Security (STPA-Sec) on AI/ML-enabled medical devices during the design phase. SAMD models the medical system as a control structure, treating all system components as potential points for injecting false data into the ML engine. It leverages state-of-the-art vulnerability databases and Large Language Models (LLMs) to automate vulnerability discovery and generate a list of potential attack scenarios. We demonstrate SAMD's effectiveness through case studies on five FDA-cleared medical devices, showcasing its ability to identify vulnerable points and potential attack paths. We find that SAMD has 100% precision in identifying target device technologies in the case studies' documents, retrieves the known vulnerabilities linked to them (with 63.2% precision), and generates highly relevant attack scenarios on the ML model, including detailed steps that an adversary might take (with 95.3% accuracy, and the highest time taken being 191.64s).

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper introduces SAMD, a tool that automates STPA-Sec analysis for AI/ML-enabled medical devices by modeling systems as control structures, querying vulnerability databases, and using LLMs to identify false data injection points and generate attack scenarios. Case studies on five FDA-cleared devices claim 100% precision in identifying target device technologies from documentation, 63.2% precision in retrieving linked known vulnerabilities, and 95.3% accuracy in producing highly relevant attack scenarios with detailed adversary steps (maximum runtime 191.64 s).

Significance. If the evaluation methodology and external validation were provided and the metrics held under independent review, SAMD would represent a practical contribution to early-stage security analysis for regulated medical devices, where inference-time false data injection risks are difficult to anticipate manually. The combination of formal control-structure modeling with automated vulnerability lookup and scenario generation addresses a real gap in design-phase threat modeling for ML components.

major comments (2)
  1. [Abstract] Abstract: The central effectiveness claims rest on three quantitative metrics (100% technology identification precision, 63.2% vulnerability retrieval precision, 95.3% attack-scenario accuracy), yet the abstract supplies no description of the evaluation protocol, ground-truth construction, number of documents or scenarios assessed, blinding procedures, or whether relevance judgments were made solely by the authors versus external red-team reviewers. This omission is load-bearing because the paper's primary contribution is the demonstration of SAMD's utility via these results.
  2. [Abstract] Abstract / Results section: The 95.3% accuracy figure for 'highly relevant attack scenarios' is presented as evidence that the generated steps are actionable for adversaries, but no comparison against known real-world incidents, FDA-cleared device constraints, or STPA-Sec control-structure feasibility is described. Without such grounding, the metric functions as an internal plausibility score rather than a validated feasibility measure.
minor comments (1)
  1. [Abstract] The timing result (highest time taken 191.64 s) should specify the hardware, LLM model version, and whether the measurement includes database queries or only LLM generation.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on the abstract and evaluation details. We address each major comment below and will revise the manuscript accordingly to improve transparency.

read point-by-point responses
  1. Referee: [Abstract] Abstract: The central effectiveness claims rest on three quantitative metrics (100% technology identification precision, 63.2% vulnerability retrieval precision, 95.3% attack-scenario accuracy), yet the abstract supplies no description of the evaluation protocol, ground-truth construction, number of documents or scenarios assessed, blinding procedures, or whether relevance judgments were made solely by the authors versus external red-team reviewers. This omission is load-bearing because the paper's primary contribution is the demonstration of SAMD's utility via these results.

    Authors: We agree the abstract should summarize the evaluation setup. The metrics derive from case studies on five FDA-cleared devices: technology identification used device documentation as ground truth; vulnerability retrieval cross-referenced public databases for known links; scenario relevance was assessed by the authors for alignment with the STPA-Sec control structure and ML false-data-injection potential (no external reviewers or blinding). We will revise the abstract to include a concise description of the protocol, number of devices/scenarios, and judgment basis. revision: yes

  2. Referee: [Abstract] Abstract / Results section: The 95.3% accuracy figure for 'highly relevant attack scenarios' is presented as evidence that the generated steps are actionable for adversaries, but no comparison against known real-world incidents, FDA-cleared device constraints, or STPA-Sec control-structure feasibility is described. Without such grounding, the metric functions as an internal plausibility score rather than a validated feasibility measure.

    Authors: The 95.3% reflects author judgment of scenario relevance to the modeled control structure and ML component constraints. We did not compare to specific real-world incidents, as documented cases for these exact FDA-cleared devices are limited in public literature. The scenarios are explicitly tied to STPA-Sec control actions and retrieved vulnerabilities. We will revise the results section to clarify the metric's internal basis and add an explicit limitations paragraph on the absence of external incident validation. revision: partial

Circularity Check

0 steps flagged

No circularity; tool evaluation is empirical case-study reporting without self-referential derivations

full rationale

The paper describes SAMD as an automated STPA-Sec tool that models control structures, queries vulnerability databases, and uses LLMs to generate attack scenarios, then reports performance on five FDA-cleared device case studies (100% technology identification precision, 63.2% vulnerability retrieval precision, 95.3% scenario relevance accuracy). No equations, fitted parameters, predictions derived from inputs, self-citations, uniqueness theorems, or ansatzes appear in the provided text. The accuracy metric is an evaluation outcome on the generated scenarios rather than a quantity forced by construction from the method itself. This is a standard tool-description paper whose central claims rest on external case-study data rather than any closed loop.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Abstract-only review; no explicit free parameters, axioms, or invented entities are stated beyond the implicit modeling choice of treating all components as injection points.

axioms (1)
  • domain assumption STPA-Sec is a suitable framework for modeling false data injection risks in AI/ML medical devices
    The tool is built directly on this modeling approach as described in the abstract.

pith-pipeline@v0.9.1-grok · 5816 in / 1387 out tokens · 29198 ms · 2026-06-29T07:13:37.206764+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

60 extracted references · 3 canonical work pages · 2 internal anchors

  1. [1]

    Principles and Perspectives in Medical Diagnostic Systems Employing Artificial Intel- ligence (AI) Algorithms,

    M. Tariq, Y . Hayat, A. Hussain, A. Tariq, and S. Rasool, “Principles and Perspectives in Medical Diagnostic Systems Employing Artificial Intel- ligence (AI) Algorithms,”International Research Journal of Economics and Management Studies, vol. 3, no. 1, pp. 376–398, 2024

  2. [2]

    Artificial Intelligence and Machine Learning (AI/ML)-Enabled Medical Devices,

    U.S. FDA, “Artificial Intelligence and Machine Learning (AI/ML)-Enabled Medical Devices,” 2023. [Online]. Available: https://www.fda.gov/medical-devices/software-medical-device- samd/artificial-intelligence-and-machine-learning-aiml-enabled- medical-devices

  3. [3]

    NuVasive Pulse System,

    ——, “NuVasive Pulse System,” 2024. [Online]. Available: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfpmn/pmn.cfm? ID=K180038

  4. [4]

    One Drop Blood Glucose Mon- itoring System,

    ——, “One Drop Blood Glucose Mon- itoring System,” 2024. [Online]. Available: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfpmn/pmn.cfm? ID=K161834

  5. [5]

    Adversarial Attacks to Machine Learning-Based Smart Healthcare Systems,

    A. I. Newaz, N. I. Haque, A. K. Sikder, M. A. Rahman, and A. S. Ulua- gac, “Adversarial Attacks to Machine Learning-Based Smart Healthcare Systems,” inIEEE GLOBECOM ’20, 2020, pp. 1–6

  6. [6]

    Threats to Training: A Survey of Poisoning Attacks and Defenses on Machine Learning Systems,

    Z. Wang, J. Ma, X. Wang, J. Hu, Z. Qin, and K. Ren, “Threats to Training: A Survey of Poisoning Attacks and Defenses on Machine Learning Systems,”ACM Comput. Surv., vol. 55, no. 7, 2022

  7. [7]

    Explainable Artificial Intelligence (XAI): Concepts, taxonomies, opportunities and challenges toward responsible AI,

    A. Barredo Arrieta, N. D ´ıaz-Rodr´ıguez, J. Del Ser, A. Bennetot, S. Tabik, A. Barbado, S. Garcia, S. Gil-Lopez, D. Molina, R. Benjamins, R. Chatila, and F. Herrera, “Explainable Artificial Intelligence (XAI): Concepts, taxonomies, opportunities and challenges toward responsible AI,”Information Fusion, vol. 58, pp. 82–115, 2020

  8. [8]

    Secure and Robust Machine Learning for Healthcare: A Survey,

    A. Qayyum, J. Qadir, M. Bilal, and A. Al-Fuqaha, “Secure and Robust Machine Learning for Healthcare: A Survey,”IEEE Reviews in Biomed- ical Engineering, vol. 14, pp. 156–180, 2021

  9. [9]

    Protected or porous: a comparative analysis of threat detection capability of iot safeguards,

    A. M. Mandalari, H. Haddadi, D. J. Dubois, and D. Choffnes, “Protected or porous: a comparative analysis of threat detection capability of iot safeguards,” in2023 IEEE Symposium on Security and Privacy (SP). IEEE, 2023, pp. 3061–3078

  10. [10]

    A study of data store-based home automation,

    K. Kafle, K. Moran, S. Manandhar, A. Nadkarni, and D. Poshyvanyk, “A study of data store-based home automation,” inProceedings of the Ninth ACM Conference on Data and Application Security and Privacy, 2019, pp. 73–84

  11. [11]

    Patching up: Stakeholder experiences of security updates for connected medical devices,

    L. Kustosch, C. Ga ˜n´an, M. van Eeten, and S. Parkin, “Patching up: Stakeholder experiences of security updates for connected medical devices,” in34th USENIX Security Symposium (USENIX Security 25), 2025, pp. 2265–2281

  12. [12]

    Discovering and understanding the security hazards in the interactions between{IoT}devices, mobile apps, and clouds on smart home platforms,

    W. Zhou, Y . Jia, Y . Yao, L. Zhu, L. Guan, Y . Mao, P. Liu, and Y . Zhang, “Discovering and understanding the security hazards in the interactions between{IoT}devices, mobile apps, and clouds on smart home platforms,” in28th USENIX security symposium (USENIX security 19), 2019, pp. 1133–1150

  13. [13]

    Systems-theoretic and data-driven security analysis in ml-enabled medical devices,

    G. Mitra, M. Hallajiyan, I. Kim, A. P. Dharmalingam, M. Elnawawy, S. Iqbal, K. Pattabiraman, and H. Alemzadeh, “Systems-theoretic and data-driven security analysis in ml-enabled medical devices,” 2025. [Online]. Available: https://arxiv.org/abs/2506.15028

  14. [14]

    Systems thinking for safety and security,

    W. Young and N. Leveson, “Systems thinking for safety and security,” inProceedings of ACM ACSAC ’13. Association for Computing Machinery, 2013, p. 1–8

  15. [15]

    Introduction to stpa-sec,

    C. Fleming, “Introduction to stpa-sec,”Systems Engineering for the Digital Age: Practitioner Perspectives, pp. 489–505, 2023

  16. [16]

    d-Nav System,

    U.S. FDA, “d-Nav System,” 2024. [Online]. Available: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfpmn/pmn.cfm? ID=K181916

  17. [17]

    ABMD Software,

    ——, “ABMD Software,” 2024. [Online]. Available: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfpmn/pmn.cfm? ID=K213760

  18. [18]

    IDx-DR v2.3,

    ——, “IDx-DR v2.3,” 2024. [Online]. Available: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPMN/pmn.cfm? ID=K213037

  19. [19]

    KIDScore D3,

    ——, “KIDScore D3,” 2024. [Online]. Available: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPMN/pmn.cfm? ID=K182798

  20. [20]

    Oxehealth Vital Signs,

    ——, “Oxehealth Vital Signs,” 2024. [Online]. Available: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPMN/pmn.cfm? ID=K220899

  21. [21]

    Leveson,Engineering a safer world: Systems thinking applied to safety

    N. Leveson,Engineering a safer world: Systems thinking applied to safety. MIT press, 2011

  22. [22]

    An stpa primer,

    N. Leveson and J. Thomas, “An stpa primer,”Cambridge, MA, 2013

  23. [23]

    System-theoretic process analysis for security (STPA-SEC): Cyber security and STPA,

    W. Young and R. Porada, “System-theoretic process analysis for security (STPA-SEC): Cyber security and STPA,” inSTAMP Conference. MIT Press, 2017, pp. 27–30

  24. [24]

    Integrating autonomous vehicle safety and security analysis using STPA method and the six- step model,

    G. Sabaliauskaite, L. S. Liew, and J. Cui, “Integrating autonomous vehicle safety and security analysis using STPA method and the six- step model,”International Journal on Advances in Security, vol. 11, no. 1&2, pp. 160–169, 2018

  25. [25]

    Safety and Security Analysis of AEB for L4 Autonomous Vehicle Using STPA,

    S. Sharma, A. Flores, C. Hobbs, J. Stafford, and S. Fischmeister, “Safety and Security Analysis of AEB for L4 Autonomous Vehicle Using STPA,” inWorkshop on ASD’19, ser. Open Access Series in Informatics (OASIcs), vol. 68. Schloss Dagstuhl – Leibniz-Zentrum f ¨ur Informatik, 2019, pp. 5:1–5:13

  26. [26]

    Sam: Foreseeing inference-time false data injec- tion attacks on ml-enabled medical devices,

    M. Hallajiyan, A. P. Dharmalingam, G. Mitra, H. Alemzadeh, S. Iqbal, and K. Pattabiraman, “Sam: Foreseeing inference-time false data injec- tion attacks on ml-enabled medical devices,” inProceedings of the 2024 Workshop on Cybersecurity in Healthcare, 2023, pp. 77–84

  27. [27]

    Abdulkhaleq and S

    A. Abdulkhaleq and S. Wagner,Open tool support for system-theoretic process analysis. Universit ¨atsbibliothek der Universit¨at Stuttgart, 2014

  28. [28]

    XSTAMPP: an eXtensible STAMP platform as tool support for safety engineering,

    ——, “XSTAMPP: an eXtensible STAMP platform as tool support for safety engineering,” 2015

  29. [29]

    Transportation systems safety hazard analysis tool (SafetyHAT) user guide (version 1.0),

    C. Becker and Q. Van Eikema Hommes, “Transportation systems safety hazard analysis tool (SafetyHAT) user guide (version 1.0),” USA, Tech. Rep., 2014

  30. [30]

    WebSTAMP: A web application for STPA & STPA-Sec,

    F. G. Souza, D. P. Pereira, R. M. Pagliares, S. Nadjm-Tehrani, and C. M. Hirata, “WebSTAMP: A web application for STPA & STPA-Sec,” in MATEC Web of Conferences, vol. 273. EDP Sciences, 2019, p. 02010

  31. [31]

    A STAMP-based ontology approach to support safety and security analyses,

    D. P. Pereira, C. Hirata, and S. Nadjm-Tehrani, “A STAMP-based ontology approach to support safety and security analyses,”Journal of Information Security and Applications, vol. 47, pp. 302–319, 2019

  32. [32]

    Safety Analysis in the Era of Large Language Models: A Case Study of STPA Using ChatGPT,

    Y . Qi, X. Zhao, S. Khastgir, and X. Huang, “Safety Analysis in the Era of Large Language Models: A Case Study of STPA Using ChatGPT,” 2023

  33. [33]

    Welcome Your New AI Teammate: On Safety Analysis by Leashing Large Language Models,

    A. Nouri, B. Cabrero-Daniel, F. Torner, H. Sivencrona, and C. Berger, “Welcome Your New AI Teammate: On Safety Analysis by Leashing Large Language Models,” inProceedings of the IEEE/ACM CAIN ’24, 2024, p. 172–177

  34. [34]

    Engineering Safety Requirements for Autonomous Driving with Large Language Models,

    A. Nouri, B. Cabrero-Daniel, F. T ¨orner, H. Sivencrona, and C. Berger, “Engineering Safety Requirements for Autonomous Driving with Large Language Models,” 2024

  35. [35]

    Systematically Assessing the Security Risks of AI/ML-enabled Con- nected Healthcare Systems,

    M. Elnawawy, M. Hallajiyan, G. Mitra, S. Iqbal, and K. Pattabiraman, “Systematically Assessing the Security Risks of AI/ML-enabled Con- nected Healthcare Systems,” inProceedings of IEEE/ACM CHASE ’24, 2024, pp. 97–108

  36. [36]

    Design and validation of an open-source closed-loop testbed for artificial pancreas systems,

    X. Zhou, M. Kouzel, H. Ren, and H. Alemzadeh, “Design and validation of an open-source closed-loop testbed for artificial pancreas systems,” in2022 IEEE/ACM Conference on Connected Health: Applications, Systems and Engineering Technologies (CHASE). IEEE, 2022, pp. 1–12

  37. [37]

    Blur- tooth: Exploiting cross-transport key derivation in bluetooth classic and bluetooth low energy,

    D. Antonioli, N. O. Tippenhauer, K. Rasmussen, and M. Payer, “Blur- tooth: Exploiting cross-transport key derivation in bluetooth classic and bluetooth low energy,” inProceedings of the 2022 ACM on Asia conference on computer and communications security, 2022, pp. 196– 207

  38. [38]

    Android source code vulnerability detection: a systematic literature review,

    J. Senanayake, H. Kalutarage, M. O. Al-Kadri, A. Petrovski, and L. Piras, “Android source code vulnerability detection: a systematic literature review,”ACM Computing Surveys, vol. 55, no. 9, pp. 1–37, 2023

  39. [39]

    Survey on wireless network security,

    R. Nazir, A. A. Laghari, K. Kumar, S. David, and M. Ali, “Survey on wireless network security,”Archives of Computational Methods in Engineering, pp. 1–20, 2021

  40. [40]

    Electromagnetic radiofrequency radiation emitted from gsm mobile phones decreases the accuracy of home blood glucose monitors,

    S. Mortazavi, X. Gholampour, M. Haghani, G. Mortazavi, and A. Mor- tazavi, “Electromagnetic radiofrequency radiation emitted from gsm mobile phones decreases the accuracy of home blood glucose monitors,” Journal of Biomedical Physics and Engineering, vol. 4, no. 3, 2014

  41. [41]

    Hallucinations in llms: Understanding and addressing challenges,

    G. Perkovi ´c, A. Drobnjak, and I. Boti ˇcki, “Hallucinations in llms: Understanding and addressing challenges,” in2024 47th MIPRO ICT and Electronics Convention (MIPRO). IEEE, 2024, pp. 2084–2088

  42. [42]

    Medaiscout: Automated retrieval of known machine learning vulnerabilities in medical applications,

    A. P. Dharmalingam and G. Mitra, “Medaiscout: Automated retrieval of known machine learning vulnerabilities in medical applications,” inRed Teaming GenAI: What Can We Learn from Adversaries?, 2024

  43. [43]

    GLiNER: Generalist model for named entity recognition using bidirectional transformer,

    U. Zaratiana, N. Tomeh, P. Holat, and T. Charnois, “GLiNER: Generalist model for named entity recognition using bidirectional transformer,” inProceedings of the 2024 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (Volume 1: Long Papers), K. Duh, H. Gomez, and S. Bethard, Eds. Mexico C...

  44. [44]

    GPT-4 Technical Report

    J. Achiam, S. Adler, S. Agarwal, L. Ahmad, I. Akkaya, F. L. Aleman, D. Almeida, J. Altenschmidt, S. Altman, S. Anadkatet al., “Gpt-4 technical report,”arXiv preprint arXiv:2303.08774, 2023

  45. [45]

    Security Vulnerabilities, Attacks, Countermeasures, and Regulations of Networked Medical De- vices—A Review,

    T. Yaqoob, H. Abbas, and M. Atiquzzaman, “Security Vulnerabilities, Attacks, Countermeasures, and Regulations of Networked Medical De- vices—A Review,”IEEE Communications Surveys & Tutorials, vol. 21, no. 4, pp. 3723–3768, 2019

  46. [46]

    How ChatGPT and our foundation models are developed,

    OpenAI, “How ChatGPT and our foundation models are developed,”

  47. [47]

    Available: https://openai.com/policies/how-chatgpt-and- our-foundation-models-are-developed/

    [Online]. Available: https://openai.com/policies/how-chatgpt-and- our-foundation-models-are-developed/

  48. [48]

    Role play with large language models,

    M. Shanahan, K. McDonell, and L. Reynolds, “Role play with large language models,”Nature, vol. 623, no. 7987, pp. 493–498, 2023

  49. [49]

    CAMEL: Communicative Agents for

    G. Li, H. Hammoud, H. Itani, D. Khizbullin, and B. Ghanem, “CAMEL: Communicative Agents for ”Mind” Exploration of Large Language Model Society,” inAdvances in Neural Information Processing Systems, vol. 36. Curran Associates, Inc., 2023, pp. 51 991–52 008

  50. [50]

    Teler: A general taxonomy of llm prompts for benchmarking complex tasks,

    S. K. K. Santu and D. Feng, “Teler: A general taxonomy of llm prompts for benchmarking complex tasks,” 2023

  51. [51]

    MITRE ATT&CK

    MITRE, “MITRE ATT&CK.” [Online]. Available: https://attack.mitre.org/

  52. [52]

    Chain-of-thought prompting elicits reasoning in large language models,

    J. Wei, X. Wang, D. Schuurmans, M. Bosma, F. Xia, E. Chi, Q. V . Le, and D. Zhou, “Chain-of-thought prompting elicits reasoning in large language models,”Advances in neural information processing systems, vol. 35, pp. 24 824–24 837, 2022

  53. [53]

    The llama 3 herd of models,

    A. Dubey, A. Jauhri, A. Pandey, A. Kadian, A. Al-Dahle, A. Letman, A. Mathur, A. Schelten, A. Yang, A. Fanet al., “The llama 3 herd of models,”arXiv e-prints, pp. arXiv–2407, 2024

  54. [54]

    A mathematical investigation of hallucination and creativity in gpt models,

    M. Lee, “A mathematical investigation of hallucination and creativity in gpt models,”Mathematics, vol. 11, no. 10, p. 2320, 2023

  55. [55]

    Judging llm-as-a-judge with mt-bench and chatbot arena,

    L. Zheng, W.-L. Chiang, Y . Sheng, S. Zhuang, Z. Wu, Y . Zhuang, Z. Lin, Z. Li, D. Li, E. Xinget al., “Judging llm-as-a-judge with mt-bench and chatbot arena,”Advances in neural information processing systems, vol. 36, pp. 46 595–46 623, 2023

  56. [56]

    Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures,

    M. Fredrikson, S. Jha, and T. Ristenpart, “Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures,” in Proceedings of the ACM SIGSAC CCS ’15, 2015, p. 1322–1333

  57. [57]

    CT-GAN: Malicious tampering of 3d medical imagery using deep learning,

    Y . Mirsky, T. Mahler, I. Shelef, and Y . Elovici, “CT-GAN: Malicious tampering of 3d medical imagery using deep learning,” inUSENIX Security ’19. USENIX Association, 2019, pp. 461–478

  58. [58]

    Adversarial exposure attack on diabetic retinopathy imagery grading,

    Y . Cheng, Q. Guo, F. Juefei-Xu, H. Fu, S.-W. Lin, and W. Lin, “Adversarial exposure attack on diabetic retinopathy imagery grading,” IEEE Journal of Biomedical and Health Informatics, 2024

  59. [59]

    Adver- sarial attacks and adversarial robustness in computational pathology,

    N. Ghaffari Laleh, D. Truhn, G. P. Veldhuizen, T. Han, M. van Treeck, R. D. Buelow, R. Langer, B. Dislich, P. Boor, V . Schulzet al., “Adver- sarial attacks and adversarial robustness in computational pathology,” Nature communications, vol. 13, no. 1, p. 5711, 2022

  60. [60]

    Adversarial Perturbations Against Real-Time Video Classification Systems

    S. Li, A. Neupane, S. Paul, C. Song, S. V . Krishnamurthy, A. K. R. Chowdhury, and A. Swami, “Adversarial perturbations against real-time video classification systems,”arXiv preprint arXiv:1807.00458, 2018