Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in [1].
Adversarial Search Engine Optimization for Large Language Models
Authors: Fredrik Nestaas, Edoardo Debenedetti, Florian Tramer
ICLR 2025
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We demonstrate our attacks on production LLM search engines (Bing and Perplexity) and plugin APIs (for GPT-4 and Claude). |
| Researcher Affiliation | Academia | Fredrik Nestaas, Edoardo Debenedetti, Florian Tramèr ETH Zurich EMAIL |
| Pseudocode | No | The paper describes methods and examples of injections but does not present them in a structured pseudocode or algorithm block. |
| Open Source Code | No | Our experiments can likely not be exactly replicated for a number of reasons. First, the LLM search engines and plugin augmented LLMs we use are black boxes, and changes made to the models or other aspects of the system (such as the system prompt) could affect the results. |
| Open Datasets | No | For experiments with search engines, we populate 50 dummy web pages on the domain spylab.ai (blinded for review) with various products (fictitious cameras, books, news), some of which perform Preference Manipulation Attacks through prompt injections. |
| Dataset Splits | No | For experiments with search engines, we populate 50 dummy web pages on the domain spylab.ai (blinded for review) with various products (fictitious cameras, books, news), some of which perform Preference Manipulation Attacks through prompt injections. |
| Hardware Specification | No | All experiments were performed on a regular laptop as they do not require particularly powerful resources. |
| Software Dependencies | No | We use real production LLM search engines Bing Copilot and Perplexity and plugin-enhanced LLMs (Anthropic's Claude 3, and OpenAI's GPT-4). |
| Experiment Setup | No | We use real production LLM search engines Bing Copilot and Perplexity and plugin-enhanced LLMs (Anthropic's Claude 3, and OpenAI's GPT-4). For experiments with search engines, we populate 50 dummy web pages on the domain spylab.ai (blinded for review) with various products (fictitious cameras, books, news), some of which perform Preference Manipulation Attacks through prompt injections. |