To Protect the LLM Agent Against the Prompt Injection Attack with Polymorphic Prompt

Zhilong Wang; Neha Nagaraja; Lan Zhang; Hayretdin Bahsi; Pawan Patil; Peng Liu

doi:10.1109/DSN-S65789.2025.00037

To Protect the LLM Agent Against the Prompt Injection Attack with Polymorphic Prompt

Zhilong Wang, Neha Nagaraja, Lan Zhang, Hayretdin Bahsi, Pawan Patil, Peng Liu

College of Information Sciences and Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

LLM agents are widely used as agents for customer support, content generation, and code assistance. However, they are vulnerable to prompt injection attacks, where adversarial inputs manipulate the model's behavior. Traditional defenses like input sanitization, guard models, and guardrails are either cumbersome or ineffective. In this paper, we propose a novel, lightweight defense mechanism called Polymorphic Prompt Assembling (PPA), which protects against prompt injection with near-zero overhead. The approach is based on the insight that prompt injection requires guessing and breaking the structure of the system prompt. By dynamically varying the structure of system prompts, PPA prevents attackers from predicting the prompt structure, thereby enhancing security without compromising performance. We conducted experiments to evaluate the effectiveness of PPA against existing attacks and compared it with other defense methods.

Original language	English (US)
Title of host publication	Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025
Editors	Marcello Cinque, Domenico Cotroneo, Luigi De Simone, Matthias Eckhart, Patrick P. C. Lee, Saman Zonouz
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	22-28
Number of pages	7
ISBN (Electronic)	9798331512033
DOIs	https://doi.org/10.1109/DSN-S65789.2025.00037
State	Published - 2025
Event	55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025 - Naples, Italy Duration: Jun 23 2025 → Jun 26 2025

Publication series

Name	Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025

Conference

Conference	55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025
Country/Territory	Italy
City	Naples
Period	6/23/25 → 6/26/25

All Science Journal Classification (ASJC) codes

Software
Artificial Intelligence
Computer Networks and Communications
Information Systems
Safety, Risk, Reliability and Quality

Access to Document

10.1109/DSN-S65789.2025.00037

Cite this

Wang, Z., Nagaraja, N., Zhang, L., Bahsi, H., Patil, P., & Liu, P. (2025). To Protect the LLM Agent Against the Prompt Injection Attack with Polymorphic Prompt. In M. Cinque, D. Cotroneo, L. De Simone, M. Eckhart, P. P. C. Lee, & S. Zonouz (Eds.), Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025 (pp. 22-28). (Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DSN-S65789.2025.00037

Wang, Zhilong ; Nagaraja, Neha ; Zhang, Lan et al. / To Protect the LLM Agent Against the Prompt Injection Attack with Polymorphic Prompt. Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025. editor / Marcello Cinque ; Domenico Cotroneo ; Luigi De Simone ; Matthias Eckhart ; Patrick P. C. Lee ; Saman Zonouz. Institute of Electrical and Electronics Engineers Inc., 2025. pp. 22-28 (Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025).

@inproceedings{9cc6510f6f7648df86ebbeba8509c9c7,

title = "To Protect the LLM Agent Against the Prompt Injection Attack with Polymorphic Prompt",

abstract = "LLM agents are widely used as agents for customer support, content generation, and code assistance. However, they are vulnerable to prompt injection attacks, where adversarial inputs manipulate the model's behavior. Traditional defenses like input sanitization, guard models, and guardrails are either cumbersome or ineffective. In this paper, we propose a novel, lightweight defense mechanism called Polymorphic Prompt Assembling (PPA), which protects against prompt injection with near-zero overhead. The approach is based on the insight that prompt injection requires guessing and breaking the structure of the system prompt. By dynamically varying the structure of system prompts, PPA prevents attackers from predicting the prompt structure, thereby enhancing security without compromising performance. We conducted experiments to evaluate the effectiveness of PPA against existing attacks and compared it with other defense methods.",

author = "Zhilong Wang and Neha Nagaraja and Lan Zhang and Hayretdin Bahsi and Pawan Patil and Peng Liu",

note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025 ; Conference date: 23-06-2025 Through 26-06-2025",

year = "2025",

doi = "10.1109/DSN-S65789.2025.00037",

language = "English (US)",

series = "Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "22--28",

editor = "Marcello Cinque and Domenico Cotroneo and \{De Simone\}, Luigi and Matthias Eckhart and Lee, \{Patrick P. C.\} and Saman Zonouz",

booktitle = "Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025",

address = "United States",

}

Wang, Z, Nagaraja, N, Zhang, L, Bahsi, H, Patil, P & Liu, P 2025, To Protect the LLM Agent Against the Prompt Injection Attack with Polymorphic Prompt. in M Cinque, D Cotroneo, L De Simone, M Eckhart, PPC Lee & S Zonouz (eds), Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025. Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025, Institute of Electrical and Electronics Engineers Inc., pp. 22-28, 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025, Naples, Italy, 6/23/25. https://doi.org/10.1109/DSN-S65789.2025.00037

To Protect the LLM Agent Against the Prompt Injection Attack with Polymorphic Prompt. / Wang, Zhilong; Nagaraja, Neha; Zhang, Lan et al.
Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025. ed. / Marcello Cinque; Domenico Cotroneo; Luigi De Simone; Matthias Eckhart; Patrick P. C. Lee; Saman Zonouz. Institute of Electrical and Electronics Engineers Inc., 2025. p. 22-28 (Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - To Protect the LLM Agent Against the Prompt Injection Attack with Polymorphic Prompt

AU - Wang, Zhilong

AU - Nagaraja, Neha

AU - Zhang, Lan

AU - Bahsi, Hayretdin

AU - Patil, Pawan

AU - Liu, Peng

PY - 2025

Y1 - 2025

N2 - LLM agents are widely used as agents for customer support, content generation, and code assistance. However, they are vulnerable to prompt injection attacks, where adversarial inputs manipulate the model's behavior. Traditional defenses like input sanitization, guard models, and guardrails are either cumbersome or ineffective. In this paper, we propose a novel, lightweight defense mechanism called Polymorphic Prompt Assembling (PPA), which protects against prompt injection with near-zero overhead. The approach is based on the insight that prompt injection requires guessing and breaking the structure of the system prompt. By dynamically varying the structure of system prompts, PPA prevents attackers from predicting the prompt structure, thereby enhancing security without compromising performance. We conducted experiments to evaluate the effectiveness of PPA against existing attacks and compared it with other defense methods.

AB - LLM agents are widely used as agents for customer support, content generation, and code assistance. However, they are vulnerable to prompt injection attacks, where adversarial inputs manipulate the model's behavior. Traditional defenses like input sanitization, guard models, and guardrails are either cumbersome or ineffective. In this paper, we propose a novel, lightweight defense mechanism called Polymorphic Prompt Assembling (PPA), which protects against prompt injection with near-zero overhead. The approach is based on the insight that prompt injection requires guessing and breaking the structure of the system prompt. By dynamically varying the structure of system prompts, PPA prevents attackers from predicting the prompt structure, thereby enhancing security without compromising performance. We conducted experiments to evaluate the effectiveness of PPA against existing attacks and compared it with other defense methods.

UR - https://www.scopus.com/pages/publications/105011416473

UR - https://www.scopus.com/inward/citedby.url?scp=105011416473&partnerID=8YFLogxK

U2 - 10.1109/DSN-S65789.2025.00037

DO - 10.1109/DSN-S65789.2025.00037

M3 - Conference contribution

AN - SCOPUS:105011416473

T3 - Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025

SP - 22

EP - 28

BT - Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025

A2 - Cinque, Marcello

A2 - Cotroneo, Domenico

A2 - De Simone, Luigi

A2 - Eckhart, Matthias

A2 - Lee, Patrick P. C.

A2 - Zonouz, Saman

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025

Y2 - 23 June 2025 through 26 June 2025

ER -

Wang Z, Nagaraja N, Zhang L, Bahsi H, Patil P, Liu P. To Protect the LLM Agent Against the Prompt Injection Attack with Polymorphic Prompt. In Cinque M, Cotroneo D, De Simone L, Eckhart M, Lee PPC, Zonouz S, editors, Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025. Institute of Electrical and Electronics Engineers Inc. 2025. p. 22-28. (Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume, DSN-S 2025). doi: 10.1109/DSN-S65789.2025.00037

To Protect the LLM Agent Against the Prompt Injection Attack with Polymorphic Prompt

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this