ProxyPrompt: Securing System Prompts against Prompt Extraction Attacks
Zhixiong Zhuang, Maria-Irina Nicolae, Hui-Po Wang, Mario Fritz
TL;DR
ProxyPrompt addresses the security risk of system prompt leakage by replacing the original prompt with a learnable proxy embedded in continuous space, preserving utility for legitimate use while rendering extracted prompts ineffective. The method jointly optimizes the proxy to minimize changes in normal responses yet maximize divergence when queried by attackers, using a surrogate optimization setup that accounts for unknown attacker strategies. Semantic-level evaluation metrics SM and MS detect rephrased leaks more accurately than traditional token-overlap metrics, and results show substantial protection across 264 configurations (94.70%), with strong performance in real-world deployment on HuggingChat. The work demonstrates practical applicability, discusses limitations and attacker-model considerations, and suggests directions for integrating ProxyPrompt with non-sensitive prompts and refining query sets for broader robustness.
Abstract
The integration of large language models (LLMs) into a wide range of applications has highlighted the critical role of well-crafted system prompts, which require extensive testing and domain expertise. These prompts enhance task performance but may also encode sensitive information and filtering criteria, posing security risks if exposed. Recent research shows that system prompts are vulnerable to extraction attacks, while existing defenses are either easily bypassed or require constant updates to address new threats. In this work, we introduce ProxyPrompt, a novel defense mechanism that prevents prompt leakage by replacing the original prompt with a proxy. This proxy maintains the original task's utility while obfuscating the extracted prompt, ensuring attackers cannot reproduce the task or access sensitive information. Comprehensive evaluations on 264 LLM and system prompt pairs show that ProxyPrompt protects 94.70% of prompts from extraction attacks, outperforming the next-best defense, which only achieves 42.80%.
