Attention Tracker: Detecting Prompt Injection Attacks in LLMs

TL;DR

This paper introduces Attention Tracker, a training-free method that detects prompt injection attacks in LLMs by analyzing attention patterns, improving detection accuracy across models and attack types.

Contribution

The paper uncovers the distraction effect in attention heads and proposes a novel, training-free detection method that generalizes across models and datasets.

Findings

AUROC improved by up to 10% over existing methods

Effective detection across diverse models and attack types

Performs well even on small LLMs

Abstract

Large Language Models (LLMs) have revolutionized various domains but remain vulnerable to prompt injection attacks, where malicious inputs manipulate the model into ignoring original instructions and executing designated action. In this paper, we investigate the underlying mechanisms of these attacks by analyzing the attention patterns within LLMs. We introduce the concept of the distraction effect, where specific attention heads, termed important heads, shift focus from the original instruction to the injected instruction. Building on this discovery, we propose Attention Tracker, a training-free detection method that tracks attention patterns on instruction to detect prompt injection attacks without the need for additional LLM inference. Our method generalizes effectively across diverse models, datasets, and attack types, showing an AUROC improvement of up to 10.0% over existing methods, and performs well even on small LLMs. We demonstrate the robustness of our approach through extensive evaluations and provide insights into safeguarding LLM-integrated systems from prompt injection vulnerabilities.