DRIFT: Dynamic Rule-Based Defense with Injection Isolation for Securing LLM Agents

TL;DR

DRIFT is a dynamic, rule-based framework that enhances the security of LLM agents by enforcing adaptable policies and isolating injection risks, effectively defending against prompt injection attacks while preserving utility.

Contribution

This paper introduces DRIFT, a novel framework that dynamically updates security policies and isolates injection threats, addressing limitations of static defenses in securing LLM agents.

Findings

DRIFT effectively defends against prompt injection attacks.

Maintains high utility across diverse models.

Demonstrates robustness and adaptability in empirical evaluations.

Abstract

Large Language Models (LLMs) are increasingly central to agentic systems due to their strong reasoning and planning capabilities. By interacting with external environments through predefined tools, these agents can carry out complex user tasks. Nonetheless, this interaction also introduces the risk of prompt injection attacks, where malicious inputs from external sources can mislead the agent's behavior, potentially resulting in economic loss, privacy leakage, or system compromise. System-level defenses have recently shown promise by enforcing static or predefined policies, but they still face two key challenges: the ability to dynamically update security rules and the need for memory stream isolation. To address these challenges, we propose Dynamic Rule-based Isolation Framework for Trustworthy agentic systems (DRIFT), which enforces the dynamic security policy and injection isolation for securing LLM agents against prompt injection attacks. A Secure Planner first constructs a minimal function trajectory and a JSON-schema-style parameter checklist for each function node based on the user query. A Dynamic Validator then monitors deviations from the original plan, assessing whether changes comply with privilege limitations and the user's intent. Finally, an Injection Isolator detects and masks any instructions that may conflict with the user query from the memory stream to mitigate long-term risks. We empirically validate the effectiveness of DRIFT on the AgentDojo, ASB, and AgentDyn benchmark, demonstrating its strong security performance while maintaining high utility across diverse models, showcasing both its robustness and adaptability. The project website is available at https://safo-lab.github.io/DRIFT.