An Early Categorization of Prompt Injection Attacks on Large Language Models
Sippo Rossi, Alisia Marianne Michel, Raghava Rao Mukkamala, Jason Bennett Thatcher
TL;DR
Prompt injections threaten the safety and controllability of large language models by enabling outputs that bypass safeguards or reveal internal prompts. The authors synthesize academic and online sources to produce a concrete taxonomy that splits attacks into direct and indirect families (6 direct, 4 indirect) and enumerates 17 variations with examples. The work provides a practical checklist for developers and end users, discusses ethical considerations, and outlines implications for research and system design. This taxonomy lays groundwork for standard testing, defense development, and responsible deployment of LLM-based interfaces in real-world settings.
Abstract
Large language models and AI chatbots have been at the forefront of democratizing artificial intelligence. However, the releases of ChatGPT and other similar tools have been followed by growing concerns regarding the difficulty of controlling large language models and their outputs. Currently, we are witnessing a cat-and-mouse game where users attempt to misuse the models with a novel attack called prompt injections. In contrast, the developers attempt to discover the vulnerabilities and block the attacks simultaneously. In this paper, we provide an overview of these emergent threats and present a categorization of prompt injections, which can guide future research on prompt injections and act as a checklist of vulnerabilities in the development of LLM interfaces. Moreover, based on previous literature and our own empirical research, we discuss the implications of prompt injections to LLM end users, developers, and researchers.