Benchmarking and Defending Against Indirect Prompt Injection Attacks on Large Language Models

Original Paper: https://arxiv.org/abs/2312.14197

By: Jingwei Yi, Yueqi Xie, Bin Zhu, Emre Kiciman, Guangzhong Sun, Xing Xie, Fangzhao Wu

Abstract:

The integration of large language models (LLMs) with external content has enabled more up-to-date and wide-ranging applications of LLMs, such as Microsoft Copilot. However, this integration has also exposed LLMs to the risk of indirect prompt injection attacks, where an attacker can embed malicious instructions within external content, compromising LLM output and causing responses to deviate from user expectations. To investigate this important but underexplored issue, we introduce the first benchmark for indirect prompt injection attacks, named BIPIA, to evaluate the risk of such attacks. Based on the evaluation, our work makes a key analysis of the underlying reason for the success of the attack, namely the inability of LLMs to distinguish between instructions and external content and the absence of LLMs' awareness to not execute instructions within external content. Building upon this analysis, we develop two black-box methods based on prompt learning and a white-box defense method based on fine-tuning with adversarial training accordingly. Experimental results demonstrate that black-box defenses are highly effective in mitigating these attacks, while the white-box defense reduces the attack success rate to near-zero levels. Overall, our work systematically investigates indirect prompt injection attacks by introducing a benchmark, analyzing the underlying reason for the success of the attack, and developing an initial set of defenses.

Summary Notes

Benchmarking and Defending Against Indirect Prompt Injection Attacks on Large Language Models

As artificial intelligence (AI) continues to grow, large language models (LLMs) are becoming increasingly central in various applications like email responses and code generation.

Yet, their integration with external content exposes them to new security threats, notably indirect prompt injection attacks. This blog post explores these attacks, their impact on LLMs, and presents effective defense strategies, based on insights from Jingwei Yi et al.'s recent research.

What are Indirect Prompt Injection Attacks?

Indirect prompt injection attacks subtly embed malicious commands in external content that LLMs might use, aiming to manipulate the model's outputs.

Unlike direct attacks that tamper with input directly, these indirect methods are stealthier, potentially leading to misinformation spread or content filter bypass.

The BIPIA Benchmark: Assessing LLM Vulnerability

The Benchmark for Indirect Prompt Injection Attacks (BIPIA) evaluates LLM vulnerability across various scenarios:

• Code QA
• Summarization
• Table QA
• Web QA
• Email QA

Testing 25 LLMs, the research highlights a widespread vulnerability to these attacks.

Identifying Weaknesses

LLMs struggle to differentiate between legitimate and maliciously crafted content due to their design and operation principles.

This issue, combined with their reliance on external content, amplifies their susceptibility to indirect prompt injections.

Strengthening Defenses: Strategies and Mechanisms

The proposed defense strategies are categorized into black-box and white-box approaches:

Black-box Defenses

White-box Defenses

• In-Context Learning: Teaches the model to identify and ignore malicious content through input context examples.
• Multi-turn Dialogue: Engages the model in clarifying dialogues for ambiguous or harmful instructions.

Evaluating Defense Effectiveness

• Embedding Layer Modification: Adjusts the model's embedding layer to better distinguish between legitimate and malicious inputs.
• Adversarial Training: Involves training models with examples of indirect prompt injections to improve their resistance.

Looking Ahead

Implementing these defense strategies significantly lowered the Attack Success Rate (ASR) across tested LLMs, especially with white-box defenses, which nearly eliminated ASR. These methods also preserved the models' performance on benign inputs, ensuring their utility wasn't compromised for security.

Conclusion

While current defenses offer significant protection, the evolving nature of cybersecurity threats means ongoing adjustments and validations are necessary.

Future research will focus on refining these defenses and expanding BIPIA to encompass new attack vectors.