PromptArmor: Simple yet Effective Prompt Injection Defenses

TL;DR

PromptArmor is a straightforward defense mechanism that prompts an LLM to detect and eliminate prompt injections, significantly reducing attack success rates and maintaining high accuracy in identifying malicious prompts.

Contribution

This paper introduces PromptArmor, a simple yet effective method for defending against prompt injection attacks by leveraging LLM prompting techniques.

Findings

Achieves below 1% false positive and false negative rates on the AgentDojo benchmark.

Reduces attack success rate to below 1% after prompt removal.

Effective against adaptive prompt injection attacks.

Abstract

Despite their potential, recent research has demonstrated that LLM agents are vulnerable to prompt injection attacks, where malicious prompts are injected into the agent's input, causing it to perform an attacker-specified task rather than the intended task provided by the user. In this paper, we present PromptArmor, a simple yet effective defense against prompt injection attacks. Specifically, PromptArmor prompts an off-the-shelf LLM to detect and remove potential injected prompts from the input before the agent processes it. Our results show that PromptArmor can accurately identify and remove injected prompts. For example, using GPT-4o, GPT-4.1, or o4-mini, PromptArmor achieves both a false positive rate and a false negative rate below 1% on the AgentDojo benchmark. Moreover, after removing injected prompts with PromptArmor, the attack success rate drops to below 1%. We also demonstrate PromptArmor's effectiveness against adaptive attacks and explore different strategies for prompting an LLM. We recommend that PromptArmor be adopted as a standard baseline for evaluating new defenses against prompt injection attacks.