More than you've asked for: A Comprehensive Analysis of Novel Prompt Injection Threats to Application-Integrated Large Language Models

AI-generated keywords: Large Language Models (LLMs)

AI-generated Key Points

The license of the paper does not allow us to build upon its content and the key points are generated using the paper metadata rather than the full article.

  • Significant advancements in Large Language Models (LLMs) are being integrated into various systems such as IDEs and search engines.
  • LLMs can be controlled through natural language prompts, but their internal functionality remains implicit and unassessable.
  • Prompt Injection (PI) attacks have been introduced as a way to misalign LLMs, allowing adversaries to manipulate them and produce malicious content.
  • Application-Integrated LLMs augment LLMs with retrieval and API calling capabilities, enabling them to process poisoned content retrieved from the web.
  • Attackers can indirectly perform PI attacks using Application-Integrated LLMs by injecting pre-selected malicious prompts into the retrieved content.
  • The authors systematically analyze the threat landscape of Application-Integrated LLMs and discuss new attack vectors to validate their practical viability.
  • Synthetic applications are used to demonstrate specific scenarios within this research.
  • There is an urgent need for evaluating current mitigation techniques and investigating whether new techniques are required to defend against these threats.
Also access our AI generated: Comprehensive summary, Lay summary, Blog-like article; or ask questions about this paper to our AI assistant.

Authors: Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, Mario Fritz

Abstract: We are currently witnessing dramatic advances in the capabilities of Large Language Models (LLMs). They are already being adopted in practice and integrated into many systems, including integrated development environments (IDEs) and search engines. The functionalities of current LLMs can be modulated via natural language prompts, while their exact internal functionality remains implicit and unassessable. This property, which makes them adaptable to even unseen tasks, might also make them susceptible to targeted adversarial prompting. Recently, several ways to misalign LLMs using Prompt Injection (PI) attacks have been introduced. In such attacks, an adversary can prompt the LLM to produce malicious content or override the original instructions and the employed filtering schemes. Recent work showed that these attacks are hard to mitigate, as state-of-the-art LLMs are instruction-following. So far, these attacks assumed that the adversary is directly prompting the LLM. In this work, we show that augmenting LLMs with retrieval and API calling capabilities (so-called Application-Integrated LLMs) induces a whole new set of attack vectors. These LLMs might process poisoned content retrieved from the Web that contains malicious prompts pre-injected and selected by adversaries. We demonstrate that an attacker can indirectly perform such PI attacks. Based on this key insight, we systematically analyze the resulting threat landscape of Application-Integrated LLMs and discuss a variety of new attack vectors. To demonstrate the practical viability of our attacks, we implemented specific demonstrations of the proposed attacks within synthetic applications. In summary, our work calls for an urgent evaluation of current mitigation techniques and an investigation of whether new techniques are needed to defend LLMs against these threats.

Submitted to arXiv on 23 Feb. 2023

Ask questions about this paper to our AI assistant

You can also chat with multiple papers at once here.

The license of the paper does not allow us to build upon its content and the AI assistant only knows about the paper metadata rather than the full article.

AI assistant instructions?

Results of the summarizing process for the arXiv paper: 2302.12173v1

This paper's license doesn't allow us to build upon its content and the summarizing process is here made with the paper's metadata rather than the article.

We are witnessing significant advancements in Large Language Models (LLMs), which are being integrated into various systems such as integrated development environments (IDEs) and search engines. These LLMs can be controlled through natural language prompts, but their internal functionality remains implicit and unassessable. While this adaptability makes them suitable for unseen tasks, it also exposes them to targeted adversarial prompting. Prompt Injection (PI) attacks have recently been introduced as a way to misalign LLMs. In these attacks, an adversary can manipulate the LLM to produce malicious content or override the original instructions and filtering schemes. However, these attacks have assumed that the adversary directly prompts the LLM. This work introduces a new set of attack vectors by augmenting LLMs with retrieval and API calling capabilities, known as Application-Integrated LLMs. These LLMs can process poisoned content retrieved from the web, which contains pre-injected malicious prompts selected by adversaries. The authors demonstrate that attackers can indirectly perform PI attacks using these Application-Integrated LLMs. Based on this insight, the authors systematically analyze the resulting threat landscape of Application-Integrated LLMs and discuss various new attack vectors to validate their practical viability. To further evaluate their findings, they implement specific demonstrations within synthetic applications. In summary, this work highlights the urgent need for evaluating current mitigation techniques and investigating whether new techniques are required to defend against these threats to LLMs.
Created on 17 Nov. 2023
Available in other languages: fr

Assess the quality of the AI-generated content by voting

Score: 0

Why do we need votes?

Votes are used to determine whether we need to re-run our summarizing tools. If the count reaches -10, our tools can be restarted.

The previous summary was created more than a year ago and can be re-run (if necessary) by clicking on the Run button below.

The license of this specific paper does not allow us to build upon its content and the summarizing tools will be run using the paper metadata rather than the full article. However, it still does a good job, and you can also try our tools on papers with more open licenses.

Similar papers summarized with our AI tools

Navigate through even more similar papers through a

tree representation

Look for similar papers (in beta version)

By clicking on the button above, our algorithm will scan all papers in our database to find the closest based on the contents of the full papers and not just on metadata. Please note that it only works for papers that we have generated summaries for and you can rerun it from time to time to get a more accurate result while our database grows.

Disclaimer: The AI-based summarization tool and virtual assistant provided on this website may not always provide accurate and complete summaries or responses. We encourage you to carefully review and evaluate the generated content to ensure its quality and relevance to your needs.