{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2025:A5V66ZEG5HOUKSQKTWBYBW4FW4","short_pith_number":"pith:A5V66ZEG","canonical_record":{"source":{"id":"2506.04390","kind":"arxiv","version":2},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2025-06-04T19:15:09Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"85a159c099ac9067c1ef87584039d6e654ae79f5851a3e1104fe76a6386499a3","abstract_canon_sha256":"af4cd6656325970d6df908c1fbf0d37cbb4eda8aa828adf23288c8f234342c9d"},"schema_version":"1.0"},"canonical_sha256":"076bef6486e9dd454a0a9d8380db85b726b5705b10ae2e2678a8a9cafba4156f","source":{"kind":"arxiv","id":"2506.04390","version":2},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2506.04390","created_at":"2026-05-25T02:01:04Z"},{"alias_kind":"arxiv_version","alias_value":"2506.04390v2","created_at":"2026-05-25T02:01:04Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2506.04390","created_at":"2026-05-25T02:01:04Z"},{"alias_kind":"pith_short_12","alias_value":"A5V66ZEG5HOU","created_at":"2026-05-25T02:01:04Z"},{"alias_kind":"pith_short_16","alias_value":"A5V66ZEG5HOUKSQK","created_at":"2026-05-25T02:01:04Z"},{"alias_kind":"pith_short_8","alias_value":"A5V66ZEG","created_at":"2026-05-25T02:01:04Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2025:A5V66ZEG5HOUKSQKTWBYBW4FW4","target":"record","payload":{"canonical_record":{"source":{"id":"2506.04390","kind":"arxiv","version":2},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2025-06-04T19:15:09Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"85a159c099ac9067c1ef87584039d6e654ae79f5851a3e1104fe76a6386499a3","abstract_canon_sha256":"af4cd6656325970d6df908c1fbf0d37cbb4eda8aa828adf23288c8f234342c9d"},"schema_version":"1.0"},"canonical_sha256":"076bef6486e9dd454a0a9d8380db85b726b5705b10ae2e2678a8a9cafba4156f","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-25T02:01:04.712804Z","signature_b64":"FIOvYZzJwtyl8nz9mbOLubIiWuHzJefjYkJxfadvR5DXDo+CAQZXuitsONCImOpRl7CWA8Az1mDI3RMIg77vCA==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"076bef6486e9dd454a0a9d8380db85b726b5705b10ae2e2678a8a9cafba4156f","last_reissued_at":"2026-05-25T02:01:04.711951Z","signature_status":"signed_v1","first_computed_at":"2026-05-25T02:01:04.711951Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2506.04390","source_version":2,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-25T02:01:04Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"vvq5wtdUud06bOSH508mi+w9fule0a39FnfGmc9ISWgmTdrnlwLO8Wawm6PPG1lpihwwhgTsjME4EyLSQM7BCQ==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-28T01:23:42.007898Z"},"content_sha256":"4cf4ae99556fa32df8525df14ddd45859ecd262343ac59eb8b7e71242434f89e","schema_version":"1.0","event_id":"sha256:4cf4ae99556fa32df8525df14ddd45859ecd262343ac59eb8b7e71242434f89e"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2025:A5V66ZEG5HOUKSQKTWBYBW4FW4","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Through the Stealth Lens: Attention-Aware Defenses Against Poisoning in RAG","license":"http://creativecommons.org/licenses/by/4.0/","headline":"","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Ashish Hooda, Krishnamurthy Dj Dvijotham, Nils Palumbo, Sarthak Choudhary, Somesh Jha","submitted_at":"2025-06-04T19:15:09Z","abstract_excerpt":"Retrieval-augmented generation (RAG) systems are vulnerable to attacks that inject poisoned passages into the retrieved context, even at low corruption rates. We show that existing attacks are not designed to be stealthy, allowing reliable detection and mitigation. We formalize a distinguishability-based security game to quantify stealth for such attacks. If a few poisoned passages control the response, they must bias the inference process more than the benign ones, inherently compromising stealth. This motivates analyzing intermediate signals of LLMs, such as attention weights, to approximate"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2506.04390","kind":"arxiv","version":2},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2506.04390/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-25T02:01:04Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"pq0JekOlrMipDBLgeWQDS6DLSGeE+Oe/8HwC04ZWgnJdyss8QeJSOK91FzOnwoipIbfR96vFMUdelNNJhK0tAw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-28T01:23:42.008284Z"},"content_sha256":"3c0ed7e12009b24682d021d242a00f660284f30b668194d30efbbc02adef85ae","schema_version":"1.0","event_id":"sha256:3c0ed7e12009b24682d021d242a00f660284f30b668194d30efbbc02adef85ae"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/A5V66ZEG5HOUKSQKTWBYBW4FW4/bundle.json","state_url":"https://pith.science/pith/A5V66ZEG5HOUKSQKTWBYBW4FW4/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/A5V66ZEG5HOUKSQKTWBYBW4FW4/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-05-28T01:23:42Z","links":{"resolver":"https://pith.science/pith/A5V66ZEG5HOUKSQKTWBYBW4FW4","bundle":"https://pith.science/pith/A5V66ZEG5HOUKSQKTWBYBW4FW4/bundle.json","state":"https://pith.science/pith/A5V66ZEG5HOUKSQKTWBYBW4FW4/state.json","well_known_bundle":"https://pith.science/.well-known/pith/A5V66ZEG5HOUKSQKTWBYBW4FW4/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2025:A5V66ZEG5HOUKSQKTWBYBW4FW4","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"af4cd6656325970d6df908c1fbf0d37cbb4eda8aa828adf23288c8f234342c9d","cross_cats_sorted":["cs.AI"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2025-06-04T19:15:09Z","title_canon_sha256":"85a159c099ac9067c1ef87584039d6e654ae79f5851a3e1104fe76a6386499a3"},"schema_version":"1.0","source":{"id":"2506.04390","kind":"arxiv","version":2}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2506.04390","created_at":"2026-05-25T02:01:04Z"},{"alias_kind":"arxiv_version","alias_value":"2506.04390v2","created_at":"2026-05-25T02:01:04Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2506.04390","created_at":"2026-05-25T02:01:04Z"},{"alias_kind":"pith_short_12","alias_value":"A5V66ZEG5HOU","created_at":"2026-05-25T02:01:04Z"},{"alias_kind":"pith_short_16","alias_value":"A5V66ZEG5HOUKSQK","created_at":"2026-05-25T02:01:04Z"},{"alias_kind":"pith_short_8","alias_value":"A5V66ZEG","created_at":"2026-05-25T02:01:04Z"}],"graph_snapshots":[{"event_id":"sha256:3c0ed7e12009b24682d021d242a00f660284f30b668194d30efbbc02adef85ae","target":"graph","created_at":"2026-05-25T02:01:04Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"integrity":{"available":true,"clean":true,"detectors_run":[],"endpoint":"/pith/2506.04390/integrity.json","findings":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"Retrieval-augmented generation (RAG) systems are vulnerable to attacks that inject poisoned passages into the retrieved context, even at low corruption rates. We show that existing attacks are not designed to be stealthy, allowing reliable detection and mitigation. We formalize a distinguishability-based security game to quantify stealth for such attacks. If a few poisoned passages control the response, they must bias the inference process more than the benign ones, inherently compromising stealth. This motivates analyzing intermediate signals of LLMs, such as attention weights, to approximate","authors_text":"Ashish Hooda, Krishnamurthy Dj Dvijotham, Nils Palumbo, Sarthak Choudhary, Somesh Jha","cross_cats":["cs.AI"],"headline":"","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2025-06-04T19:15:09Z","title":"Through the Stealth Lens: Attention-Aware Defenses Against Poisoning in RAG"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2506.04390","kind":"arxiv","version":2},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:4cf4ae99556fa32df8525df14ddd45859ecd262343ac59eb8b7e71242434f89e","target":"record","created_at":"2026-05-25T02:01:04Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"af4cd6656325970d6df908c1fbf0d37cbb4eda8aa828adf23288c8f234342c9d","cross_cats_sorted":["cs.AI"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2025-06-04T19:15:09Z","title_canon_sha256":"85a159c099ac9067c1ef87584039d6e654ae79f5851a3e1104fe76a6386499a3"},"schema_version":"1.0","source":{"id":"2506.04390","kind":"arxiv","version":2}},"canonical_sha256":"076bef6486e9dd454a0a9d8380db85b726b5705b10ae2e2678a8a9cafba4156f","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"076bef6486e9dd454a0a9d8380db85b726b5705b10ae2e2678a8a9cafba4156f","first_computed_at":"2026-05-25T02:01:04.711951Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-25T02:01:04.711951Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"FIOvYZzJwtyl8nz9mbOLubIiWuHzJefjYkJxfadvR5DXDo+CAQZXuitsONCImOpRl7CWA8Az1mDI3RMIg77vCA==","signature_status":"signed_v1","signed_at":"2026-05-25T02:01:04.712804Z","signed_message":"canonical_sha256_bytes"},"source_id":"2506.04390","source_kind":"arxiv","source_version":2}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:4cf4ae99556fa32df8525df14ddd45859ecd262343ac59eb8b7e71242434f89e","sha256:3c0ed7e12009b24682d021d242a00f660284f30b668194d30efbbc02adef85ae"],"state_sha256":"e8b331aaac3fffd3631f7726ed18ef91eb20ed657b93de52c3c974e7194b404e"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"VQGAjmbbdCA2oiOkwxHM7Hjwd19mnufyGm1Y9hwl6anfHxCIL+ugd2HR+Hugc6DFu3cFKUWFjcl8SFrMkM9aCw==","signed_message":"bundle_sha256_bytes","signed_at":"2026-05-28T01:23:42.010358Z","bundle_sha256":"442906d205c6386a4066a63355da669b6f6e85484ec776a103f7acb31431fd29"}}