Gandalf the Red: Adaptive Security for LLMs

TL;DR

This paper introduces D-SEC, a model for adaptive LLM security that considers attacker-legitimate user dynamics, and Gandalf, a gamified platform for generating realistic prompt attacks, revealing trade-offs between security and usability.

Contribution

It presents D-SEC for modeling adaptive threats and introduces Gandalf, a large dataset of prompt attacks, to improve evaluation of LLM defenses.

Findings

Defenses can degrade usability even without request blocking.

Adaptive defenses and defense-in-depth improve security without harming utility.

Realistic attack data helps evaluate and enhance LLM security strategies.

Abstract

Current evaluations of defenses against prompt attacks in large language model (LLM) applications often overlook two critical factors: the dynamic nature of adversarial behavior and the usability penalties imposed on legitimate users by restrictive defenses. We propose D-SEC (Dynamic Security Utility Threat Model), which explicitly separates attackers from legitimate users, models multi-step interactions, and expresses the security-utility in an optimizable form. We further address the shortcomings in existing evaluations by introducing Gandalf, a crowd-sourced, gamified red-teaming platform designed to generate realistic, adaptive attack. Using Gandalf, we collect and release a dataset of 279k prompt attacks. Complemented by benign user data, our analysis reveals the interplay between security and utility, showing that defenses integrated in the LLM (e.g., system prompts) can degrade usability even without blocking requests. We demonstrate that restricted application domains, defense-in-depth, and adaptive defenses are effective strategies for building secure and useful LLM applications.