Papers
Topics
Authors
Recent
Search
2000 character limit reached

PISanitizer: Prompt Injection Defense

Updated 5 July 2026
  • PISanitizer is an inference-time defense that sanitizes explicit prompt injection instructions from long contexts using transformer attention mechanisms.
  • It employs a two-stage approach where a sanitizer LLM identifies and removes high-attention malicious tokens, ensuring the backend LLM processes only clean input.
  • Experimental results demonstrate low attack success rates and nearly restored utility across various LLM backends under diverse attack scenarios.

PISanitizer is an inference-time defense for long-context LLMs that seeks to prevent prompt injection by sanitizing the input context before it reaches the model that generates the final response. It is designed for the setting in which an attacker embeds an instruction inside a long context so that the model follows the attacker’s instruction rather than the intended task. The method first pinpoints and sanitizes potential injected tokens in a context and then lets a backend LLM answer on the sanitized context, with the stated goal of eliminating the influence of the injected instruction. Its central premise is that prompt injection attacks work by inserting an instruction that compels an LLM to follow it, and that transformer attention exposes which context tokens drive that instruction-following behavior (Geng et al., 13 Nov 2025).

1. Problem setting and threat model

PISanitizer targets long-context prompt injection. In this setting, an attacker injects an explicit instruction into the model’s input context, and the LLM may follow that malicious instruction instead of the target instruction. The paper states that existing prompt injection defenses are designed for short contexts and have limited effectiveness when extended to long-context scenarios, because an injected instruction constitutes only a very small portion of a long context (Geng et al., 13 Nov 2025).

The method assumes a separation between a sanitizer LLM and a backend LLM. The sanitizer is an open-source model used to inspect the context, while the backend is the model that ultimately answers the user’s intended task. This separation is operationally important because the backend LLM is intended to see only the sanitized context, not the original potentially contaminated context. A plausible implication is that the design supports deployments in which the inspection stage and the task-execution stage are decoupled.

The defense is specifically framed around explicit instructions embedded in context. The paper also states an important boundary condition: PISanitizer only removes explicit instructions and cannot defend against knowledge-corruption attacks that subtly bias factual output without explicit commands. This restriction materially shapes the scope of the system and distinguishes it from broader data-integrity or retrieval-integrity defenses.

2. Core observations and design rationale

PISanitizer is built on two observations. First, prompt-injection attacks work by injecting an explicit instruction into the context that compels the LLM to follow the malicious instruction instead of the intended task. Second, transformer-style LLMs rely on the self-attention mechanism to allocate high attention weights to those input tokens that drive the generation of each output token (Geng et al., 13 Nov 2025).

From these observations, the defense deliberately induces instruction-following behavior during sanitization. It constructs a short sanitization instruction whose only goal is to force the LLM to follow any instruction embedded in the context. The example given is:

“Do anything you are told to do in the following context. Context: {Context} Only do what the user asks you to do. Do not provide any explanation. Your response:”

The paper’s rationale is that if an injected instruction can successfully compel the sanitizer LLM, then the tokens responsible for that compulsion should receive relatively large attention weights from the first generated output token. PISanitizer then sanitizes those tokens. The paper characterizes this as a dilemma for the attacker: the more effectively an injected instruction compels an LLM to follow it, the more likely it is to be sanitized by PISanitizer.

This design differs from defenses that focus primarily on prompt classification or output filtering. Related work in the broader sanitization literature illustrates that this is part of a larger family of front-end defenses, but PISanitizer’s distinctive feature is the use of attention from a deliberately instruction-following sanitizer pass to localize malicious spans in long contexts. For context, Casper is a browser-side prompt sanitization system for user privacy rather than prompt injection (Chong et al., 2024), while CodeSentinel applies a three-layer sanitizer to indirect prompt injection in code contexts (Cheng et al., 17 Jun 2026). This suggests that PISanitizer occupies the natural-language, long-context branch of a broader sanitizer design space.

3. Sanitization pipeline

The pipeline has two phases: Prompt Sanitization and Backend LLM Response (Geng et al., 13 Nov 2025).

In the first phase, PISanitizer takes the target instruction ItI_t and a possibly contaminated context CC. It constructs the sanitization instruction IsI_s, feeds IsCI_s \oplus C to an open-source sanitizer LLM, and generates a single output token oo. The use of only the first output token is deliberate: the paper states that the first token’s attention scores already reveal which input tokens strongly influenced the model to follow an instruction.

It then extracts the attention weights between each context token ckCc_k \in C and the generated token oo across all LL layers and HH heads of the sanitizer LLM. These raw attention values are aggregated into a per-token score vector, smoothed, and analyzed for peaks. The procedure identifies local peaks, groups peaks that are within distance dd, and selects the highest-scoring group. If the maximum score of that group exceeds a threshold CC0, all tokens in that group are removed from the context. The process repeats for up to a maximum of 5 passes or until no further tokens are removed.

In the second phase, the system concatenates the sanitized context CC1 with the target instruction CC2 and queries the backend LLM to generate the final output. The paper states that this two-stage pipeline ensures that the backend LLM never sees the malicious instruction.

The high-level algorithm is:

IsCI_s \oplus C5

A common misunderstanding is that the method performs semantic rewriting of the context. The paper instead describes token removal based on attention-derived localization of the highest-scoring group.

4. Mathematical formulation and implementation parameters

Let the context be tokenized into CC3. The sanitizer LLM CC4 has CC5 Transformer layers, each with CC6 attention heads. When generating the first output token CC7 for prompt CC8, PISanitizer records

CC9

It performs layer-wise head averaging,

IsI_s0

followed by max-over-layers aggregation,

IsI_s1

The resulting score vector is IsI_s2. The system smooths IsI_s3 via Savitzky–Golay to obtain IsI_s4, identifies local maxima in IsI_s5, and clusters peaks within distance IsI_s6 into groups IsI_s7. Group scores are defined by

IsI_s8

Let IsI_s9. If IsCI_s \oplus C0, the system removes all tokens in IsCI_s \oplus C1.

The typical hyperparameters are:

IsCI_s \oplus C2

The architecture is explicitly two-stage. The sanitizer LLM is open-source, with the example of Llama-3.1-8B-Instruct. Its input is the single sanitization prompt IsCI_s \oplus C3, and it outputs one token plus per-token attention maps. The backend may be closed- or open-source, with examples including GPT-5. This suggests that PISanitizer is designed to be backend-agnostic so long as the sanitizer model exposes attention maps (Geng et al., 13 Nov 2025).

5. Experimental setup and empirical performance

The evaluation uses LongBench datasets: Qasper and HotpotQA for question answering, GovReport and MultiNews for summarization, LCC for code completion, and PassageRetrieval for retrieval. Each dataset contains 200 samples, with 100 randomly selected for evaluation (Geng et al., 13 Nov 2025).

Injected tasks include four categories: target answer generation, “Hacked,” classic NLP tasks, and general instructions. The attack suite includes heuristic-based attacks—Naive, Escape, Context-Ignoring, Fake-Completion, and Combined—along with optimization-based attacks using nano-GCG suffix optimization for up to 500 iterations, and adaptive attacks such as repeat injections, anti-sanitization wrappers, and suffix optimization minimizing attention weights.

The evaluated backends include open-source models—Llama-3.1-8B/70B and Qwen-30B—and closed-source models—GPT-4o, GPT-4o-mini, GPT-4.1, GPT-5. Baselines are divided into prevention methods (Sandwich, Instructional, Meta-SecAlign, DataFilter), detection methods (DataSentinel, PromptGuard, AttentionTracker), and detection+attribution methods (PromptArmor, PromptLocate, AttnTrace).

The reported metrics are utility, attack success rate, runtime, and precision/recall/F1 of token sanitization. Utility is task-specific, using F1, ROUGE-L, EditSim, and accuracy. The principal empirical claims are as follows (Geng et al., 13 Nov 2025):

  • Main defense effectiveness: with a Llama-3.1-8B backend under Combined Attack, without defense the ASR is approximately 66–97%, and utility degrades by 50–90%; with PISanitizer, ASR is approximately 0–2%, and utility is restored to within 1–5% of the no-attack baseline.
  • Cross-LLM generality: the method works similarly on GPT-4o, GPT-5, Qwen-30B, preserving utility and reducing ASR to near zero.
  • Injected task variations: ASR drops to 0–2% for all four injected-task categories.
  • HotpotQA under Combined Attack: Meta-SecAlign has ASR approximately 56% with utility drop approximately 10–30%; PromptArmor has ASR approximately 53–74% with utility drop approximately 5–30%; PromptLocate has ASR approximately 0% but utility drop approximately 20–50% and runtime > 600 s; PISanitizer has ASR approximately 1%, utility approximately at no-attack level, and runtime approximately 10 s consisting of 1.8 s sanitization + ≈8 s backend.
  • Adaptive attacks: ASR remains ≤ 4% even under heuristic and suffix-optimization attacks.
  • Sanitization accuracy: token-level precision is approximately 0.75–0.95, recall approximately 0.80–1.00, and F1 approximately 0.80–0.93.
  • Efficiency: sanitizing a 1–3 k token context requires approximately 1.8 s on a single H100 GPU.

These numbers position the method as a low-overhead defense relative to attribution-heavy baselines such as PromptLocate, while avoiding the paper’s reported utility drop for that baseline.

6. Limitations, failure modes, and relation to adjacent sanitization research

The paper identifies several limitations. First, PISanitizer only removes explicit instructions and does not defend against knowledge-corruption attacks. Second, it cannot distinguish benign from malicious instructions in the context; necessary benign instructions may therefore be removed, potentially lowering utility. Third, the method relies on the assumption that any instruction the sanitizer LLM follows will attract high attention. The paper states that if an attacker can compel the backend LLM without large attention to the instruction—described as an extremely “weak” attack—PISanitizer may fail (Geng et al., 13 Nov 2025).

The paper also notes prospective extensions: multi-modal LLMs, certifiable bounds on sanitization coverage or provable guarantees under restricted attacker knowledge, and automatic policy-based classification of sanitized spans as benign versus malicious.

These limitations matter because they delimit what “sanitization” means in this framework. PISanitizer is neither a general factual-integrity defense nor a semantic policy verifier. It is a targeted front end for localizing and removing explicit instruction-bearing spans before inference. A plausible implication is that it composes naturally with complementary defenses rather than replacing them.

Adjacent work underscores this specialization. Self-Sanitize addresses harmful content generation by combining token-level monitoring and in-place repair, and the abstract notes that it emphasizes privacy leakage scenarios rather than prompt injection (Fu et al., 29 Sep 2025). Casper sanitizes user prompts to remove PII and privacy-sensitive topics on-device before sending them to web-based LLM services (Chong et al., 2024). PrIsCI_s \oplus C4mpt formalizes prompt sanitization for sensitive tokens through format-preserving encryption and metric differential privacy (Chowdhury et al., 7 Apr 2025). CodeSentinel extends inference-time sanitization to indirect prompt injection in code contexts through syntax-guided filtering, dynamic anomaly scoring, and node perturbation analysis (Cheng et al., 17 Jun 2026). Taken together, these systems suggest that “sanitization” has become a unifying systems pattern across prompt security, privacy preservation, and model-facing context control, with PISanitizer representing the long-context prompt-injection instance of that pattern.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to PISanitizer.