Safeguarding System Prompts: A Surrogate-Based Defense Against Injection Attacks

Download PDF

Rong Dai, Yonggang Zhang, Ming Pei, Ang Li, Tongliang Liu, Xun Yang, Bo Han

25 Sept 2024 (modified: 03 Dec 2024)ICLR 2025 Conference Withdrawn SubmissionEveryoneRevisionsBibTeXCC BY 4.0
Keywords: LLM safety;
Abstract: System prompts, essential for guiding model outputs, play a pivotal role as large language models proliferate across diverse applications. Despite their importance, these prompts are highly vulnerable to injection attacks. Intuitively, adding defensive prompts and implementing output filtering could offer strong protection, but these defenses rely on direct access to the system prompt—a luxury increasingly unavailable in today’s evolving prompt market and third-party defense scenarios, where prompts must remain concealed and confidential. To address this pressing limitation, we introduce SurF (Surrogate-based Filtering), a novel approach that compensates for the lack of system prompt access by utilizing a surrogate prompt pool. Namely, we leverage the prompt pool as the surrogate of the system prompt. Once a potential leak from this pool is identified, the input is classified as harmful, and the system resists generating a response. Experiments on various models, including both offline and online LLM services, demonstrate SurF’s effectiveness in reducing attack success rates. Furthermore, we evaluate the trade-off between defense robustness and response consistency on natural inputs using a response-following metric. Our findings indicate that while stronger defenses reduce attack success, they may also degrade the quality of legitimate responses.
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2025/AuthorGuide.
Reciprocal Reviewing: I understand the reciprocal reviewing requirement as described on https://iclr.cc/Conferences/2025/CallForPapers. If none of the authors are registered as a reviewer, it may result in a desk rejection at the discretion of the program chairs. To request an exception, please complete this form at https://forms.gle/Huojr6VjkFxiQsUp6.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors’ identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 4436

OpenReview is a long-term project to advance science through improved peer review with legal nonprofit status. We gratefully acknowledge the support of the OpenReview Sponsors. © 2025 OpenReview