Papers
Topics
Authors
Recent
Search
2000 character limit reached

PIArena: Prompt Injection Evaluation

Updated 12 April 2026
  • PIArena is a unified and extensible platform for evaluating prompt injection attacks and defenses in LLM systems, featuring formal threat models and standardized metrics.
  • It employs a modular architecture with plug-and-play components—including benchmarks, attack, defense, and evaluator modules—to facilitate rigorous, cross-task evaluation.
  • The platform’s comprehensive benchmarks and adaptive strategy-based attacks reveal key trade-offs between utility and robustness, guiding the development of next-generation LLM defenses.

PIArena is a unified and extensible platform for the evaluation of prompt injection attacks and defenses in LLM systems. Its design addresses the lack of standardized methodology for assessing the robustness and generalization of prompt injection defenses across diverse tasks, datasets, and attack strategies. PIArena includes formal definitions, a modular architecture, comprehensive benchmarks, a dynamic adaptive attack method, and a systematic evaluation protocol grounded in recent empirical findings (Geng et al., 9 Apr 2026).

1. Formal Threat Model and Metrics

PIArena formalizes prompt injection in the black-box setting. Consider a user issuing a target instruction ItI_t (e.g., "Summarize the following document") and providing a context CC to an LLM gg. The canonical response is

R=g(It⊕C)R = g(I_t \oplus C)

where ⊕\oplus is string concatenation. A prompt injection adversary crafts an injected instruction IsI_s and tampered context C′=C⊕IsC' = C \oplus I_s, constructing

R′=g(It⊕C′)R' = g(I_t \oplus C')

with the goal that R′R' fulfills the injected task rather than the user's target task.

Defenses are grouped as:

  • Detection-based: classify C′C' as "clean"/"contaminated," blocking queries if contaminated.
  • Prevention-based: sanitize, re-prompt, or fine-tune so that CC0 executes the intended instruction even under CC1.

Primary evaluation metrics are:

  • Utility (U): Task performance under clean/defended context (e.g., F1, ROUGE-L, or LLM-judge score).
  • Attack Success Rate (ASR): Proportion of contaminated samples where model output completes the injected instruction. Formally, for CC2 samples: CC3 with IsSuccess determined by an LLM-judge.

2. Platform Architecture and Modular Design

PIArena's system is composed of four core plug-and-play modules with standardized interfaces:

Module Input Output / Role
Benchmark JSONL dataset with {target_inst, context, injected_task, ...} Supplies test cases and ground truths
Attack Sample CC4 Generates and injects prompt
Defense Tampered context CC5 Returns model response (possibly sanitized, rejected, or flagged)
Evaluator Model response, sample metadata Computes utility and ASR

The canonical workflow is:

  1. Benchmark yields sample CC6.
  2. Attack generates CC7 and constructs CC8.
  3. Defense processes CC9 (e.g., sanitizes or classifies) and queries LLM gg0.
  4. Evaluator scores utility and ASR via rules and LLM-as-judge assessments.

The open modular design allows arbitrary integration of new attack algorithms, defense mechanisms, or benchmark datasets by implementing their interface.

3. Benchmark Suite and Evaluation Protocol

PIArena provides a portfolio of 1,700 benchmark samples from 14 datasets, facilitating rigorous cross-task evaluation:

  • Task types: question answering (SQuAD v2, Dolly-QA), summarization/information extraction (Dolly), retrieval-augmented generation (NQ, MS-MARCO, HotpotQA), and long-context challenges (LongBench: Qasper, GovReport, MultiNews, etc.).
  • Injected goals: phishing, content promotion, access denial, infrastructure failure (all tasks LLM-generated for contextual realism).
  • Backend LLMs: both open-source (Qwen3-4B, Llama3-70B, gpt-oss-120B) and proprietary (GPT-4o, GPT-5, Claude-4.5, Gemini-3-Pro/Flash).
  • Attack modes: Combined (ensemble heuristics), Direct (undistorted injection), Strategy (adaptive/dynamic).

PIArena's protocols encompass:

  • Attack-only (raw ASR),
  • Defense-only (utility under clean/defended inputs),
  • Combined (full factorial evaluation: all attacks × defenses × datasets × models).

Responses are judged using F1, ROUGE-L, retrieval metrics, or explicitly via LLM-judge YES/NO verdict on whether the output responded to the injected instruction.

4. Adaptive Strategy-Based Attack

A central innovation is the dynamic, feedback-driven attack:

  • Phase 1: Candidate Generation. The base injection gg1 is rewritten by a set of strategies gg2 to produce a diverse pool gg3 of candidate prompts per strategy. Each is tested; immediate successes are returned.
  • Phase 2: Feedback-Guided Refinement. Unsuccessful seeds undergo black-box refinement for up to gg4 iterations. Each iteration, PIArena assesses output:
    • If detected/sanitized, instructs "increase stealth."
    • If ignored, instructs "increase imperativeness."
    • Else, iteratively rewrites to evade the defense, using an attacker LLM for Rewrite(P, guidance).

This loop typically converges in 1–2 iterations for most defenses (worst case 4.6 for the strongest), achieving substantially higher ASR than static approaches.

5. Comparative Analysis of Attacks and Defenses

PIArena's comprehensive cross-benchmark evaluations reveal critical trends:

  • Limited generalizability: Defenses that appear robust (e.g., PISanitizer, SecAlign++) under engineered attacks demonstrate high ASR (11% Direct, 4% Combined, but up to 21% against adaptive attacks; e.g., SecAlign++ falls from 58% utility under no attack vs 74% baseline).
  • Utility-robustness tradeoff: Strategies such as DataSentinel maintain low ASR but with high false positive rates or near-zero utility (e.g., AttentionTracker, 15% utility).
  • Adaptive attack vulnerability: The strategy-based attack achieves 99% ASR when defenses are absent, 86% under PISanitizer, and can surpass 21% under SecAlign++.
  • Closed-source model exposure: All high-performance models, including GPT-4o-mini (76% ASR), GPT-5 (70%), and Claude-4.5 (31% but 97% utility loss on strategy attack), are susceptible.
  • Task-alignment limitations: For injected tasks aligned with the target (e.g., factual disinformation in QA), ASR exceeds 80% for all defenses, indicating the inherent limitation of detection/sanitization methods at the instruction level.

PIArena also integrates and evaluates agentic benchmarks (InjecAgent, AgentDojo, AgentDyn, WASP) and general-purpose benchmarks (OPI, SEP), substantiating that performance failures extend across both general and agent-specific evaluation settings.

6. Implications, Limitations, and Future Directions

PIArena's results crystallize three key recommendations:

  • Require systematic, cross-task evaluation: Defenses must be scrutinized under diverse datasets, attacks, and injection scenarios. PIArena's unified API enables such comprehensive assessments.
  • Adopt adaptive threat models: Relying on static or template-based attacks overestimates defense robustness; development must leverage dynamic adversarial routines.
  • Transition from instruction detection to content verification: Defenses restricted to prompt structure lack efficacy against content-rewriting or knowledge-level attacks (e.g., disinformation), necessitating techniques such as external fact checking, provenance tracing, or semantic validation.

A central limitation is that benchmarks, though broad, do not encompass the entire spectrum of real-world attacks or system configurations; however, current results already expose severe and general weaknesses. PIArena's open-source release invites further community-driven extension.

7. Usage and Extensibility

PIArena is designed for high usability and extensibility:

  • Installation: Via standard Python package management.
  • Integration: New attacks, defenses, and benchmarks are supported by implementing modular interfaces; example code demonstrates one-line instantiation for each.
  • Evaluation routines: Plug-and-play for any combination of attack, defense, benchmark, and model backend.

The platform aims to accelerate empirical progress toward robust prompt injection defense by enforcing rigorous, comprehensive, and reproducible evaluation practices (Geng et al., 9 Apr 2026).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to PIArena.