Enhancing Security in LLM Applications: A Performance Evaluation of Early Detection Systems

TL;DR

This paper evaluates the effectiveness of early prompt injection detection systems in LLM applications, comparing open-source solutions and proposing improvements to enhance security against prompt leak attacks.

Contribution

It provides a comprehensive analysis and comparison of existing prompt leak detection techniques, identifying their strengths, weaknesses, and proposing specific improvements.

Findings

Vigil is best for minimal false positives.

Rebuff performs well for average detection needs.

Canary word checks in Vigil and Rebuff are ineffective against prompt leaks.

Abstract

Prompt injection threatens novel applications that emerge from adapting LLMs for various user tasks. The newly developed LLM-based software applications become more ubiquitous and diverse. However, the threat of prompt injection attacks undermines the security of these systems as the mitigation and defenses against them, proposed so far, are insufficient. We investigated the capabilities of early prompt injection detection systems, focusing specifically on the detection performance of techniques implemented in various open-source solutions. These solutions are supposed to detect certain types of prompt injection attacks, including the prompt leak. In prompt leakage attacks, an attacker maliciously manipulates the LLM into outputting its system instructions, violating the system's confidentiality. Our study presents analyzes of distinct prompt leakage detection techniques, and a comparative analysis of several detection solutions, which implement those techniques. We identify the strengths and weaknesses of these techniques and elaborate on their optimal configuration and usage in high-stake deployments. In one of the first studies on existing prompt leak detection solutions, we compared the performances of LLM Guard, Vigil, and Rebuff. We concluded that the implementations of canary word checks in Vigil and Rebuff were not effective at detecting prompt leak attacks, and we proposed improvements for them. We also found an evasion weakness in Rebuff's secondary model-based technique and proposed a mitigation. Then, the result of the comparison of LLM Guard, Vigil, and Rebuff at their peak performance revealed that Vigil is optimal for cases when minimal false positive rate is required, and Rebuff is the most optimal for average needs.