AdverShield-LLM: Adversarial Robustness Certification for IoT-Integrated Retrieval-Augmented Generation via Randomized Smoothing

Authors

  • Yasser Samir Hadi Middle Technical University

DOI:

https://doi.org/10.47134/jtsi.v3i2.6047

Keywords:

Adversarial Robustness Certification, Iot Security, Retrieval-Augmented Generation, Randomized Smoothing, Large Language Models, Knowledge Poisoning, Prompt Injection Defense

Abstract

The emergence of the Internet of Things (IoT) ecosystems, Retrieval-Augmented Generation (RAG) systems have become commonplace and provide a means for embedding dynamically retrieved external knowledge in the response from a Large Language Model (LLM). While potentially helpful, IoT-enabled RAG pipelines present significant adversarial threats such as poisoning passages into the IoT knowledge base, altering dense retrieval embeddings, and conducting indirect prompt injection attacks via the inputs through the IoT sensors, all of which can impact the fidelity of generated responses and compromise the trustworthiness of the system. Current defenses are based mostly on heuristic filtering or empirical adversarial training, and are not known to be robustly certified or are fragile under adaptive adversaries. In response to these challenges, this article introduces a new certified defense framework named AdverShield-LLM to combine the randomized smoothing technique with a multi-granular noise injection mechanism well-suited to the distributed and low latency requirements of RAG systems in the IoT domain. AdverShield-LLM consists of three synergistic modules: (i) Passage-Level Smoothed Aggregation (PLSA) module which certifies the robustness of RAG retrieval against bounded corpus poisoning under an isolate-then-smooth paradigm, (ii) Token-Adaptive Gaussian Defense (TAGD) layer that certifies LLM generation against indirect prompt injection by propagating l_2-norm perturbation bounds through the transformer attention stack, and (iii) IoT-Aware Certified Radius Scheduler (IACRS) that dynamically schedules noise budgets among constrained edge nodes while preserving the certified radius. AdverShield-LLM is evaluated on three IoT security benchmarks—MS-RAG-IoT, NQ-Adversarial and IoTQA-Poison—with extensive experiments showing its certified accuracy is 81.4% under l_2 perturbation radius σ=0.50 compared to the strongest baseline RobustRAG which reported +9.3% accuracy, and reduced the attack success rate from 74.2% to 8.6% against PoisonedRAG. Moreover, AdverShield-LLM ensures the accuracy of clean answers within 2.1% of the undefended RAG accuracy, proving that certified robustness does not compromise the utility of RAGs in resource-limited IoT environments.

References

AboulEla, S. G., & Kashef, R. F. (2025). Leveraging large language models, graph neural networks, and explainable AI for revolutionizing the next-generation network intrusion detection systems. Journal of Intelligent Information Systems, 63(5), 1807–1835. https://link.springer.com/article/10.1007/s10844-025-00964-2

Afiffy, M., Fakhr, M. W., & Maghraby, F. A. (2026). Enhancing adversarial resilience in semantic caching for secure retrieval augmented generation systems. Scientific Reports, 16, Article 5936. https://doi.org/10.1038/s41598-026-36721-w

Aljanabi, M. H., Noori, A. S., & Al-Khazraji, A. A. (2025). Advances in multilevel encryption techniques: A comprehensive review of hyperchaotic neural networks, quantum-inspired approaches, and data hiding mechanisms. VFAST Transactions on Software Engineering, 13(3), 228–257.

Al-Khazraji, A. A., Ali, A. M., Abdulridha, T. T., Rijab, M., & Al-Janabi, M. H. (2025). Secure quantum key distribution over VLC networks for next-generation smart cities. International Journal of Networked and Distributed Computing, 13(2), 33.

Chang, Y., Wang, X., Wang, J., Wu, Y., Yang, L., Zhu, K., & Chen, H., et al. (2024). A survey on evaluation of large language models.ACM Transactions on Intelligent Systems and Technology, 15(3), 1–45. https://dl.acm.org/doi/full/10.1145/3641289

Cohen, J., Rosenfeld, E., & Kolter, Z. (2019). Certified adversarial robustness via randomized smoothing. In Proceedings of the 36th International Conference on Machine Learning (ICML) (pp. 1310–1320). PMLR. https://proceedings.mlr.press/v97/cohen19c.html

Dai, E., Zhao, T., Zhu, H., Xu, J., Guo, Z., Liu, H., Tang, J., & Wang, S. (2024). A comprehensive survey on trustworthy graph neural networks: Privacy, robustness, fairness, and explainability. Machine Intelligence Research, 21(6), 1011–1061. https://link.springer.com/article/10.1007/s11633-024-1510-8

Das, B. C., Amini, M. H., & Wu, Y. (2025). Security and privacy challenges of large language models: A survey. ACM Computing Surveys, 57(6), Article 152, 1–39. https://dl.acm.org/doi/full/10.1145/3712001

Deng, J., Hong, H., Palmer, A., Zhou, X., Bi, J., Mahmood, K., Hong, Y., & Aguiar, D. (2025). Certifying adapters: Enabling and enhancing the certification of classifier adversarial robustness. In Proceedings of the 2025 International Joint Conference on Neural Networks (IJCNN) (pp. 1–8). IEEE. https://ieeexplore.ieee.org/abstract/document/11228719

Dong, Y., Mu, R., Zhang, Y., Sun, S., Zhang, T., Wu, C., Jin, G., Qi, Y., Hu, J., Meng, J., Bensalem, S., & Huang, X. (2025). Safeguarding large language models: A survey. Artificial Intelligence Review, 58(12), Article 382. https://link.springer.com/article/10.1007/s10462-025-11389-2

Ferrag, M. A., Alwahedi, F., Battah, A., Cherif, B., Mechri, A., Tihanyi, N., Bisztray, T., & Debbah, M. (2025). Generative AI in cybersecurity: A comprehensive review of LLM applications and vulnerabilities. Internet of Things and Cyber-Physical Systems, 5, 1–46. https://doi.org/10.1016/j.iotcps.2025.01.001

Gokcimen, T., & Das, B. (2025). A novel system for strengthening security in large language models against hallucination and injection attacks with effective strategies. Alexandria Engineering Journal, 123, 71–90. https://doi.org/10.1016/j.aej.2025.03.030.

Guo, Q., Pang, S., Jia, X., Liu, Y., & Guo, Q. (2024). Efficient generation of targeted and transferable adversarial examples for vision-language models via diffusion models. IEEE Transactions on Information Forensics and Security, 20, 1333–1348. https://ieeexplore.ieee.org/abstract/document/10812818

Huang, M., Shi, X., Yin, X., Han, D., Yang, J., & Wang, Z. (2025). Dimensional robustness certification for deep neural networks in network intrusion detection systems. ACM Transactions on Privacy and Security, 28(3), 1–35. https://dl.acm.org/doi/10.1145/3715121

Issa, W., Moustafa, N., Turnbull, B., Sohrabi, N., & Tari, Z. (2023). Blockchain-based federated learning for securing internet of things: A comprehensive survey. ACM Computing Surveys, 55(9), 1–43. https://dl.acm.org/doi/full/10.1145/3560816

Jaffal, N. O., Alkhanafseh, M., & Mohaisen, D. (2025). Large language models in cybersecurity: A survey of applications, vulnerabilities, and defense techniques. AI, 6(9), Article 216. https://doi.org/10.3390/ai6090216

Jia, X., Chen, Y., Mao, X., Duan, R., Gu, J., Zhang, R., Xue, H., Liu, Y., & Cao, X. (2024). Revisiting and exploring efficient fast adversarial training via LAW: Lipschitz regularization and auto weight averaging. IEEE Transactions on Information Forensics and Security, 19, 8125–8139. https://ieeexplore.ieee.org/abstract/document/10574880

Joshi, A. & Baidya, S. (2026). Securing the cognitive layer: A survey on security threats, defenses, and privacy-preserving architectures for LLM-IoT integration. Journal of Cybersecurity and Privacy, 6(2), Article 63. https://doi.org/10.3390/jcp6020063

Karpukhin, V., Oguz, B., Min, S., Lewis, P., Wu, L., Edunov, S., Chen, D., & Yih, W. (2020). Dense passage retrieval for open-domain question answering. In Proceedings of the Conference on Empirical Methods in Natural Language Processing (EMNLP) (pp. 6769–6781). ACL. https://aclanthology.org/2020.emnlp-main.550/

Kumar, M., Samriya, J. K., Walia, G. K., Verma, P., Wu, H., & Gill, S. S. (2025). Blockchain empowered secure federated learning for consumer IoT applications in cloud-edge collaborative environment. IEEE Transactions on Consumer Electronics, 71(2), 3986–3996. https://ieeexplore.ieee.org/abstract/document/10849591

Lewis, P., Perez, E., Piktus, A., Petroni, F., Karpukhin, V., Goyal, N., Küttler, H., Lewis, M., Yih, W.-T., Rocktäschel, T., Riedel, S., & Kiela, D. (2020). Retrieval-augmented generation for knowledge-intensive NLP tasks. In Advances in Neural Information Processing Systems (NeurIPS) (Vol. 33, pp. 9459–9474). https://proceedings.neurips.cc/paper/2020/hash/6b493230205f780e1bc26945df7481e5-Abstract.html

Li, Y., Eustratiadis, P., Fan, Y., & Kanoulas, E. (2026). On the Robustness of LLM-Based Dense Retrievers: A Systematic Analysis of Generalizability and Stability https://doi.org/10.48550/arXiv.2604.16576.

Li, Y., Eustratiadis, P., Lupart, S., & Kanoulas, E. (2025). Unsupervised corpus poisoning attacks in continuous space for dense retrieval. In Proceedings of the 48th International ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR '25) (pp. 2452–2462). ACM. https://dl.acm.org/doi/abs/10.1145/3726302.3730110

Liu, Y.-A., Zhang, R., Guo, J., de Rijke, M., Chen, W., Fan, Y., & Cheng, X. (2023). Black-box adversarial attacks against dense retrieval models: A multi-view contrastive learning method. In Proceedings of the 32nd ACM International Conference on Information and Knowledge Management (CIKM '23) (pp. 1647–1656). ACM. https://dl.acm.org/doi/abs/10.1145/3583780.3614793

Lu, Y., Huang, X., Dai, Y., Maharjan, S., & Zhang, Y. (2020). Blockchain and federated learning for privacy-preserved data sharing in industrial IoT. IEEE Transactions on Industrial Informatics, 16(6), 4177–4186. https://ieeexplore.ieee.org/abstract/document/8843900

Muliarevych, O. (2024). Enhancing system security: LLM-driven defense against prompt injection vulnerabilities. In Proceedings of the IEEE 17th International Conference on Advanced Trends in Radioelectronics, Telecommunications and Computer Engineering (TCSET) (pp. 420–423). IEEE. https://ieeexplore.ieee.org/abstract/document/10755823

Padmavathi, V., & Saminathan, R. (2025). A federated edge intelligence framework with trust based access control for secure and privacy preserving IoT systems. Scientific Reports, 15(1), Article 35832. https://www.nature.com/articles/s41598-025-19712-1

Peng, K., Xiao, P., Wang, S., & Leung, V. C. M. (2024). SCOF: Security-aware computation offloading using federated reinforcement learning in industrial internet of things with edge computing. IEEE Transactions on Services Computing, 17(4), 1780–1792. https://ieeexplore.ieee.org/abstract/document/10473157

Salim, S., Moustafa, N., & Almorjan, A. (2025). Responsible deep-federated-learning-based threat detection for satellite communications. IEEE Internet of Things Journal, 12(5), 4807–4819. https://ieeexplore.ieee.org/abstract/document/10847856

Sattarpour, S., Barati, A., & Barati, H. (2025). EBIDS: Efficient BERT-based intrusion detection system in the network and application layers of IoT. Cluster Computing, 28(2), Article 138. https://link.springer.com/article/10.1007/s10586-024-04775-y

Sharaf, S. A., & Nooh, S. (2025). Identifying significant features in adversarial attack detection framework using federated learning empowered medical IoT network security. Scientific Reports, 15(1), Article 31485. https://www.nature.com/articles/s41598-025-14913-0

Shi, J., Yuan, Z., Liu, Y., Huang, Y., Zhou, P., Sun, L., & Gong, N. Z. (2024a). Optimization-based prompt injection attack to LLM-as-a-judge. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS) (pp. 660–674). ACM. https://dl.acm.org/doi/abs/10.1145/3658644.3690291

Shi, Y., Wei, K., Shen, L., Li, J., Wang, X., Yuan, B., & Guo, S. (2024b). Efficient federated learning with enhanced privacy via lottery ticket pruning in edge computing. IEEE Transactions on Mobile Computing, 23(10), 9946–9958. https://ieeexplore.ieee.org/abstract/document/10452820

Tang, Q., Qian, J., Du, X., Wang, S., & Liu, H. (2026). Advancing adversarial and LLM robustness in trustworthy AI: A comprehensive survey. Artificial Intelligence Review. https://link.springer.com/article/10.1007/s10462-026-11558-x

Tao, Y., Shen, Y., Zhang, H., Shen, Y., Wang, L., Shi, C., & Du, S. (2024). Robustness of large language models against adversarial attacks. In Proceedings of the 4th International Conference on Artificial Intelligence, Robotics, and Communication (ICAIRC) (pp. 182–185). IEEE. https://ieeexplore.ieee.org/abstract/document/10900215

Wang, C., Li, H., Song, W., & Lin, Y. (2025b). Retrieval-augmented generation: A survey of security challenges and countermeasures. In Proceedings of the 11th IEEE International Conference on Privacy Computing and Data Security (PCDS) (pp. 210–217). IEEE. https://ieeexplore.ieee.org/abstract/document/11172756

Wang, S., Zhu, T., Liu, B., Ding, M., Ye, D., Zhou, W., & Yu, P. (2025a). Unique security and privacy threats of large language models: A comprehensive survey. ACM Computing Surveys, 58(4), Article 83, 1–36. https://dl.acm.org/doi/full/10.1145/3764113

Wu, Q., He, K., & Chen, X. (2020). Personalized federated learning for intelligent IoT applications: A cloud-edge based framework. IEEE Open Journal of the Computer Society, 1, 35–44. https://ieeexplore.ieee.org/abstract/document/9090366

Xiang, Z., Miller, D. J., & Kesidis, G. (2022). Detection of backdoors in trained classifiers without access to the training set. IEEE Transactions on Neural Networks and Learning Systems, 33(3), 1177–1191. https://ieeexplore.ieee.org/abstract/document/9296553

Yin, X., Ni, C., & Wang, S. (2024). Multitask-based evaluation of open-source LLM on software vulnerability. IEEE Transactions on Software Engineering, 50(11), 3071–3087. https://ieeexplore.ieee.org/abstract/document/10706805

Zhang, B., Xin, H., Fang, M., Liu, Z., Yi, B., Li, T., & Liu, Z. (2025). Traceback of poisoning attacks to retrieval-augmented generation. In Proceedings of the ACM Web Conference 2025 (WWW '25) (pp. 2085–2097). ACM. https://doi.org/10.1145/3696410.3714756 https://doi.org/10.1145/3696410.3714756

Zhang, H., Shao, W., Liu, H., Ma, Y., Luo, P., Qiao, Y., Zheng, N., & Zhang, K. (2024). B-AVIBench: Toward evaluating the robustness of large vision-language model on black-box adversarial visual-instructions. IEEE Transactions on Information Forensics and Security, 20, 1434–1446. https://ieeexplore.ieee.org/abstract/document/10816024

Zhang, X., Zhang, C., Li, T., Huang, Y., Jia, X., Hu, M., Zhang, J., Liu, Y., Ma, S., & Shen, C. (2025). JailGuard: A universal detection framework for prompt-based attacks on LLM systems. ACM Transactions on Software Engineering and Methodology, 35(1), 1–40. https://dl.acm.org/doi/full/10.1145/3724393

Zhang, Y., Li, Y., Cui, L., Cai, D., Liu, L., Fu, T., & Huang, X., et al. (2025). Siren's song in the AI ocean: A survey on hallucination in large language models. Computational Linguistics, 51(4), 1373–1418. https://doi.org/10.1162/COLI.a.16

Zhong, M., & Tandon, R. (2024). SPLITZ: Certifiable robustness via split Lipschitz randomized smoothing. IEEE Transactions on Information Forensics and Security, 20, 1–14. DOI: 10.1109/TIFS.2025.3595402

Zou, W., Geng, R., Wang, B., & Jia, J. (2025). PoisonedRAG: Knowledge corruption attacks to retrieval-augmented generation of large language models. In Proceedings of the 34th USENIX Security Symposium (pp. 3827–3844). USENIX Association. https://www.usenix.org/conference/usenixsecurity25/presentation/zou-poisonedrag

Downloads

Published

2026-07-06

How to Cite

Hadi, Y. S. (2026). AdverShield-LLM: Adversarial Robustness Certification for IoT-Integrated Retrieval-Augmented Generation via Randomized Smoothing. Journal of Technology and System Information, 3(2), 105–135. https://doi.org/10.47134/jtsi.v3i2.6047

Issue

Section

Articles

Similar Articles

<< < 1 2 3 

You may also start an advanced similarity search for this article.