ICL-EVADER: Zero-Query Black-Box Evasion Attacks on In-Context Learning and Their Defenses
Ningyuan He, Ronghong Huang, Qianqian Tang, Hongyu Wang, Xianghang Mi, Shanqing Guo
TL;DR
This work addresses the security of in-context learning under a realistic zero-query black-box threat model. It introduces three novel evasion strategies—Fake Claim, Template, and Needle-in-a-Haystack—that drastically degrade ICL classifier performance across sentiment, toxicity, and illicit promotion tasks, outperforming traditional NLP attacks that rely on model queries. The authors systematically explore defense primitives and demonstrate that a joint defense combining adversarial demonstrations, cautionary warnings, and prompt structure randomization can nearly eliminate attack success while preserving accuracy within a 5% loss. They operationalize these insights into an automated defense tool and provide open-source code to facilitate practical hardening of ICL systems, highlighting both vulnerabilities and actionable mitigations for robust ICL deployments.
Abstract
In-context learning (ICL) has become a powerful, data-efficient paradigm for text classification using large language models. However, its robustness against realistic adversarial threats remains largely unexplored. We introduce ICL-Evader, a novel black-box evasion attack framework that operates under a highly practical zero-query threat model, requiring no access to model parameters, gradients, or query-based feedback during attack generation. We design three novel attacks, Fake Claim, Template, and Needle-in-a-Haystack, that exploit inherent limitations of LLMs in processing in-context prompts. Evaluated across sentiment analysis, toxicity, and illicit promotion tasks, our attacks significantly degrade classifier performance (e.g., achieving up to 95.3% attack success rate), drastically outperforming traditional NLP attacks which prove ineffective under the same constraints. To counter these vulnerabilities, we systematically investigate defense strategies and identify a joint defense recipe that effectively mitigates all attacks with minimal utility loss (<5% accuracy degradation). Finally, we translate our defensive insights into an automated tool that proactively fortifies standard ICL prompts against adversarial evasion. This work provides a comprehensive security assessment of ICL, revealing critical vulnerabilities and offering practical solutions for building more robust systems. Our source code and evaluation datasets are publicly available at: https://github.com/ChaseSecurity/ICL-Evader .
