Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Efficient Jailbreak Mitigation Using Semantic Linear Classification in a Multi-Staged Pipeline

Akshaj Prashanth Rao, Advait Singh, Saumya Kumaar Saksena, Dhruv Kumar

TL;DR

The paper addresses persistent prompt injection and jailbreaking threats in LLM-driven pipelines. It introduces a lightweight semantic defense based on text normalization, TF-IDF features, and a Linear SVM, embedded in a modular multi-stage pipeline with complementary detectors. On a curated corpus of over 30,000 labeled prompts, the LSVM stage achieves 93.4% accuracy and 96.5% specificity, and the full system reduces Attack Success Rate to zero while maintaining benign prompt performance; latency is dramatically reduced compared to a model-based baseline. The work demonstrates that layered, resource-efficient defenses can robustly secure modern LLM applications and provides open data and code to support reproducible benchmarking.

Abstract

Prompt injection and jailbreaking attacks pose persistent security challenges to large language model (LLM)-based systems. We present an efficient and systematically evaluated defense architecture that mitigates these threats through a lightweight, multi-stage pipeline. Its core component is a semantic filter based on text normalization, TF-IDF representations, and a Linear SVM classifier. Despite its simplicity, this module achieves 93.4% accuracy and 96.5% specificity on held-out data, substantially reducing attack throughput while incurring negligible computational overhead. Building on this efficient foundation, the full pipeline integrates complementary detection and mitigation mechanisms that operate at successive stages, providing strong robustness with minimal latency. In comparative experiments, our SVM-based configuration improves overall accuracy from 35.1% to 93.4% while reducing average time to completion from approximately 450s to 47s, yielding over 10 times lower latency than ShieldGemma. These results demonstrate that the proposed design simultaneously advances defensive precision and efficiency, addressing a core limitation of current model-based moderators. Evaluation across a curated corpus of over 30,000 labeled prompts, including benign, jailbreak, and application-layer injections, confirms that staged, resource-efficient defenses can robustly secure modern LLM-driven applications.

Efficient Jailbreak Mitigation Using Semantic Linear Classification in a Multi-Staged Pipeline

TL;DR

The paper addresses persistent prompt injection and jailbreaking threats in LLM-driven pipelines. It introduces a lightweight semantic defense based on text normalization, TF-IDF features, and a Linear SVM, embedded in a modular multi-stage pipeline with complementary detectors. On a curated corpus of over 30,000 labeled prompts, the LSVM stage achieves 93.4% accuracy and 96.5% specificity, and the full system reduces Attack Success Rate to zero while maintaining benign prompt performance; latency is dramatically reduced compared to a model-based baseline. The work demonstrates that layered, resource-efficient defenses can robustly secure modern LLM applications and provides open data and code to support reproducible benchmarking.

Abstract

Prompt injection and jailbreaking attacks pose persistent security challenges to large language model (LLM)-based systems. We present an efficient and systematically evaluated defense architecture that mitigates these threats through a lightweight, multi-stage pipeline. Its core component is a semantic filter based on text normalization, TF-IDF representations, and a Linear SVM classifier. Despite its simplicity, this module achieves 93.4% accuracy and 96.5% specificity on held-out data, substantially reducing attack throughput while incurring negligible computational overhead. Building on this efficient foundation, the full pipeline integrates complementary detection and mitigation mechanisms that operate at successive stages, providing strong robustness with minimal latency. In comparative experiments, our SVM-based configuration improves overall accuracy from 35.1% to 93.4% while reducing average time to completion from approximately 450s to 47s, yielding over 10 times lower latency than ShieldGemma. These results demonstrate that the proposed design simultaneously advances defensive precision and efficiency, addressing a core limitation of current model-based moderators. Evaluation across a curated corpus of over 30,000 labeled prompts, including benign, jailbreak, and application-layer injections, confirms that staged, resource-efficient defenses can robustly secure modern LLM-driven applications.

Paper Structure

This paper contains 43 sections, 1 figure, 3 tables, 5 algorithms.

Table of Contents

  1. Introduction
  2. Related Work
  3. Detection and Mitigation of Prompt Injection.
  4. Token- and Context-Manipulation Attacks.
  5. General Prompt Optimization and Black-Box Jailbreaking.
  6. Methodology
  7. Design overview
  8. Pipeline configuration
  9. Dataset
  10. Data sources.
  11. Labeling and taxonomy.
  12. Dataset splits and usage.
  13. Reproducibility and release.
  14. Defense Suite Implementation
  15. Text processing + LSVM (primary contribution)
  16. ...and 28 more sections

Figures (1)

  • Figure 1: The layered Defense Pipeline for LLM Security Evaluation. The framework processes adversarial prompts through all the marked defense stages. Only the prompts deemed safe by all layers are passed to the LLM, all others are blocked.