PromptArmor: Simple yet Effective Prompt Injection Defenses
About
Despite their potential, recent research has demonstrated that LLM agents are vulnerable to prompt injection attacks, where malicious prompts are injected into the agent's input, causing it to perform an attacker-specified task rather than the intended task provided by the user. In this paper, we present PromptArmor, a simple yet effective defense against prompt injection attacks. Specifically, PromptArmor prompts an off-the-shelf LLM to detect and remove potential injected prompts from the input before the agent processes it. Our results show that PromptArmor can accurately identify and remove injected prompts. For example, using GPT-4o, GPT-4.1, or o4-mini, PromptArmor achieves both a false positive rate and a false negative rate below 1% on the AgentDojo benchmark. Moreover, after removing injected prompts with PromptArmor, the attack success rate drops to below 1%. We also demonstrate PromptArmor's effectiveness against adaptive attacks and explore different strategies for prompting an LLM. We recommend that PromptArmor be adopted as a standard baseline for evaluating new defenses against prompt injection attacks.
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Prompt Injection Prevention | Alpaca-Farm | -- | 105 | |
| Computer Use | OSWorld | OS Success Rate35.2 | 45 | |
| Prompt injection detection | PopUp attack (top visited websites) | Accuracy49.78 | 40 | |
| Question Answering | SQuAD v2 | ASR Score1 | 36 | |
| Question Answering | Dolly Closed QA | ASR100 | 36 | |
| Prompt Injection and Jailbreak Detection | WARD (test) | Accuracy54.33 | 27 | |
| Prompt Injection and Jailbreak Detection | EIA | Recall99.01 | 25 | |
| Prompt Injection Prevention | NQ simplified | Naïve Success Rate28 | 24 | |
| Indirect Prompt Injection Defense Evaluation | AgentDojo TOOLKNOWLEDGE attack suite | Latency (s)17.68 | 24 | |
| Prompt Injection Defense | OPI (Open-Prompt-Injection) | ASR31 | 24 |