Know Thy Enemy: Securing LLMs Against Prompt Injection via Diverse Data Synthesis and Instruction-Level Chain-of-Thought Learning (2026.findings-acl)
Copied to clipboard
Zhiyuan Chang, Mingyang Li, Yuekai Huang, Ziyou Jiang, Xiaojun Jia, Qian Xiong, Junjie Wang, Zhaoyang Li, Qing Wang
| Challenge: | Large language model (LLM)-integrated applications face security vulnerabilities from prompt injection (PI) attacks. |
| Approach: | They propose a model enhancement method that synthesizes diverse training data and employs instruction-level chain-of-thought fine-tuning to enable LLMs to effectively identify and reject malicious instructions regardless of their source or position in the context. |
| Outcome: | The proposed method outperforms baselines in three critical dimensions while maintaining utility performance without degradation. |
Similar Papers
Defense Against Prompt Injection Attack by Leveraging Attack Techniques (2025.acl-long)
Copied to clipboard
| Challenge: | Recent attacks leverage LLMs’ instruction-following abilities and their inabilities to distinguish instructions injected in the data content. |
| Approach: | They invert the intention of prompt injection methods to develop novel defense methods based on previous training-free attack methods by repeating the attack process with the original input instruction rather than the injected instruction. |
| Outcome: | The proposed methods outperform existing defense approaches, achieving state-of-the-art results. |
Backdooring Instruction-Tuned Large Language Models with Virtual Prompt Injection (2024.naacl-long)
Copied to clipboard
Jun Yan, Vikas Yadav, Shiyang Li, Lichang Chen, Zheng Tang, Hai Wang, Vijay Srinivasan, Xiang Ren, Hongxia Jin
| Challenge: | Instruction-tuned Large Language Models (LLMs) can modulate responses based on human instructions, but they can be maliciously steered to impact society in subtle but persistent ways. |
| Approach: | They propose a backdoor attack setting that allows an attacker to inject a virtual prompt into an LLM to steer it without any explicit injection at its input. |
| Outcome: | The proposed method is able to poison the model's instruction tuning data and show that it is highly effective in steering the model. |
Evaluating the Instruction-Following Robustness of Large Language Models to Prompt Injection (2024.emnlp-main)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) have demonstrated exceptional proficiency in instruction-following, making them increasingly integral to various applications. |
| Approach: | They establish a benchmark to evaluate the robustness of instruction-following LLMs against prompt injection attacks, assessing their ability to discern which instructions to follow and which to disregard. |
| Outcome: | The proposed model is overly sensitive to prompt injection attacks, focusing on the latter part of the prompt without fully understanding the context. |
Defenses Against Prompt Attacks Learn Surface Heuristics (2026.acl-long)
Copied to clipboard
| Challenge: | Large language models (LLMs) are increasingly deployed in security-sensitive applications . recent defenses rely on supervised fine-tuning with benign and malicious labels . position bias arises when benign content placed later in a prompt is rejected at much higher rates . |
| Approach: | They analyze three recurring shortcut behaviors induced by supervised fine-tuning . position bias arises when benign content placed later in a prompt is rejected . token trigger bias occurs when strings common in attack data raise rejection probability . |
| Outcome: | The proposed model overrides intended logic when adversarial instructions appear . the proposed model has low rejection rates but narrow correlations in defense data . |
Robustness via Referencing: Defending against Prompt Injection Attacks by Referencing the Executed Instruction (2026.findings-acl)
Copied to clipboard
Yulin Chen, Haoran Li, Yuan Sui, Yue Liu, Yufei He, Xiaoling Bai, Chi Fei, Li Yabo, Haozhe Ma, Yangqiu Song, Bryan Hooi
| Challenge: | Prompt injection attacks manipulate large language models (LLMs) by misleading them to deviate from the original input instructions and execute maliciously injected instructions. |
| Approach: | They propose a prompt injection defense method that suppresses the model's instruction-following tendencies rather than suppressing them. |
| Outcome: | The proposed method outperforms prompt-engineering-based approaches and fine-tuning methods and reduces the ASR to nearly 0% in some scenarios. |
Critical-CoT: A Robust Defense Framework against Reasoning-Level Backdoor Attacks in Large Language Models (2026.acl-long)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) are vulnerable to backdoors that use long-form reasoning to generate a specific word, choice, or class. |
| Approach: | They propose a mechanism that allows LLMs to develop critical thinking behaviors and detect backdoors by a two-stage fine-tuning. |
| Outcome: | The proposed mechanism exhibits strong cross-domain and cross-task generalization. |
LLMs Caught in the Crossfire: Malware Requests and Jailbreak Challenges (2025.acl-long)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) have a high vulnerability to jailbreak attacks that leverage crafted prompts to generate malicious outputs. |
| Approach: | They propose to use large language models to test their security against jailbreak attacks that leverage crafted prompts to generate malicious outputs. |
| Outcome: | The proposed model is based on 320 manually crafted malicious code generation requirements, covering 11 jailbreak methods and 29 code functionality categories. |
Defending LLMs against Jailbreak Attacks via Template-Based ICL with a Defensive Suffix (2026.findings-acl)
Copied to clipboard
| Challenge: | State-of-the-art large language models (LLMs) are vulnerable to jailbreak attacks, such as GCG and AutoDAN. |
| Approach: | They propose to take the advances of online In-Context Learning and an offline defensive suffix and optimize them using an iterative algorithm and an online stochastic random search to identify the most effective ICL demonstrations. |
| Outcome: | The proposed method reduces attack success rate to nearly *0% while maintaining the model’s utility on benign tasks and incurring only *negligible* computational overhead. |
Root Defense Strategies: Ensuring Safety of LLM at the Decoding Level (2025.acl-long)
Copied to clipboard
| Challenge: | Existing methods to detect harmful outputs from prefill-level lacks utilization of the model’s decoding outputs, leading to relatively lower effectiveness and robustness. |
| Approach: | They propose a robust decoding mechanism that corrects harmful queries directly rather than rejecting them outright. |
| Outcome: | The proposed model improves model security without compromising reasoning speed. |
Defending against Indirect Prompt Injection by Instruction Detection (2025.findings-emnlp)
Copied to clipboard
Tongyu Wen, Chenglong Wang, Xiyuan Yang, Haoyu Tang, Yueqi Xie, Lingjuan Lyu, Zhicheng Dou, Fangzhao Wu
| Challenge: | Indirect Prompt Injection attacks can be exploited by LLMs that are embedded with external data. |
| Approach: | They propose a detection-based approach that leverages the behavioral states of LLMs to identify potential IPI attacks. |
| Outcome: | The proposed approach reduces the success rate of attacks to 0.03% on the BIPIA benchmark. |