Know Thy Enemy: Securing LLMs Against Prompt Injection via Diverse Data Synthesis and Instruction-Level Chain-of-Thought Learning
This addresses security vulnerabilities in LLM-integrated applications, which is critical for developers and users, though it appears incremental as it builds on existing defense methods.
The paper tackles the problem of defending large language models (LLMs) against prompt injection attacks by proposing InstruCoT, a method that synthesizes diverse training data and uses instruction-level chain-of-thought fine-tuning, resulting in significant performance improvements across behavior deviation, privacy leakage, and harmful output dimensions while maintaining utility.
Large language model (LLM)-integrated applications have become increasingly prevalent, yet face critical security vulnerabilities from prompt injection (PI) attacks. Defending against PI attacks faces two major issues: malicious instructions can be injected through diverse vectors, and injected instructions often lack clear semantic boundaries from the surrounding context, making them difficult to identify. To address these issues, we propose InstruCoT, a model enhancement method for PI defense that synthesizes diverse training data and employs instruction-level chain-of-thought fine-tuning, enabling LLMs to effectively identify and reject malicious instructions regardless of their source or position in the context. We evaluate InstruCoT across three critical dimensions: Behavior Deviation, Privacy Leakage, and Harmful Output. Experimental results across four LLMs demonstrate that InstruCoT significantly outperforms baselines in all dimensions while maintaining utility performance without degradation