ReasAlign: Reasoning Enhanced Safety Alignment against Prompt Injection Attack
Hao Li, Yankai Yang, G. Edward Suh, Ning Zhang, Chaowei Xiao
TL;DR
ReasAlign tackles prompt-injection threats in open-ended LLM-based agents by embedding structured reasoning into safety alignment and using a test-time judge to select the most reliable reasoning trajectory. The approach maintains utility close to undefended models while delivering strong security, exemplified by a CySE evaluation showing $94.6%$ utility and $3.6%$ ASR, and by outperforming prior guardrails like Meta SecAlign across diverse tasks. Key contributions include constructing a structured reasoning dataset with explicit injection identification, applying LoRA-based safety alignment, and introducing a judge-driven, test-time scaling mechanism with $N$-node beam search (default $N=3$). Overall, ReasAlign demonstrates a robust, practical defense against prompt injection in general knowledge, instruction-following, and agentic workflows, with notable improvements in security without sacrificing task performance.
Abstract
Large Language Models (LLMs) have enabled the development of powerful agentic systems capable of automating complex workflows across various fields. However, these systems are highly vulnerable to indirect prompt injection attacks, where malicious instructions embedded in external data can hijack agent behavior. In this work, we present ReasAlign, a model-level solution to improve safety alignment against indirect prompt injection attacks. The core idea of ReasAlign is to incorporate structured reasoning steps to analyze user queries, detect conflicting instructions, and preserve the continuity of the user's intended tasks to defend against indirect injection attacks. To further ensure reasoning logic and accuracy, we introduce a test-time scaling mechanism with a preference-optimized judge model that scores reasoning steps and selects the best trajectory. Comprehensive evaluations across various benchmarks show that ReasAlign maintains utility comparable to an undefended model while consistently outperforming Meta SecAlign, the strongest prior guardrail. On the representative open-ended CyberSecEval2 benchmark, which includes multiple prompt-injected tasks, ReasAlign achieves 94.6% utility and only 3.6% ASR, far surpassing the state-of-the-art defensive model of Meta SecAlign (56.4% utility and 74.4% ASR). These results demonstrate that ReasAlign achieves the best trade-off between security and utility, establishing a robust and practical defense against prompt injection attacks in real-world agentic systems. Our code and experimental results could be found at https://github.com/leolee99/ReasAlign.
