PromptShield: Deployable Detection for Prompt Injection Attacks
Dennis Jacob, Hend Alzahrani, Zhanhao Hu, Basel Alomair, David Wagner
TL;DR
The paper tackles the practical challenge of detecting prompt injection in LLM-based applications by distinguishing conversational from application-structured data and proposing deployment-focused evaluation. It introduces PromptShield, a curated benchmark and a high-performing detector trained on its train split, with a deployment scheme that targets ultra-low FPRs and demonstrates strong low-FPR detection across architectures. Key findings show that data curation and larger, well-chosen models substantially boost detection, achieving up to $TPR=94.8\%$ at $FPR=1\%$ and $TPR=65.3\%$ at $FPR=0.1\%$ for different setups, significantly beating prior detectors like PromptGuard. The authors release the benchmark and code publicly to spur practical, scalable defenses and encourage further research into data-driven improvements and deployment-aware evaluation for prompt-injection defenses.
Abstract
Application designers have moved to integrate large language models (LLMs) into their products. However, many LLM-integrated applications are vulnerable to prompt injections. While attempts have been made to address this problem by building prompt injection detectors, many are not yet suitable for practical deployment. To support research in this area, we introduce PromptShield, a benchmark for training and evaluating deployable prompt injection detectors. Our benchmark is carefully curated and includes both conversational and application-structured data. In addition, we use insights from our curation process to fine-tune a new prompt injection detector that achieves significantly higher performance in the low false positive rate (FPR) evaluation regime compared to prior schemes. Our work suggests that careful curation of training data and larger models can contribute to strong detector performance.
