The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions

TL;DR

This paper introduces an instruction hierarchy for LLMs to prioritize privileged instructions, enhancing robustness against malicious prompts while maintaining core capabilities.

Contribution

It proposes a hierarchical instruction-following training method that teaches LLMs to ignore lower-privileged instructions, improving security against prompt-based attacks.

Findings

Significantly increased robustness to unseen attacks

Minimal impact on standard model capabilities

Effective hierarchy-based instruction prioritization

Abstract

Today's LLMs are susceptible to prompt injections, jailbreaks, and other attacks that allow adversaries to overwrite a model's original instructions with their own malicious prompts. In this work, we argue that one of the primary vulnerabilities underlying these attacks is that LLMs often consider system prompts (e.g., text from an application developer) to be the same priority as text from untrusted users and third parties. To address this, we propose an instruction hierarchy that explicitly defines how models should behave when instructions of different priorities conflict. We then propose a data generation method to demonstrate this hierarchical instruction following behavior, which teaches LLMs to selectively ignore lower-privileged instructions. We apply this method to GPT-3.5, showing that it drastically increases robustness -- even for attack types not seen during training -- while imposing minimal degradations on standard capabilities.