Papers
Topics
Authors
Recent
Assistant
AI Research Assistant
Well-researched responses based on relevant abstracts and paper content.
Custom Instructions Pro
Preferences or requirements that you'd like Emergent Mind to consider when generating responses.
Gemini 2.5 Flash
Gemini 2.5 Flash 156 tok/s
Gemini 2.5 Pro 46 tok/s Pro
GPT-5 Medium 23 tok/s Pro
GPT-5 High 25 tok/s Pro
GPT-4o 58 tok/s Pro
Kimi K2 187 tok/s Pro
GPT OSS 120B 435 tok/s Pro
Claude Sonnet 4.5 39 tok/s Pro
2000 character limit reached

Prompt Leakage effect and defense strategies for multi-turn LLM interactions (2404.16251v3)

Published 24 Apr 2024 in cs.CR, cs.AI, and cs.CL

Abstract: Prompt leakage poses a compelling security and privacy threat in LLM applications. Leakage of system prompts may compromise intellectual property, and act as adversarial reconnaissance for an attacker. A systematic evaluation of prompt leakage threats and mitigation strategies is lacking, especially for multi-turn LLM interactions. In this paper, we systematically investigate LLM vulnerabilities against prompt leakage for 10 closed- and open-source LLMs, across four domains. We design a unique threat model which leverages the LLM sycophancy effect and elevates the average attack success rate (ASR) from 17.7% to 86.2% in a multi-turn setting. Our standardized setup further allows dissecting leakage of specific prompt contents such as task instructions and knowledge documents. We measure the mitigation effect of 7 black-box defense strategies, along with finetuning an open-source model to defend against leakage attempts. We present different combination of defenses against our threat model, including a cost analysis. Our study highlights key takeaways for building secure LLM applications and provides directions for research in multi-turn LLM interactions

Definition Search Book Streamline Icon: https://streamlinehq.com
References (37)
  1. Bioasq: A challenge on large-scale biomedical semantic indexing and question answering. In Multimodal Retrieval in the Medical Domain: First International Workshop, MRMD 2015, Vienna, Austria, March 29, 2015, Revised Selected Papers, pp.  26–39. Springer, 2015.
  2. Extracting training data from large language models, 2021.
  3. Fnspid: A comprehensive financial news dataset in time series, 2024.
  4. Coercing llms to do and reveal (almost) anything, 2024.
  5. Not what you’ve signed up for: Compromising real-world llm-integrated applications with indirect prompt injection, 2023.
  6. Are large pre-trained language models leaking your personal information? arXiv preprint arXiv:2205.12628, 2022.
  7. Preventing generation of verbatim memorization in language models gives a false sense of privacy. In C. Maria Keet, Hung-Yi Lee, and Sina Zarrieß (eds.), Proceedings of the 16th International Natural Language Generation Conference, pp.  28–53, Prague, Czechia, September 2023. Association for Computational Linguistics. doi: 10.18653/v1/2023.inlg-main.3. URL https://aclanthology.org/2023.inlg-main.3.
  8. Baseline defenses for adversarial attacks against aligned language models. arXiv preprint arXiv:2309.00614, 2023.
  9. Mistral 7b. arXiv preprint arXiv:2310.06825, 2023.
  10. Mixtral of experts. arXiv preprint arXiv:2401.04088, 2024.
  11. Pubmedqa: A dataset for biomedical research question answering. arXiv preprint arXiv:1909.06146, 2019.
  12. Propile: Probing privacy leakage in large language models. Advances in Neural Information Processing Systems, 36, 2024.
  13. Billsum: A corpus for automatic summarization of us legislation. In Proceedings of the 2nd Workshop on New Frontiers in Summarization, pp.  48–56, 2019.
  14. Are you sure? challenging llms leads to performance drops in the flipflop experiment. arXiv preprint arXiv:2311.08596, 2023.
  15. Multi-step jailbreaking privacy attacks on chatgpt. arXiv preprint arXiv:2304.05197, 2023.
  16. Query rewriting via large language models, 2024.
  17. Prompt injection attack against llm-integrated applications. arXiv preprint arXiv:2306.05499, 2023.
  18. Query rewriting for retrieval-augmented large language models, 2023.
  19. OpenAI. Gpt-4 technical report. ArXiv, abs/2303.08774, 2023.
  20. Ignore previous prompt: Attack techniques for language models. arXiv preprint arXiv:2211.09527, 2022.
  21. Follow my instruction and spill the beans: Scalable data extraction from retrieval-augmented generation systems, 2024.
  22. In-context retrieval-augmented language models. Transactions of the Association for Computational Linguistics, 11:1316–1331, 2023.
  23. Prompt stealing attacks against large language models, 2024.
  24. Towards understanding sycophancy in language models. ArXiv, abs/2310.13548, 2023. URL https://api.semanticscholar.org/CorpusID:264405698.
  25. Gemini: a family of highly capable multimodal models. arXiv preprint arXiv:2312.11805, 2023.
  26. Llama 2: Open foundation and fine-tuned chat models. arXiv preprint arXiv:2307.09288, 2023.
  27. The art of defending: A systematic evaluation and analysis of llm defense strategies on safety and over-defensiveness. arXiv preprint arXiv:2401.00287, 2023.
  28. A new era in llm security: Exploring security concerns in real-world llm-based systems, 2024.
  29. Llm jailbreak attack versus defense techniques – a comprehensive study, 2024.
  30. Prsa: Prompt reverse stealing attacks against large language models, 2024.
  31. Benchmarking and defending against indirect prompt injection attacks on large language models, 2023.
  32. The good and the bad: Exploring privacy issues in retrieval-augmented generation (rag), 2024.
  33. Injecagent: Benchmarking indirect prompt injections in tool-integrated large language model agents, 2024.
  34. Effective prompt extraction from language models, 2024a.
  35. Intention analysis prompting makes large language models a good jailbreak defender. arXiv preprint arXiv:2401.06561, 2024b.
  36. Defending large language models against jailbreaking attacks through goal prioritization, 2023.
  37. Autodan: Interpretable gradient-based adversarial attacks on large language models, 2023.
Citations (6)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
Dice Question Streamline Icon: https://streamlinehq.com

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now
Lightbulb Streamline Icon: https://streamlinehq.com

Continue Learning

We haven't generated follow-up questions for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now
List To Do Tasks Checklist Streamline Icon: https://streamlinehq.com

Collections

Sign up for free to add this paper to one or more collections.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets

This paper has been mentioned in 4 tweets and received 1 like.

Upgrade to Pro to view all of the tweets about this paper:

Start a free 7-day Pro trial