@inproceedings{li-etal-2025-transferable,
    title = "Transferable Direct Prompt Injection via Activation-Guided {MCMC} Sampling",
    author = "Li, Minghui  and
      Zhang, Hao  and
      Zhang, Yechao  and
      Wan, Wei  and
      Hu, Shengshan  and
      Xiaobing, Pei  and
      Wang, Jing",
    editor = "Christodoulopoulos, Christos  and
      Chakraborty, Tanmoy  and
      Rose, Carolyn  and
      Peng, Violet",
    booktitle = "Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing",
    month = nov,
    year = "2025",
    address = "Suzhou, China",
    publisher = "Association for Computational Linguistics",
    url = "https://preview.aclanthology.org/ingest-emnlp/2025.emnlp-main.102/",
    pages = "1966--1978",
    ISBN = "979-8-89176-332-6",
    abstract = "Direct Prompt Injection (DPI) attacks pose a critical security threat to Large Language Models (LLMs) due to their low barrier of execution and high potential damage. To address the impracticality of existing white-box/gray-box methods and the poor transferability of black-box methods, we propose an activations-guided prompt injection attack framework. We first construct an Energy-based Model (EBM) using activations from a surrogate model to evaluate the quality of adversarial prompts. Guided by the trained EBM, we employ the token-level Markov Chain Monte Carlo (MCMC) sampling to adaptively optimize adversarial prompts, thereby enabling gradient-free black-box attacks. Experimental results demonstrate our superior cross-model transferability, achieving 49.6{\%} attack success rate (ASR) across five mainstream LLMs and 34.6{\%} improvement over human-crafted prompts, and maintaining 36.6{\%} ASR on unseen task scenarios. Interpretability analysis reveals a correlation between activations and attack effectiveness, highlighting the critical role of semantic patterns in transferable vulnerability exploitation."
}