DataSentinel: A Game-Theoretic Detection of Prompt Injection Attacks
About
LLM-integrated applications and agents are vulnerable to prompt injection attacks, where an attacker injects prompts into their inputs to induce attacker-desired outputs. A detection method aims to determine whether a given input is contaminated by an injected prompt. However, existing detection methods have limited effectiveness against state-of-the-art attacks, let alone adaptive ones. In this work, we propose DataSentinel, a game-theoretic method to detect prompt injection attacks. Specifically, DataSentinel fine-tunes an LLM to detect inputs contaminated with injected prompts that are strategically adapted to evade detection. We formulate this as a minimax optimization problem, with the objective of fine-tuning the LLM to detect strong adaptive attacks. Furthermore, we propose a gradient-based method to solve the minimax optimization problem by alternating between the inner max and outer min problems. Our evaluation results on multiple benchmark datasets and LLMs show that DataSentinel effectively detects both existing and adaptive prompt injection attacks.
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| End-to-End Defense in RAG | SciFact | ASR21 | 69 | |
| End-to-End Defense in RAG | HotpotQA | Attack Success Rate (ASR)22 | 69 | |
| End-to-End Defense in RAG | ArguAna | Attack Success Rate (ASR)6 | 63 | |
| End-to-End Defense in RAG | FEVER | ASR15 | 63 | |
| End-to-End Defense in RAG | FiQA | ASR23 | 63 | |
| RAG Attack Defense | Natural Questions | ASR31 | 63 | |
| Prompt injection detection | PopUp attack (top visited websites) | Accuracy49.96 | 40 | |
| Question Answering | SQuAD v2 | ASR Score0.78 | 36 | |
| Question Answering | Dolly Closed QA | ASR84 | 36 | |
| Prompt Injection and Jailbreak Detection | WARD (test) | Accuracy56.5 | 27 |