PIShield: Detecting Prompt Injection Attacks via Intrinsic LLM Features
This addresses security vulnerabilities in LLM applications, offering an effective and efficient solution for detecting prompt injection attacks, though it is incremental as it builds on existing detection methods.
The paper tackles prompt injection attacks on LLM-integrated applications by proposing PIShield, a detection method that uses internal LLM representations to distinguish clean from contaminated prompts, achieving substantial performance gains over 11 baselines across 5 datasets and 8 attacks.
LLM-integrated applications are vulnerable to prompt injection attacks, where an attacker contaminates the input to inject malicious prompts, causing the LLM to follow the attacker's intent instead of the original user's. Existing prompt injection detection methods often have sub-optimal performance and/or high computational overhead. In this work, we propose PIShield, a detection method that is both effective and efficient. Our key observation is that the internal representation of the final token in a prompt-extracted from a specific layer of the LLM, which we term the injection-critical layer-captures distinguishing features between clean and contaminated prompts. Leveraging this insight, we train a simple linear classifier on these internal representations using a labeled set of clean and contaminated prompts. We compare PIShield against 11 baselines across 5 diverse benchmark datasets and 8 prompt injection attacks. The results demonstrate that PIShield is both highly effective and efficient, substantially outperforming existing methods. Additionally, we show that PIShield resists strong adaptive attacks.