{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2023:54VLLDE6PRT6UCVFWYPUDRIZID","short_pith_number":"pith:54VLLDE6","schema_version":"1.0","canonical_sha256":"ef2ab58c9e7c67ea0aa5b61f41c51940e5d64ab5315268a3e2044726a031ddb8","source":{"kind":"arxiv","id":"2307.16888","version":3},"attestation_state":"computed","paper":{"title":"Backdooring Instruction-Tuned Large Language Models with Virtual Prompt Injection","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.CR","cs.LG"],"primary_cat":"cs.CL","authors_text":"Hai Wang, Hongxia Jin, Jun Yan, Lichang Chen, Shiyang Li, Vijay Srinivasan, Vikas Yadav, Xiang Ren, Zheng Tang","submitted_at":"2023-07-31T17:56:00Z","abstract_excerpt":"Instruction-tuned Large Language Models (LLMs) have become a ubiquitous platform for open-ended applications due to their ability to modulate responses based on human instructions. The widespread use of LLMs holds significant potential for shaping public perception, yet also risks being maliciously steered to impact society in subtle but persistent ways. In this paper, we formalize such a steering risk with Virtual Prompt Injection (VPI) as a novel backdoor attack setting tailored for instruction-tuned LLMs. In a VPI attack, the backdoored model is expected to respond as if an attacker-specifi"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":false,"formal_links_present":false},"canonical_record":{"source":{"id":"2307.16888","kind":"arxiv","version":3},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CL","submitted_at":"2023-07-31T17:56:00Z","cross_cats_sorted":["cs.CR","cs.LG"],"title_canon_sha256":"e9c6d62c5bd2488b0cec5ca2b1f6f08e4403b5353a707f370d2271d274b63d7f","abstract_canon_sha256":"ffbe5baeabedb58650518d01726ee50a8b6c803dab403093e864812970d343db"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-07-05T08:03:43.075421Z","signature_b64":"rMsoSPf9xB0Z41ZtR2N8Tm9eAR3NxTBEuo8465UTkUaFsElCEvMYoNtQPHjsRrDqWECSyyTj/pWo70CFDP6aBA==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"ef2ab58c9e7c67ea0aa5b61f41c51940e5d64ab5315268a3e2044726a031ddb8","last_reissued_at":"2026-07-05T08:03:43.074913Z","signature_status":"signed_v1","first_computed_at":"2026-07-05T08:03:43.074913Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Backdooring Instruction-Tuned Large Language Models with Virtual Prompt Injection","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.CR","cs.LG"],"primary_cat":"cs.CL","authors_text":"Hai Wang, Hongxia Jin, Jun Yan, Lichang Chen, Shiyang Li, Vijay Srinivasan, Vikas Yadav, Xiang Ren, Zheng Tang","submitted_at":"2023-07-31T17:56:00Z","abstract_excerpt":"Instruction-tuned Large Language Models (LLMs) have become a ubiquitous platform for open-ended applications due to their ability to modulate responses based on human instructions. The widespread use of LLMs holds significant potential for shaping public perception, yet also risks being maliciously steered to impact society in subtle but persistent ways. In this paper, we formalize such a steering risk with Virtual Prompt Injection (VPI) as a novel backdoor attack setting tailored for instruction-tuned LLMs. In a VPI attack, the backdoored model is expected to respond as if an attacker-specifi"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2307.16888","kind":"arxiv","version":3},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2307.16888/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2307.16888","created_at":"2026-07-05T08:03:43.074985+00:00"},{"alias_kind":"arxiv_version","alias_value":"2307.16888v3","created_at":"2026-07-05T08:03:43.074985+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2307.16888","created_at":"2026-07-05T08:03:43.074985+00:00"},{"alias_kind":"pith_short_12","alias_value":"54VLLDE6PRT6","created_at":"2026-07-05T08:03:43.074985+00:00"},{"alias_kind":"pith_short_16","alias_value":"54VLLDE6PRT6UCVF","created_at":"2026-07-05T08:03:43.074985+00:00"},{"alias_kind":"pith_short_8","alias_value":"54VLLDE6","created_at":"2026-07-05T08:03:43.074985+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":3,"internal_anchor_count":0,"sample":[{"citing_arxiv_id":"2510.16558","citing_title":"A First Look at the Security Issues in the Model Context Protocol Ecosystem","ref_index":52,"is_internal_anchor":false},{"citing_arxiv_id":"2510.23883","citing_title":"Agentic AI Security: Threats, Defenses, Evaluation, and Open Challenges","ref_index":129,"is_internal_anchor":false},{"citing_arxiv_id":"2604.01473","citing_title":"SelfGrader: LLM Jailbreak Detection via Anchored Token-Level Logits","ref_index":23,"is_internal_anchor":false}]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/54VLLDE6PRT6UCVFWYPUDRIZID","json":"https://pith.science/pith/54VLLDE6PRT6UCVFWYPUDRIZID.json","graph_json":"https://pith.science/api/pith-number/54VLLDE6PRT6UCVFWYPUDRIZID/graph.json","events_json":"https://pith.science/api/pith-number/54VLLDE6PRT6UCVFWYPUDRIZID/events.json","paper":"https://pith.science/paper/54VLLDE6"},"agent_actions":{"view_html":"https://pith.science/pith/54VLLDE6PRT6UCVFWYPUDRIZID","download_json":"https://pith.science/pith/54VLLDE6PRT6UCVFWYPUDRIZID.json","view_paper":"https://pith.science/paper/54VLLDE6","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2307.16888&json=true","fetch_graph":"https://pith.science/api/pith-number/54VLLDE6PRT6UCVFWYPUDRIZID/graph.json","fetch_events":"https://pith.science/api/pith-number/54VLLDE6PRT6UCVFWYPUDRIZID/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/54VLLDE6PRT6UCVFWYPUDRIZID/action/timestamp_anchor","attest_storage":"https://pith.science/pith/54VLLDE6PRT6UCVFWYPUDRIZID/action/storage_attestation","attest_author":"https://pith.science/pith/54VLLDE6PRT6UCVFWYPUDRIZID/action/author_attestation","sign_citation":"https://pith.science/pith/54VLLDE6PRT6UCVFWYPUDRIZID/action/citation_signature","submit_replication":"https://pith.science/pith/54VLLDE6PRT6UCVFWYPUDRIZID/action/replication_record"}},"created_at":"2026-07-05T08:03:43.074985+00:00","updated_at":"2026-07-05T08:03:43.074985+00:00"}