Challenge: Large language model (LLM)-integrated applications face security vulnerabilities from prompt injection (PI) attacks.
Approach: They propose a model enhancement method that synthesizes diverse training data and employs instruction-level chain-of-thought fine-tuning to enable LLMs to effectively identify and reject malicious instructions regardless of their source or position in the context.
Outcome: The proposed method outperforms baselines in three critical dimensions while maintaining utility performance without degradation.

Similar Papers

Defense Against Prompt Injection Attack by Leveraging Attack Techniques (2025.acl-long)

Copied to clipboard

Challenge: Recent attacks leverage LLMs’ instruction-following abilities and their inabilities to distinguish instructions injected in the data content.
Approach: They invert the intention of prompt injection methods to develop novel defense methods based on previous training-free attack methods by repeating the attack process with the original input instruction rather than the injected instruction.
Outcome: The proposed methods outperform existing defense approaches, achieving state-of-the-art results.
Backdooring Instruction-Tuned Large Language Models with Virtual Prompt Injection (2024.naacl-long)

Copied to clipboard

Challenge: Instruction-tuned Large Language Models (LLMs) can modulate responses based on human instructions, but they can be maliciously steered to impact society in subtle but persistent ways.
Approach: They propose a backdoor attack setting that allows an attacker to inject a virtual prompt into an LLM to steer it without any explicit injection at its input.
Outcome: The proposed method is able to poison the model's instruction tuning data and show that it is highly effective in steering the model.
Evaluating the Instruction-Following Robustness of Large Language Models to Prompt Injection (2024.emnlp-main)

Copied to clipboard

Challenge: Large Language Models (LLMs) have demonstrated exceptional proficiency in instruction-following, making them increasingly integral to various applications.
Approach: They establish a benchmark to evaluate the robustness of instruction-following LLMs against prompt injection attacks, assessing their ability to discern which instructions to follow and which to disregard.
Outcome: The proposed model is overly sensitive to prompt injection attacks, focusing on the latter part of the prompt without fully understanding the context.
Defenses Against Prompt Attacks Learn Surface Heuristics (2026.acl-long)

Copied to clipboard

Challenge: Large language models (LLMs) are increasingly deployed in security-sensitive applications . recent defenses rely on supervised fine-tuning with benign and malicious labels . position bias arises when benign content placed later in a prompt is rejected at much higher rates .
Approach: They analyze three recurring shortcut behaviors induced by supervised fine-tuning . position bias arises when benign content placed later in a prompt is rejected . token trigger bias occurs when strings common in attack data raise rejection probability .
Outcome: The proposed model overrides intended logic when adversarial instructions appear . the proposed model has low rejection rates but narrow correlations in defense data .
Robustness via Referencing: Defending against Prompt Injection Attacks by Referencing the Executed Instruction (2026.findings-acl)

Copied to clipboard

Challenge: Prompt injection attacks manipulate large language models (LLMs) by misleading them to deviate from the original input instructions and execute maliciously injected instructions.
Approach: They propose a prompt injection defense method that suppresses the model's instruction-following tendencies rather than suppressing them.
Outcome: The proposed method outperforms prompt-engineering-based approaches and fine-tuning methods and reduces the ASR to nearly 0% in some scenarios.
Critical-CoT: A Robust Defense Framework against Reasoning-Level Backdoor Attacks in Large Language Models (2026.acl-long)

Copied to clipboard

Challenge: Large Language Models (LLMs) are vulnerable to backdoors that use long-form reasoning to generate a specific word, choice, or class.
Approach: They propose a mechanism that allows LLMs to develop critical thinking behaviors and detect backdoors by a two-stage fine-tuning.
Outcome: The proposed mechanism exhibits strong cross-domain and cross-task generalization.
LLMs Caught in the Crossfire: Malware Requests and Jailbreak Challenges (2025.acl-long)

Copied to clipboard

Challenge: Large Language Models (LLMs) have a high vulnerability to jailbreak attacks that leverage crafted prompts to generate malicious outputs.
Approach: They propose to use large language models to test their security against jailbreak attacks that leverage crafted prompts to generate malicious outputs.
Outcome: The proposed model is based on 320 manually crafted malicious code generation requirements, covering 11 jailbreak methods and 29 code functionality categories.
Defending LLMs against Jailbreak Attacks via Template-Based ICL with a Defensive Suffix (2026.findings-acl)

Copied to clipboard

Challenge: State-of-the-art large language models (LLMs) are vulnerable to jailbreak attacks, such as GCG and AutoDAN.
Approach: They propose to take the advances of online In-Context Learning and an offline defensive suffix and optimize them using an iterative algorithm and an online stochastic random search to identify the most effective ICL demonstrations.
Outcome: The proposed method reduces attack success rate to nearly *0% while maintaining the model’s utility on benign tasks and incurring only *negligible* computational overhead.
Root Defense Strategies: Ensuring Safety of LLM at the Decoding Level (2025.acl-long)

Copied to clipboard

Challenge: Existing methods to detect harmful outputs from prefill-level lacks utilization of the model’s decoding outputs, leading to relatively lower effectiveness and robustness.
Approach: They propose a robust decoding mechanism that corrects harmful queries directly rather than rejecting them outright.
Outcome: The proposed model improves model security without compromising reasoning speed.
Defending against Indirect Prompt Injection by Instruction Detection (2025.findings-emnlp)

Copied to clipboard

Challenge: Indirect Prompt Injection attacks can be exploited by LLMs that are embedded with external data.
Approach: They propose a detection-based approach that leverages the behavioral states of LLMs to identify potential IPI attacks.
Outcome: The proposed approach reduces the success rate of attacks to 0.03% on the BIPIA benchmark.

What is GenGO?

GenGO is an NLP powered publication search system. It currenctly indexes 30k+ papers from ACL Anthology, and implements multi-aspect summarization, semantic search, and more!

Information

About
Limitations