Adversarial Attacks on LLM-as-a-Judge Systems: Insights from Prompt Injections
This addresses security risks in AI evaluation systems, which is an incremental but important domain-specific problem.
The paper tackled the vulnerability of LLM-as-a-judge systems to prompt injection attacks, finding that attacks achieved up to 73.8% success rate, with smaller models being more vulnerable and transferability ranging from 50.5% to 62.6%.
LLM as judge systems used to assess text quality code correctness and argument strength are vulnerable to prompt injection attacks. We introduce a framework that separates content author attacks from system prompt attacks and evaluate five models Gemma 3.27B Gemma 3.4B Llama 3.2 3B GPT 4 and Claude 3 Opus on four tasks with various defenses using fifty prompts per condition. Attacks achieved up to seventy three point eight percent success smaller models proved more vulnerable and transferability ranged from fifty point five to sixty two point six percent. Our results contrast with Universal Prompt Injection and AdvPrompter We recommend multi model committees and comparative scoring and release all code and datasets