Ioannis Stylianou, Panagiotis Bountakas, Apostolis Zarras, Aristeidis Farao, Vaios Bolgouras, Christos Xenakis (University of Piraeus) — Computer Science Review, 2026. DOI: 10.1016/j.cosrev.2026.101013. Venue was flagged ⚠ in early triage (Scholar masthead confusion / ResearchGate deposit); the Elsevier CSR record now lists the full six-author team and abstract. Full PDF behind publisher access — this note is grounded on the official abstract + author metadata, not a line-by-line PDF read.
Core Contribution
A Systematization of Knowledge (SoK): the claim is that LLM security guidance is fragmented and phase-specific (papers that only see jailbreaks, or only training-time poisoning, or only prompt injection). This paper offers a unified, lifecycle-centric taxonomy of 20 attack classes spanning training, inference, and system integration, plus a dependency-aware threat schema (attacks aren’t independent — causal and associative links matter), grounded with real-world case studies and visual mappings. From that schema they derive a defense-in-depth agenda: coverage-oriented risk assessment, mitigation prioritization, security-posture measurement, and open problems in adversarial ML / secure systems engineering.
Method
SoK methodology is literature synthesis + taxonomy engineering, not a model experiment.
Corpus / “dataset” (what was systematized)
Not a benchmark. The empirical object is the published attack-and-defense literature (academic + industry) on LLM threats. Exact inclusion criteria, search strings, years covered, and PRISMA-style counts are PDF-only (not in the abstract). What the abstract commits to:
- Synthesis across academic and industry sources (not academia-only).
- Grounding via real-world case studies (incidents / deployed failures), not only paper-theoretical attacks.
- Visual mappings of the taxonomy and dependencies.
Treat “20 attack classes” as the structured output of that synthesis.
Taxonomy construction (granular, as stated)
Lifecycle axis. Situate each threat in one or more of:
- Training (data poisoning, backdoors, compromised fine-tunes, …)
- Inference (jailbreaks, prompt injection, adversarial suffixes, side-channels on outputs, …)
- System integration (tool use, RAG corpus trust, plugin/supply-chain, deployment misconfig, …)
Dependency-aware schema. Beyond a flat list: encode causal links (attack A enables attack B) and associative links (attacks that co-occur or share preconditions). This is the methodological difference from “glossary of attack names” surveys.
Case-study grounding. Map abstract classes onto documented real-world incidents to keep the taxonomy operational for risk assessment.
Defense-in-depth layer. Using the schema, prescribe how defenders should:
- assess coverage (which classes are tested vs assumed away),
- prioritize mitigations given dependencies (fixing root causes before leaf symptoms),
- measure security posture (not just “we ran one jailbreak suite”),
- track open research gaps.
What this is not
- Not a new red-teaming algorithm.
- Not a scored leaderboard of models.
- Not (from the abstract) a deep dive into refusal-circuit geometry, quantization triggers, or labor-attribution measurement — breadth-first by design.
Limitations
- SoK breadth → shallow on any single mechanism (compression×safety, multilingual ASR, etc.).
- Publisher PDF still needed for the actual 20-class table, dependency graphs, and whether quantization / supply-chain GGUF attacks appear as first-class nodes or footnotes.
- Taxonomies age fast; agentic tool-use threats in particular are moving weekly (see the Week 2 preprint watchlist).
Relevance to My Niche
Related-work scaffolding once the DOI/venue line is stable — which it now is on Elsevier. Use it to place MultiJail, Egashira, P³A, etc. inside a shared attack-class map when writing the survey’s framing section, not as an empirical anchor for Direction 1–3. If the PDF’s 20 classes omit “quantization as trigger” or bury it under supply-chain, that’s itself a finding about what the SoK literature still under-weights.