Attention is All You Need to Defend Against Indirect Prompt Injection Attacks in LLMs

TL;DR

This paper introduces Rennervate, a novel attention-based framework for detecting and preventing indirect prompt injection attacks in large language models, enhancing security without compromising functionality.

Contribution

The paper proposes a fine-grained token-level detection method using attention features and introduces the FIPI dataset for IPI research, outperforming existing defenses.

Findings

Rennervate achieves higher precision than 15 existing methods.

It is effective across multiple LLMs and datasets.

The framework is transferable and robust against adaptive attacks.

Abstract

Large Language Models (LLMs) have been integrated into many applications (e.g., web agents) to perform more sophisticated tasks. However, LLM-empowered applications are vulnerable to Indirect Prompt Injection (IPI) attacks, where instructions are injected via untrustworthy external data sources. This paper presents Rennervate, a defense framework to detect and prevent IPI attacks. Rennervate leverages attention features to detect the covert injection at a fine-grained token level, enabling precise sanitization that neutralizes IPI attacks while maintaining LLM functionalities. Specifically, the token-level detector is materialized with a 2-step attentive pooling mechanism, which aggregates attention heads and response tokens for IPI detection and sanitization. Moreover, we establish a fine-grained IPI dataset, FIPI, to be open-sourced to support further research. Extensive experiments verify that Rennervate outperforms 15 commercial and academic IPI defense methods, achieving high precision on 5 LLMs and 6 datasets. We also demonstrate that Rennervate is transferable to unseen attacks and robust against adaptive adversaries.