Эта статья является препринтом и не была отрецензирована.
О результатах, изложенных в препринтах, не следует сообщать в СМИ как о проверенной информации.
Machine-Speed Cyber and Poisoned Cognition: A Layer- Dependent Game-Theoretic Framework, with Empirical Probes
1. Durmus, E., Lovitt, L., Tamkin, A., Ritchie, S., Clark, J., Ganguli, D. (2024). Measuring the
2. Persuasiveness of Language Models. Anthropic.
3. Sharma, M., Tong, M., Korbak, T., et al. (2023). Towards Understanding Sycophancy in Language Models. arXiv:2310.13548.
4. Perez, E., et al. (2022). Discovering Language Model Behaviors with Model-Written Evaluations. arXiv:2212.09251.
5. Xie, J., Zhang, K., Chen, J., Lou, R., Su, Y. (2024). Adaptive Chameleon or Stubborn Sloth: Revealing the Behavior of LLMs in Knowledge Conflicts. ICLR. arXiv:2305.13300.
6. Xu, R., et al. (2024). Knowledge Conflicts for LLMs: A Survey. EMNLP.
7. Greshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T., Fritz, M. (2023). Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. AISec '23. arXiv:2302.12173.
8. Zou, W., Geng, R., Wang, B., Jia, J. (2025). PoisonedRAG: Knowledge Corruption Attacks to RAG. USENIX Security. arXiv:2402.07867.
9. Gu, J., Jiang, X., et al. (2024). A Survey on LLM-as-a-Judge. arXiv:2411.15594. (See also LLMs Cannot Reliably Judge (Yet?), 2025, arXiv:2506.09443.)
10. Scaling language model size yields diminishing returns for single-message political persuasion (2025), PNAS, doi:10.1073/pnas.2413443122.
11. Shi, F., Chen, X., Misra, K., Scales, N., Dohan, D., Chi, E. H., Schärli, N., Zhou, D. (2023). Large Language Models Can Be Easily Distracted by Irrelevant Context. ICML. arXiv:2302.00093.
12. Chen, Z., Liu, J., Liu, H., Cheng, Q., Zhang, F., Lu, W., Liu, X. (2024). Black-Box Opinion Manipulation Attacks to Retrieval-Augmented Generation. arXiv:2407.13757 (extended as FlippedRAG, CCS 2025).
13. Gong, Y., Chen, Z., Liu, J., Chen, M., Yu, F., Lu, W., Wang, X., Liu, X. (2025). Topic-FlipRAG: Topic-Orientated Adversarial Opinion Manipulation Attacks to RAG Models. USENIX Security. arXiv:2502.01386.
14. Raina, V., Liusie, A., Gales, M. (2024). Is LLM-as-a-Judge Robust? Universal Adversarial Attacks on Zero-shot LLM Assessment. EMNLP. arXiv:2402.14016.
15. Sun, X., Kong, L., Zhang, A., Zeng, L., Wang, T. (2026). How LLMs Are Persuaded: A Few Attention Heads, Rerouted. arXiv:2605.09314.
16. Zhou, H., Zou, X., Wu, J., et al. (2026). MedMisBench: Measuring Epistemic Resilience of LLMs Under Misleading Medical Context. arXiv:2606.12291.
17. Gordeychik, S. (2025). Prediction Meets Patch Queues: Empirical Limits of EPSS-Only Prioritization Using CISA KEV Additions in 2025. TechRxiv (preprint), December 2025. https://doi.org/10.36227/techrxiv.176857939.95987957/v1
18. Gordeychik, S. (2026). UPS Meets Patch Queues: Evidence-Timeline Prioritization under Limited Capacity, Cadence, and Compliance Gravity. SSRN Working Paper No. 6286359 (posted 14 Apr 2026; written 31 Jan 2026). Data and code: github.com/scadastrangelove/kev_vs_epss .
19. Hubinger, E., Denison, C., Mu, J., et al. (2024). Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training. Anthropic. arXiv:2401.05566.
20. Zhang, Y., Rando, J., Evtimov, I., Chi, J., Smith, E. M., Carlini, N., Tramèr, F., Ippolito, D. (2024). Persistent Pre-Training Poisoning of LLMs. ICLR 2025. arXiv:2410.13722.
21. Pulipaka, S., Hlebik, S., Raghav, L., Abdelnabi, S., Raina, V., Sheth, I., Fritz, M. (2026). Hidden in Memory: Sleeper Memory Poisoning in LLM Agents. arXiv:2605.15338.
22. Kamenica, E., Gentzkow, M. (2011). Bayesian Persuasion. American Economic Review 101(6):2590–2615. doi:10.1257/aer.101.6.2590.
23. Rid, T., Buchanan, B. (2015). Attributing Cyber Attacks. Journal of Strategic Studies 38(1–2):4– 37. doi:10.1080/01402390.2014.977382.
24. Borghard, E. D., Lonergan, S. W. (2023). Deterrence by Denial in Cyberspace. Journal of Strategic Studies 46(3):534–569. doi:10.1080/01402390.2021.1944856.
25. Jacobs, J., Romanosky, S., Edwards, B., Roytman, M., Adjerid, I. (2021). Exploit Prediction Scoring System (EPSS). Digital Threats: Research and Practice 2(3):20. doi:10.1145/3436242. arXiv:1908.04856.
26. Big Sleep team, Google Project Zero & DeepMind (2024). From Naptime to Big Sleep: Using LLMs to Catch Vulnerabilities in Real-World Code. Google Project Zero blog.
27. DARPA (2025). AI Cyber Challenge (AIxCC). Final competition, DEF CON 33.
28. Wang, K., Li, J., Yang, S., Zhang, Z., Wang, D. (2025). When Truth Is Overridden: Uncovering the Internal Origins of Sycophancy in Large Language Models. AAAI 2026. arXiv:2508.02087.
29. Fanous, A., Goldberg, J., Agarwal, A. A., Lin, J., Zhou, A., Daneshjou, R., Koyejo, S. (2025). SycEval: Evaluating LLM Sycophancy. AIES 2025. arXiv:2502.08177.
30. Hong, J., Byun, G., Kim, S., Shu, K., Choi, J. D. (2025). Measuring Sycophancy of Language Models in Multi-turn Dialogues. Findings of EMNLP 2025. arXiv:2505.23840.
31. Salvi, F., Horta Ribeiro, M., Gallotti, R., West, R. (2024). On the Conversational Persuasiveness of Large Language Models: A Randomized Controlled Trial. arXiv:2403.14380 (Nature Human Behaviour 2025, doi:10.1038/s41562-025-02194-6).
32. Costello, T. H., Pennycook, G., Rand, D. G. (2024). Durably Reducing Conspiracy Beliefs through Dialogues with AI. Science 385(6714):eadq1814. doi:10.1126/science.adq1814.
33. Motwani, S. R., Baranchuk, M., Strohmeier, M., Bolina, V., Torr, P. H. S., Hammond, L., Schroeder de Witt, C. (2024). Secret Collusion among AI Agents: Multi-Agent Deception via Steganography. NeurIPS 2024. arXiv:2402.07510.
34. Debenedetti, E., Zhang, J., Balunović, M., Beurer-Kellner, L., Fischer, M., Tramèr, F. (2024).
35. AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents. NeurIPS 2024 (Datasets & Benchmarks). arXiv:2406.13352.
36. Tramèr, F., Papernot, N., Goodfellow, I., Boneh, D., McDaniel, P. (2017). The Space of Transferable Adversarial Examples. arXiv:1704.03453.
37. Demontis, A., Melis, M., Pintor, M., Jagielski, M., Biggio, B., Oprea, A., Nita-Rotaru, C., Roli, F. (2019). Why Do Adversarial Attacks Transfer? Explaining Transferability of Evasion and Poisoning Attacks. USENIX Security. arXiv:1809.02861.
38. Ilyas, A., Santurkar, S., Tsipras, D., Engstrom, L., Tran, B., Madry, A. (2019). Adversarial Examples Are Not Bugs, They Are Features. NeurIPS. arXiv:1905.02175.
39. Falliere, N., Ó Murchú, L., Chien, E. (2011). W32.Stuxnet Dossier (v1.4). Symantec Security Response.
40. Kaspersky Lab GReAT (2012). Gauss: Abnormal Distribution. Securelist.
41. Pinsker, M. S. (1964). Information and Information Stability of Random Variables and Processes. Holden-Day.
42. Cover, T. M., Thomas, J. A. (2006). Elements of Information Theory (2nd ed.). Wiley.
43. Wald, A. (1947). Sequential Analysis. Wiley.
44. Wald, A., Wolfowitz, J. (1948). Optimum Character of the Sequential Probability Ratio Test. Annals of Mathematical Statistics 19(3):326–339. doi:10.1214/aoms/1177730197.
45. Chaudhry, M. L., Templeton, J. G. C. (1983). A First Course in Bulk Queues. Wiley.
46. Gross, D., Shortle, J. F., Thompson, J. M., Harris, C. M. (2008). Fundamentals of Queueing Theory (4th ed.). Wiley.
47. Jervis, R. (1978). Cooperation under the Security Dilemma. World Politics 30(2):167–214. doi:10.2307/2009958.
48. Buchanan, B. (2017). The Cybersecurity Dilemma: Hacking, Trust and Fear Between Nations. Oxford University Press (New York). doi:10.1093/acprof:oso/9780190665012.001.0001. (Stand- alone monograph, distinct from Rid & Buchanan 2015 above.)
49. Halpern, J. Y., Rêgo, L. C. (2014). Extensive Games with Possibly Unaware Players. Mathematical Social Sciences 70:42–58. doi:10.1016/j.mathsocsci.2012.11.002. (Games with un- awareness; cf. Heifetz–Meier–Schipper 2006/2013.)
50. Townsend, R. M. (1979). Optimal Contracts and Competitive Markets with Costly State Verification. Journal of Economic Theory 21(2):265–293. doi:10.1016/0022-0531(79)90031-0. (Audit / costly assurance; cf. Gale–Hellwig 1985.)
51. Cybersecurity and Infrastructure Security Agency (CISA). Known Exploited Vulnerabilities Catalog. U.S. Department of Homeland Security. https://www.cisa.gov/known-exploited-vulner- abilities-catalog (accessed 2026-07-03).
52. Cybersecurity and Infrastructure Security Agency (CISA) (2021). Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. Issued 2021-11-03; re- voked and superseded by BOD 26-04 on 2026-06-10 (cited as directive-as-issued). https://www.- cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnera- bilities-revoked
53. Nelson, A., Rekhi, S., Souppaya, M., Scarfone, K. (2025). Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile. NIST Special Publication 800-61r3. doi:10.6028/NIST.SP.800-61r3. — supersedes the classic Cichonski, P., Millar, T., Grance, T., Scarfone, K. (2012). Computer Security Incident Handling Guide. NIST SP 800-61r2. doi:10.6028/NIST.SP.800-61r2 (withdrawn 2025-04-03).
54. Verizon (2026). 2026 Data Breach Investigations Report (DBIR) (19th annual ed.). Verizon Business. https://www.verizon.com/business/resources/reports/dbir/
55. Mandiant (Google Cloud) (2026). M-Trends 2026: Data, Insights, and Strategies From the Frontlines. https://cloud.google.com/security/resources/m-trends