Pith. sign in

REVIEW 3 major objections 6 minor 77 references

Context compression is a defense choke point: invisible Unicode perturbations can make agent summaries unusable while leaving the page looking unchanged to human readers.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.5

2026-07-10 11:46 UTC pith:MRQYAOSP

load-bearing objection Solid systems paper that makes compression a real content-protection chokepoint and backs it with thorough multi-target evidence; the only load-bearing soft spot is the no-sanitization threat model the authors already flag. the 3 major comments →

arxiv 2607.08180 v1 pith:MRQYAOSP submitted 2026-07-09 cs.CR cs.AI

Out of Sight: Compression-Aware Content Protection against Agentic Crawlers

classification cs.CR cs.AI
keywords content protectionLLM agentscontext compressioninvisible perturbationsCAPEagentic crawlersUnicodeprompt compression
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

LLM agents no longer merely copy pages; they retrieve text, compress it to fit context budgets, store the result in memory, and reuse it downstream. Perimeter defenses such as robots.txt and bot blocks fail once an agent mimics a normal browser, and visible prompt-injection defenses often hurt human readability. This paper argues that the compression step itself is an overlooked protection layer. CAPE injects invisible character sequences that leave the human-visible surface almost identical, yet systematically corrupt the compressed representation so that facts, code structure, and dialogue state are lost. The method first mines disruptive structural patterns on open surrogate compressors, then adapts them to black-box targets with prior-guided evolution and a preference ranker that spends only a small query budget. Across long documents, code, and dialogues—and in LangGraph and GitHub Copilot workflows—CAPE produces far more information loss than prior baselines while keeping human-visible difference near that of random invisible characters.

Core claim

Context compression, the routine agent step that condenses retrieved content to fit limited context, can be turned into a content-layer defense. By injecting optimized invisible perturbations, CAPE induces severe textual and informational degradation in the compressed output—up to 75.8% more information loss than the strongest baseline—while the protected text remains visually indistinguishable from the original for human readers, and the effect transfers to real agent pipelines.

What carries the argument

CAPE (Compression-Aware Protective Evolution): a three-stage procedure that discovers degradation-linked structural priors of invisible-token patterns on a surrogate compressor, adapts them to query-only targets by prior-guided evolutionary search, and allocates scarce target queries with a preference-calibrated local ranker.

Load-bearing premise

The agent must send the harvested page into its compressor essentially as published, without first stripping zero-width or other invisible Unicode characters.

What would settle it

Strip all invisible and zero-width Unicode from a CAPE-protected document, re-run the same compressor or LangGraph/Copilot pipeline on the cleaned text, and check whether textual and information degradation fall back to the unprotected baseline.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • Publishers can ship pages that stay fully readable for people but yield unreliable agent memories and summaries once perimeter access controls are bypassed.
  • Compression becomes a complementary defense layer rather than a neutral preprocessing step in agent pipelines.
  • Protection transfers beyond lab compressors into real stacks such as LangGraph workflows and GitHub Copilot code assistance.
  • Perturbations optimized for several mainstream targets can be composed into one payload when the future compressor is unknown at publication time.
  • Future content-protection research should treat agent compression and memory-construction modules as security-sensitive interfaces.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Widespread default Unicode normalization in agent crawlers would neutralize this class of defense, but could also damage legitimate formatting-sensitive content such as code and structured markup, so sanitization may stay incomplete for some time.
  • The same invisible surface could be dual-use: defenders degrade fidelity while attackers might try to steer compression toward preferred summaries, creating an arms race over tokenizer and sanitization defaults.
  • A standardized, machine-readable protection signal for compression (analogous to robots.txt for crawling) could achieve similar goals without relying on invisible characters if platforms and agent vendors agreed to honor it.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

3 major / 6 minor

Summary. The paper argues that context compression in LLM agent pipelines is an overlooked chokepoint for content protection, and proposes CAPE: a three-stage framework that injects invisible Unicode perturbations (preserving human-visible form) so that agent compressors lose structural fidelity and task-relevant information. Stage 1 discovers structural priors on accessible surrogate compressors via a distributional (entropy / anomalous-continuation) objective; Stages 2–3 adapt those seeds to query-only targets with prior-guided evolution and a preference-calibrated ranker under a 100-query budget. Experiments on long-form text, code, and dialogue against GPT-4.1, Gemini 3 Flash, LangGraph, and GitHub Copilot report large gains in textual/information degradation and downstream utility loss (e.g., LangGraph DRAD up to 59.7%) while keeping automated HVID low; ablations, compositional transfer, and cross-paradigm compression (abstractive, Selective Context, LLMLingua, ICAE) support the design.

Significance. If the threat model holds, the work is significant for agent-era content protection: it reframes compression as a complementary defense layer when access controls fail, and supplies a concrete, low-query adaptation pipeline with real-world transfer to LangGraph and GitHub Copilot. Strengths include paired evaluation across three content types and four target settings, stage-level and component ablations (Fig. 3–4), compositional multi-target transfer (Table 5), generalization across hard/soft/abstractive compressors (Table 6), near-window stress tests, fixed held-out hyperparameters, and a public prototype release. The contribution is primarily empirical and systems-oriented rather than theoretical, but the compression-chokepoint framing is novel and actionable for publishers and agent developers.

major comments (3)
  1. [§3.1 Threat Model; Limitations] §3.1 (Threat Model) and Limitations: The central protection claim rests on the adversary forwarding harvested text 'verbatim, without aggressive preprocessing or sanitization' and not stripping zero-width/invisible Unicode. Limitations correctly notes that Unicode normalization or whitespace sanitization would prevent perturbations from reaching the compressor, collapsing all reported gains (up to 75.8% information-loss improvement, LangGraph DRAD 59.7%, Copilot CSD/MOR). This assumption is load-bearing and currently untested. The manuscript needs either (i) experiments under light/realistic sanitization (NFC/NFKC, zero-width stripping, common HTML/text cleaners) with residual degradation reported, or (ii) a quantitative scoping of which real agent/crawler pipelines leave invisible tokens intact, plus clearer claim language that CAPE is a first-line content-layer defense only when saniti
  2. [§5.1 Metrics; §A.11 HVID] §5.1 Metrics and claims of 'visually indistinguishable' / 'human-visible difference ~1.4%': HVID (§A.11, Eq. for HVID) is a five-component automated score (invisible-set membership, multi-mode OCR/render NED, adjacent-window NED, log-PPL naturalness, semantic similarity). No human subject study validates that protected pages are perceived as identical to originals under ordinary reading (browser, Markdown, code viewers). For a core selling point—'without changing its human-visible surface form'—either a small human indistinguishability study or softer language (e.g., 'low automated HVID; human study left to future work') is needed so the imperceptibility claim is not overstated relative to the evidence.
  3. [Abstract; §5.2; Table 1] Abstract / Contributions vs §5.2: The abstract and contribution list claim CAPE 'improves information loss by up to 75.8% over the strongest baseline,' while §5.2 reports 'up to 62.6%' for GPT-4.1 information loss and separately 'TD by 241.7%' on Gemini. The 75.8% figure is not clearly traceable to a specific cell in Table 1–3 or the appendix tables. Please pin the headline percentage to an explicit table entry (metric, content type, target, baseline) and align abstract, intro, and results so the strongest claim is reproducible from the reported numbers.
minor comments (6)
  1. [§2; Fig. 1] Fig. 1 and the five-stage agent workflow are clear, but the figure caption and §2 should briefly note which commercial/open compressors map to 'LLM-driven compression' vs hard token selection vs soft representation, so readers can connect the background to Table 6.
  2. [§4.1; Eq. (4); §A.4] Eq. (4) and §A.4: Vanom / Vlang construction is described at a high level (clean-run frequent tokens vs rare/control tokens plus search-induced tokens). A short pseudocode or fixed recipe (frequency thresholds, exclusion of special IDs) would improve reproducibility of Structural Prior Discovery.
  3. [Table 1] Table 1 formatting: dual numbers with colored subscripts are dense; consider moving absolute deltas to a supplement or using a single primary score plus Δ in parentheses for readability in print.
  4. [§A.8; Table 8] §A.8 case study (Table 8) is useful but very long; a shortened main-text excerpt with the full table in the appendix would help readers without breaking flow.
  5. [Throughout] Minor typos / consistency: 'agentic crawlers' vs 'agent-driven crawlers'; occasional encoding artifacts in the manuscript text (e.g., 'RAGâs'); standardize 'Invisible Perturbation' capitalization.
  6. [§5.1; §A.7] §5.1 Implementation: coefficients from grid search are listed; stating the validation split size and that the same grid was not re-run per target (as claimed in §A.7) in the main text would help readers trust the frozen-hyperparameter claim.

Circularity Check

0 steps flagged

No significant circularity; CAPE is an empirical optimization-and-evaluation framework whose protection gains are measured against external compressors and independent baselines, not derived by construction from its own inputs.

full rationale

The paper's central claims are empirical performance numbers (up to 75.8% information-loss improvement, low HVID, LangGraph DRAD 59.7%, Copilot CSD/MOR) obtained by running a three-stage search (surrogate prior discovery via Eq. 4, prior-guided evolution with regularized fitness, preference-calibrated query selection via Eqs. 5-6) against closed-source and commercial compressors under a fixed 100-query budget. Hyper-parameters are selected once by grid search on a held-out validation split and then frozen; they are never re-fit to the reported test numbers. Metrics (TD, ID, OSD, HVID, DRAD, CSD, MOR) are defined independently of the search objective and compare protected versus unmodified outputs under identical prompts and decoding. Ablations (Fig. 3, Fig. 4), compositional transfer (Table 5), and cross-paradigm generalization (Table 6) further isolate components against external baselines (TAP, HardCom, REGTEXT, I-GCG, SoftCom, random/fixed invisible controls). There is no self-definitional equation, no fitted parameter renamed as a prediction, no load-bearing self-citation of a uniqueness theorem, and no ansatz smuggled via prior author work. The only load-bearing assumption is the threat-model statement that the adversary forwards text verbatim without stripping invisible characters; that is an external scope condition, not an internal circular reduction. The derivation chain is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

6 free parameters · 4 axioms · 2 invented entities

The central empirical claim rests on a small set of threat-model assumptions, a handful of grid-searched coefficients that control the multi-term objectives, and the operational definition of 'invisible' tokens. No new physical entities are postulated; the invented constructs are algorithmic (structural descriptors, local preference ranker). The free parameters are ordinary hyper-parameters fixed once on a validation split.

free parameters (6)
  • λ_a (anomalous-continuation weight) = 0.75
    Grid-searched on held-out split; fixed at 0.75; directly scales the primary surrogate degradation term.
  • λ_l (language-suppression weight) = 0.30
    Grid-searched; fixed at 0.30; balances fluent-language penalty against anomalous mass.
  • λ_p, λ_u, λ_r (fitness regularizers) = 0.30 / 0.15 / 0.10
    Prior-consistency, instability, and tabu penalties; grid-searched and frozen at 0.30/0.15/0.10.
  • β_u, β_n (acquisition coefficients) = 0.25 / 0.15
    Uncertainty and novelty bonuses for query allocation; fixed at 0.25/0.15 after validation.
  • perturbation length ratio = 1/20
    Default 1/20 of input length chosen by sensitivity analysis; controls capacity of the invisible string.
  • target query budget B = 100
    Hard limit of 100 queries per example; shapes the entire adaptation regime.
axioms (4)
  • domain assumption Modern agent pipelines routinely invoke an LLM-based or token-selection compressor before reasoning or memory write.
    Stated in §1–2 and Fig. 1; without this the chokepoint disappears.
  • domain assumption Invisible Unicode characters (zero-width, variation selectors, etc.) survive rendering for humans yet alter tokenizer IDs and future-token distributions inside LLMs.
    Relies on prior work (Boucher et al., Geh et al.) and is used throughout §4.1 and A.4.
  • ad hoc to paper Adversary treats harvested content as pristine and does not apply aggressive Unicode normalization or invisible-character stripping before compression.
    Explicit in §3.1 Threat Model and revisited in Limitations; load-bearing for any protection effect.
  • domain assumption Surrogate open-source compressors yield structural priors that remain useful after low-budget evolutionary adaptation to unknown black-box targets.
    Core transfer hypothesis of Stages 1–2; tested but not proved in general.
invented entities (2)
  • Structural descriptors (local fragments, co-occurrence patterns, position-length cells) no independent evidence
    purpose: Compact, transferable representation of degradation-causing invisible patterns extracted from the surrogate.
    Defined in §4.1 / A.4; no independent existence outside the CAPE pipeline.
  • Preference-calibrated local ranker f_ϕ no independent evidence
    purpose: Cheap within-pool ordering of candidates so that scarce target queries are spent on high-value or uncertain structures.
    Introduced in §4.3; trained only on the paper's own preference pairs.

pith-pipeline@v1.1.0-grok45 · 44420 in / 3386 out tokens · 48530 ms · 2026-07-10T11:46:38.923483+00:00 · methodology

0 comments
read the original abstract

The rise of LLM-based agents with reasoning, summarization, and memory capabilities has created a new threat surface for online content that conventional defenses fail to address. Existing defenses like access controls can be circumvented by agents mimicking ordinary browsers, and injection-based defenses often degrade human readability. In this paper, we revisit the agent pipeline and identify context compression, which agents routinely invoke to fit context budgets, as a critical yet overlooked defense layer. We propose CAPE, a framework that protects high-value textual content by injecting invisible perturbations without changing its human-visible surface form, thereby inducing severe information loss during agent compression. CAPE extracts disruptive seed perturbations from an accessible surrogate compressor, then adapts them to query-only target compressors through prior-guided evolution and preference-calibrated candidate prioritization, achieving effective protection under a low query budget. Experiments on three content types and four compression settings show that CAPE improves information loss by up to 75.8% over the strongest baseline while keeping protected content visually indistinguishable from originals. CAPE also transfers to real-world settings, including the LangGraph agent workflow and GitHub Copilot, highlighting its generality and practical value. This paper aims to reveal context compression as a new defense layer, promoting content protection research in the agent era.

Figures

Figures reproduced from arXiv: 2607.08180 by Xuefei Wang.

Figure 1
Figure 1. Figure 1: General agent workflow with compression mechanism. evaluation materials to support reproducibility1 . 2 Background and Related Work Agent Workflows. Modern LLM-based agents translate a user goal into a final answer through a multi-stage, closed-loop workflow (Xi et al., 2025; Sumers et al., 2023; Wang et al., 2024). As illus￾trated in [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Overview of CAPE. CAPE discovers structural priors from accessible compressors, adapts them through prior-guided evolution, and allocates closed-source queries via preference-calibrated selection to generate adapted protective perturbations. where q a t (V) = P v∈V q a t (v) is the marginal prob￾ability assigned to a token set, and H(q a t ) denotes distribution entropy. The three terms serve com￾plementar… view at source ↗
Figure 3
Figure 3. Figure 3: Component ablation results. mechanisms of CAPE (i.e., distributional surrogate optimization, prior-guided variation and preference calibrated ranker) [PITH_FULL_IMAGE:figures/full_fig_p008_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Query-efficiency dynamics on GPT-4.1. Each point reports the best-so-far degradation score under the current target-query budget. CAPE is compared with two baselines and three internal variants that remove Structural Prior Discov￾ery, Prior-Guided Evolutionary Adaptation, and Preference￾Calibrated Query Selection. significant degradation, indicating that unguided target-side search is ineffective when the … view at source ↗
Figure 5
Figure 5. Figure 5: Invisible Perturbation length sensitivity on Llama3-8B. Left: final TD under different perturbation length ratios. Right: optimization steps required to reach TD ≥ 0.60. fault Budget Selection. We provide an additional sensitivity analysis to justify the default invisible perturbation budget used in the main experiments. Since input examples have different lengths, we vary the perturbation-to-input length … view at source ↗
Figure 6
Figure 6. Figure 6: Sensitivity of CAPE to insertion position and invisible perturbation length across Text, Dialogue, and Code tasks. 0.0 0.2 0.4 0.6 0.8 1.0 Textual Degradation 0.0 0.2 0.4 0.6 0.8 1.0 Information Degradation joint high￾degradation Random Baselines Motif-guided pool CAPE selected [PITH_FULL_IMAGE:figures/full_fig_p019_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Candidate-level TD-ID distribution before final selec￾tion. Local-fragment-guided and CAPE-selected candidates move toward the joint high-degradation region, indicating cou￾pled textual and informational degradation. A.4 Details of Structural Prior Discovery This subsection provides the implementation de￾tails omitted from §4.1. It explains the invisible￾token space, the surrogate-side probing objec￾tive, … view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

77 extracted references · 77 canonical work pages · 11 internal anchors

  1. [1]

    Aho and Jeffrey D

    Alfred V. Aho and Jeffrey D. Ullman , title =. 1972

  2. [2]

    Publications Manual , year = "1983", publisher =

  3. [3]

    Chandra and Dexter C

    Ashok K. Chandra and Dexter C. Kozen and Larry J. Stockmeyer , year = "1981", title =. doi:10.1145/322234.322243

  4. [4]

    Scalable training of

    Andrew, Galen and Gao, Jianfeng , booktitle=. Scalable training of

  5. [5]

    Dan Gusfield , title =. 1997

  6. [6]

    Tetreault , title =

    Mohammad Sadegh Rasooli and Joel R. Tetreault , title =. Computing Research Repository , volume =. 2015 , url =

  7. [7]

    A Framework for Learning Predictive Structures from Multiple Tasks and Unlabeled Data , Volume =

    Ando, Rie Kubota and Zhang, Tong , Issn =. A Framework for Learning Predictive Structures from Multiple Tasks and Unlabeled Data , Volume =. Journal of Machine Learning Research , Month = dec, Numpages =

  8. [8]

    Advances in Neural Information Processing Systems , volume=

    Agentdojo: A dynamic environment to evaluate prompt injection attacks and defenses for llm agents , author=. Advances in Neural Information Processing Systems , volume=

  9. [9]

    gradient descent

    Automatic prompt optimization with “gradient descent” and beam search , author=. Proceedings of the 2023 conference on empirical methods in natural language processing , pages=

  10. [10]

    Universal and Transferable Adversarial Attacks on Aligned Language Models

    Universal and transferable adversarial attacks on aligned language models , author=. arXiv preprint arXiv:2307.15043 , year=

  11. [11]

    AutoDAN: Generating Stealthy Jailbreak Prompts on Aligned Large Language Models

    Autodan: Generating stealthy jailbreak prompts on aligned large language models , author=. arXiv preprint arXiv:2310.04451 , year=

  12. [12]

    33rd USENIX Security Symposium (USENIX Security 24) , pages=

    Formalizing and benchmarking prompt injection attacks and defenses , author=. 33rd USENIX Security Symposium (USENIX Security 24) , pages=

  13. [13]

    Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing , pages=

    Waterfall: Scalable framework for robust text watermarking and provenance for llms , author=. Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing , pages=

  14. [14]

    Towards operationalizing right to data protection , author=. Proceedings of the 2025 Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies (Volume 1: Long Papers) , pages=

  15. [15]

    Data Poisoning in Deep Learning: A Survey

    Data poisoning in deep learning: A survey , author=. arXiv preprint arXiv:2503.22759 , year=

  16. [16]

    32nd USENIX Security Symposium (USENIX Security 23) , pages=

    Extracting Training Data from Large Language Models , author=. 32nd USENIX Security Symposium (USENIX Security 23) , pages=

  17. [17]

    LLML ingua-2: Data Distillation for Efficient and Faithful Task-Agnostic Prompt Compression

    Pan, Zhuoshi and Wu, Qianhui and Jiang, Huiqiang and Xia, Menglin and Luo, Xufang and Zhang, Jue and Lin, Qingwei and R. LLML ingua-2: Data Distillation for Efficient and Faithful Task-Agnostic Prompt Compression. Findings of the Association for Computational Linguistics: ACL 2024. 2024. doi:10.18653/v1/2024.findings-acl.57

  18. [18]

    When Compression Becomes an Attack Surface: Black-Box Attacks on Prompt-Compressed LLM Agents

    CompressionAttack: Exploiting Prompt Compression as a New Attack Surface in LLM-Powered Agents , author=. arXiv preprint arXiv:2510.22963 , year=

  19. [19]

    Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing , pages=

    Adapting language models to compress contexts , author=. Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing , pages=

  20. [20]

    In-context Autoencoder for Context Compression in a Large Language Model

    In-context autoencoder for context compression in a large language model , author=. arXiv preprint arXiv:2307.06945 , year=

  21. [21]

    , author=

    MemGPT: towards LLMs as operating systems. , author=. 2023 , publisher=

  22. [22]

    Proceedings of the 36th annual acm symposium on user interface software and technology , pages=

    Generative agents: Interactive simulacra of human behavior , author=. Proceedings of the 36th annual acm symposium on user interface software and technology , pages=

  23. [23]

    Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing , pages=

    Web Intellectual Property at Risk: Preventing Unauthorized Real-Time Retrieval by Large Language Models , author=. Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing , pages=

  24. [24]

    txt directives: evidence from a large-scale empirical study , author=

    Scrapers selectively respect robots. txt directives: evidence from a large-scale empirical study , author=. Proceedings of the 2025 ACM Internet Measurement Conference , pages=

  25. [25]

    Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing , pages=

    Enhancing training data attribution for large language models with fitting error consideration , author=. Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing , pages=

  26. [26]

    AdvPrompter: Fast Adaptive Adversarial Prompting for LLMs

    Advprompter: Fast adaptive adversarial prompting for llms , author=. arXiv preprint arXiv:2404.16873 , year=

  27. [27]

    Proceedings of the 2023 conference on empirical methods in natural language processing , pages=

    Llmlingua: Compressing prompts for accelerated inference of large language models , author=. Proceedings of the 2023 conference on empirical methods in natural language processing , pages=

  28. [28]

    Advances in neural information processing systems , volume=

    Jailbroken: How does llm safety training fail? , author=. Advances in neural information processing systems , volume=

  29. [29]

    AI and Data Scraping on the Archive , year =

  30. [30]

    2025 , note =

    Tome, Joao and Pacheco, Jorge and Azevedo, Carlos , title =. 2025 , note =

  31. [31]

    2024 , note =

    Bocharov, Alex and Vargas, Santiago and Martinetti, Adam and Tatoris, Reid and Azevedo, Carlos , title =. 2024 , note =

  32. [32]

    Proceedings of the 16th ACM workshop on artificial intelligence and security , pages=

    Not what you've signed up for: Compromising real-world llm-integrated applications with indirect prompt injection , author=. Proceedings of the 16th ACM workshop on artificial intelligence and security , pages=

  33. [33]

    Advances in Neural Information Processing Systems , volume=

    Agentpoison: Red-teaming llm agents via poisoning memory or knowledge bases , author=. Advances in Neural Information Processing Systems , volume=

  34. [34]

    Prompt Injection Attack to Tool Selection in LLM Agents

    Prompt injection attack to tool selection in llm agents , author=. arXiv preprint arXiv:2504.19793 , year=

  35. [35]

    Proceedings of the 2023 conference on empirical methods in natural language processing , pages=

    Compressing context to enhance inference efficiency of large language models , author=. Proceedings of the 2023 conference on empirical methods in natural language processing , pages=

  36. [36]

    International Conference on Learning Representations , volume=

    Quantifying the plausibility of context reliance in neural machine translation , author=. International Conference on Learning Representations , volume=

  37. [37]

    Findings of the Association for Computational Linguistics: EMNLP 2022 , pages=

    Generating textual adversaries with minimal perturbation , author=. Findings of the Association for Computational Linguistics: EMNLP 2022 , pages=

  38. [38]

    Sustainability , volume=

    Tourism service scheduling in smart city based on hybrid genetic algorithm simulated annealing algorithm , author=. Sustainability , volume=. 2022 , publisher=

  39. [39]

    Computer and Decision Making: An International Journal , volume=

    A Hybrid Genetic Algorithm and Simulated Annealing Approach for the Uncapacitated Facility Location Problem , author=. Computer and Decision Making: An International Journal , volume=

  40. [40]

    Findings of the Association for Computational Linguistics: EMNLP 2024 , pages=

    Typos that broke the rag’s back: Genetic attack on rag pipeline by simulating documents in the wild via low-level perturbations , author=. Findings of the Association for Computational Linguistics: EMNLP 2024 , pages=

  41. [41]

    Advances in Neural Information Processing Systems , volume=

    Babilong: Testing the limits of llms with long context reasoning-in-a-haystack , author=. Advances in Neural Information Processing Systems , volume=

  42. [42]

    Advances in Neural Information Processing Systems , volume=

    Stress-testing long-context language models with lifelong icl and task haystack , author=. Advances in Neural Information Processing Systems , volume=

  43. [43]

    Advances in Neural Information Processing Systems , volume=

    Core: Benchmarking LLMs’ code reasoning capabilities through static analysis tasks , author=. Advances in Neural Information Processing Systems , volume=

  44. [44]

    Advances in Neural Information Processing Systems , volume=

    CodeAssistBench (CAB): Dataset & benchmarking for multi-turn chat-based code assistance , author=. Advances in Neural Information Processing Systems , volume=

  45. [45]

    Advances in Neural Information Processing Systems , volume=

    T1: A tool-oriented conversational dataset for multi-turn agentic planning , author=. Advances in Neural Information Processing Systems , volume=

  46. [46]

    Improved Techniques for Optimization-Based Jailbreaking on Large Language Models

    Improved techniques for optimization-based jailbreaking on large language models , author=. arXiv preprint arXiv:2405.21018 , year=

  47. [47]

    Advances in Neural Information Processing Systems , volume=

    Tree of attacks: Jailbreaking black-box llms automatically , author=. Advances in Neural Information Processing Systems , volume=

  48. [48]

    PAL: Proxy-Guided Black-Box Attack on Large Language Models

    Pal: Proxy-guided black-box attack on large language models , author=. arXiv preprint arXiv:2402.09674 , year=

  49. [49]

    2025 , howpublished =

    The Unicode Standard, Version 17.0: Special Areas and Format Characters , author =. 2025 , howpublished =

  50. [50]

    Proceedings of the 43rd IEEE Symposium on Security and Privacy , year =

    Bad Characters: Imperceptible NLP Attacks , author =. Proceedings of the 43rd IEEE Symposium on Security and Privacy , year =

  51. [51]

    2025 , howpublished =

    Special-Character Adversarial Attacks on Open-Source Language Models , author =. 2025 , howpublished =

  52. [52]

    International Conference on Learning Representations , year =

    The Curious Case of Neural Text Degeneration , author =. International Conference on Learning Representations , year =

  53. [53]

    Pillutla, Krishna and Swayamdipta, Swabha and Zellers, Rowan and Thickstun, John and Welleck, Sean and Choi, Yejin and Harchaoui, Zaid , booktitle =

  54. [54]

    Fabbri, Alexander R. and Kry. Transactions of the Association for Computational Linguistics , year =

  55. [55]

    Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics , year =

    Asking and Answering Questions to Evaluate the Factual Consistency of Summaries , author =. Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics , year =

  56. [56]

    Proceedings of the 2021 Conference on Empirical Methods in Natural Language Processing , year =

    Q^2 : Evaluating Factual Consistency in Knowledge-Grounded Dialogues via Question Generation and Question Answering , author =. Proceedings of the 2021 Conference on Empirical Methods in Natural Language Processing , year =

  57. [57]

    2025 , howpublished =

    2025 Developer Survey: AI , author =. 2025 , howpublished =

  58. [58]

    International Conference on Learning Representations , volume=

    Compressed context memory for online language model interaction , author=. International Conference on Learning Representations , volume=

  59. [59]

    2023 Tenth International Conference on Social Networks Analysis, Management and Security (SNAMS) , pages=

    Semantic compression with large language models , author=. 2023 Tenth International Conference on Social Networks Analysis, Management and Security (SNAMS) , pages=. 2023 , organization=

  60. [60]

    Proceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers) , pages=

    Adversarial tokenization , author=. Proceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers) , pages=

  61. [61]

    Understanding the Ability of LLMs to Handle Character-Level Perturbation

    On the Ability of LLMs to Handle Character-Level Perturbations: How Well and How? , author=. arXiv preprint arXiv:2510.14365 , year=

  62. [62]

    Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing , pages=

    Fishing for magikarp: Automatically detecting under-trained tokens in large language models , author=. Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing , pages=

  63. [63]

    Proceedings of the 8th BlackboxNLP Workshop: Analyzing and Interpreting Neural Networks for NLP , pages=

    Evil twins are not that evil: Qualitative insights into machine-generated prompts , author=. Proceedings of the 8th BlackboxNLP Workshop: Analyzing and Interpreting Neural Networks for NLP , pages=

  64. [64]

    Proceedings of the ACM on Software Engineering , volume=

    Glitch tokens in large language models: Categorization taxonomy and effective detection , author=. Proceedings of the ACM on Software Engineering , volume=. 2024 , publisher=

  65. [65]

    Findings of the Association for Computational Linguistics: EMNLP 2023 , pages=

    Toward Human Readable Prompt Tuning: Kubrick’s The Shining is a good movie, and a good prompt too? , author=. Findings of the Association for Computational Linguistics: EMNLP 2023 , pages=

  66. [66]

    Advances in Neural Information Processing Systems , volume=

    The refinedweb dataset for falcon llm: Outperforming curated corpora with web data only , author=. Advances in Neural Information Processing Systems , volume=

  67. [67]

    Proceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers) , pages=

    Dolma: An open corpus of three trillion tokens for language model pretraining research , author=. Proceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers) , pages=

  68. [68]

    Google Keyword Blog.-12/17/2025.-[Electronic resource] URL: https://blog

    Gemini 3 Flash: frontier intelligence built for speed , author=. Google Keyword Blog.-12/17/2025.-[Electronic resource] URL: https://blog. google/products/gemini/gemini-3-flash/(accessed: 10/16/2025) , year=

  69. [69]

    2024 , publisher =

    GitHub repository , url =. 2024 , publisher =

  70. [70]

    Science China Information Sciences , volume=

    The rise and potential of large language model based agents: A survey , author=. Science China Information Sciences , volume=. 2025 , publisher=

  71. [71]

    Transactions on Machine Learning Research , year=

    Cognitive architectures for language agents , author=. Transactions on Machine Learning Research , year=

  72. [72]

    Frontiers of Computer Science , volume=

    A survey on large language model based autonomous agents , author=. Frontiers of Computer Science , volume=. 2024 , publisher=

  73. [73]

    RECOMP: Improving Retrieval-Augmented LMs with Compression and Selective Augmentation

    Recomp: Improving retrieval-augmented lms with compression and selective augmentation , author=. arXiv preprint arXiv:2310.04408 , year=

  74. [74]

    Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing , pages=

    Compact: Compressing retrieved documents actively for question answering , author=. Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing , pages=

  75. [75]

    2022 IEEE symposium on security and privacy (SP) , pages=

    Bad characters: Imperceptible nlp attacks , author=. 2022 IEEE symposium on security and privacy (SP) , pages=. 2022 , organization=

  76. [76]

    International Conference on Machine Learning , pages=

    A Human-Inspired Reading Agent with Gist Memory of Very Long Contexts , author=. International Conference on Machine Learning , pages=. 2024 , organization=

  77. [77]

    Proceedings of the AAAI conference on artificial intelligence , volume=

    Memorybank: Enhancing large language models with long-term memory , author=. Proceedings of the AAAI conference on artificial intelligence , volume=