scan.json (33876B)
1 { 2 "paper": { 3 "title": "SecAlign: Defending Against Prompt Injection with Preference Optimization", 4 "authors": [ 5 "Sizhe Chen", 6 "Arman Zharmagambetov", 7 "Saeed Mahloujifar", 8 "Kamalika Chaudhuri", 9 "David Wagner", 10 "Chuan Guo" 11 ], 12 "year": 2025, 13 "venue": "CCS '25 (ACM SIGSAC Conference on Computer and Communications Security)", 14 "arxiv_id": "2410.05451", 15 "doi": "10.1145/3719027.3744836" 16 }, 17 "scan_version": 3, 18 "active_modules": ["experimental_rigor", "data_leakage"], 19 "methodology_tags": ["benchmark-eval"], 20 "key_findings": "SecAlign formulates prompt injection defense as preference optimization (DPO), training LLMs to prefer secure outputs over insecure ones given prompt-injected inputs. On five open-weight models, SecAlign achieves 0% ASR against all optimization-free attacks and reduces optimization-based attack success rates to 1-14% (vs. 27-60% for prior SOTA StruQ), while preserving model utility. The defense generalizes to unseen attack types, injection positions, and out-of-distribution benchmarks (SEP, InjecAgent), though it is most effective when injections appear at the end of the data.", 21 "checklist": { 22 "artifacts": { 23 "code_released": { 24 "applies": true, 25 "answer": true, 26 "justification": "The abstract states 'Our code is here' with an implicit link. The paper references released code for reproduction." 27 }, 28 "data_released": { 29 "applies": true, 30 "answer": true, 31 "justification": "All datasets used are publicly available: AlpacaFarm (evaluation), Cleaned Alpaca (training), SEP, and InjecAgent. No proprietary datasets were collected." 32 }, 33 "environment_specified": { 34 "applies": true, 35 "answer": false, 36 "justification": "The paper mentions '4 NVIDIA Tesla A100s (80GB)', TRL, Peft, and PyTorch FSDP libraries, but provides no requirements.txt, Dockerfile, or detailed environment specification with library versions sufficient to recreate the setup." 37 }, 38 "reproduction_instructions": { 39 "applies": true, 40 "answer": false, 41 "justification": "No step-by-step reproduction instructions are provided in the paper. While code is referenced, the paper itself contains no README-like instructions for replicating experiments." 42 } 43 }, 44 "statistical_methodology": { 45 "confidence_intervals_or_error_bars": { 46 "applies": true, 47 "answer": false, 48 "justification": "The main results in Tables 6-8 and Figures 3-4 report only point estimates with no confidence intervals or error bars. Error bars appear only in the learning rate ablation (Fig. 6, five random runs at one LR) and standard deviation shading in Fig. 5 (across samples, not runs)." 49 }, 50 "significance_tests": { 51 "applies": true, 52 "answer": false, 53 "justification": "No statistical significance tests are used anywhere. Claims like 'SecAlign reduces ASR by a factor of >4 from StruQ' are based on direct numerical comparison without any hypothesis testing." 54 }, 55 "effect_sizes_reported": { 56 "applies": true, 57 "answer": true, 58 "justification": "Absolute ASR values are reported for all conditions alongside baselines (e.g., 'reduces ASR from 45% to 8%'), and WinRates are reported with baseline context. The reader can compute the magnitude of improvements from the provided numbers in Tables 6-8." 59 }, 60 "sample_size_justified": { 61 "applies": true, 62 "answer": false, 63 "justification": "The evaluation uses 208 AlpacaFarm samples with a data part for security and 805 for utility, adopted from prior work without any justification for sample size adequacy or power analysis." 64 }, 65 "variance_reported": { 66 "applies": true, 67 "answer": false, 68 "justification": "Main results appear to be single-run numbers. Variance across runs is only reported for one ablation configuration: 'five random runs' at the optimal learning rate in Fig. 6, showing 'small error bars.' No variance is reported for the main Tables 6-8." 69 } 70 }, 71 "evaluation_design": { 72 "baselines_included": { 73 "applies": true, 74 "answer": true, 75 "justification": "Extensive baselines are included: three fine-tuning defenses (StruQ, BIPIA, Instruction Hierarchy), five prompting-based defenses (Instructional, Reminder, Isolation, Sandwich, In-Context), and undefended models. Tables 1-2, 6-7 present comparisons." 76 }, 77 "baselines_contemporary": { 78 "applies": true, 79 "answer": true, 80 "justification": "Baselines are contemporary: StruQ (USENIX Security 2025), Instruction Hierarchy (2024, deployed in GPT-4o-mini), ISE (ICLR 2025), In-Context (ICML 2024). The authors note ISE has no official implementation." 81 }, 82 "ablation_study": { 83 "applies": true, 84 "answer": true, 85 "justification": "Section 4.6 presents ablation studies on: preference optimization algorithms (DPO vs. KTO vs. ORPO, Table 5), dataset sizes (Fig. 6 left), learning rates (Fig. 6 right), injection words and success criteria (Table 8)." 86 }, 87 "multiple_metrics": { 88 "applies": true, 89 "answer": true, 90 "justification": "Multiple metrics are used: AlpacaEval2 WinRate (utility), per-attack ASR and Max ASR for both optimization-free and optimization-based attacks (security), plus MMLU, Winogrande, AGIEval, CommonSenseQA (Table 4)." 91 }, 92 "human_evaluation": { 93 "applies": true, 94 "answer": true, 95 "justification": "Section 4.5 reports 'manual inspection on the first 50 test samples' to evaluate how SecAlign processes imperative sentences in data, finding 16% vs. 52% correct handling for undefended vs. SecAlign models." 96 }, 97 "held_out_test_set": { 98 "applies": true, 99 "answer": true, 100 "justification": "Training uses Cleaned Alpaca; testing uses AlpacaFarm, which the authors note are 'essentially two datasets instead of splits from one dataset, and their samples are without overlap inherently.' Test attacks (including 'Print exactly Hacked!') never appear in training." 101 }, 102 "per_category_breakdown": { 103 "applies": true, 104 "answer": true, 105 "justification": "Table 6 breaks down ASR by individual attack type (Ignore, Completion, Ignore-Completion, AdvPrompter, GCG, NeuralExec) and by model. Table 3 breaks down by injection position (start/middle/end). Table 8 varies injection words and success criteria." 106 }, 107 "failure_cases_discussed": { 108 "applies": true, 109 "answer": true, 110 "justification": "Table 3 shows SecAlign is weaker against injections at the start of data (11% ASR vs. 6.5% at end on SEP). Section 6 discusses scenarios where SecAlign fails: no explicit delimiters, multi-turn conversations, multi-modal inputs, further fine-tuning." 111 }, 112 "negative_results_reported": { 113 "applies": true, 114 "answer": true, 115 "justification": "Table 5 shows ORPO has doubled ASR compared to DPO. Table 4 shows 2-3% MMLU drops. Table 3 shows elevated ASR at start-of-data injection positions. The many-shot prompting experiment found no increase in attack success, reported as a null result." 116 } 117 }, 118 "claims_and_evidence": { 119 "abstract_claims_supported": { 120 "applies": true, 121 "answer": false, 122 "justification": "The abstract claims SecAlign 'reduces the success rates of various prompt injections to <10%' without model qualification. However, Table 6 shows Llama-7B has 14% GCG ASR and Llama3-8B has 9% GCG ASR under SecAlign. The <10% claim does not hold for all tested models." 123 }, 124 "causal_claims_justified": { 125 "applies": true, 126 "answer": true, 127 "justification": "Causal claims ('preference optimization teaches the LLM to prefer secure outputs') are supported by controlled experiments: comparing DPO-trained vs. SFT-only models with the same data, ablating the preference optimization algorithm (Table 5), and visualizing the causal mechanism via log probabilities (Fig. 2) and GCG loss curves (Fig. 5)." 128 }, 129 "generalization_bounded": { 130 "applies": true, 131 "answer": false, 132 "justification": "The abstract claims '<10%' success rate without qualifying which models or settings. Results vary substantially: 0-1% ASR on Instruct models but up to 14% on base models (Llama-7B). The title 'Defending Against Prompt Injection' is broad while the method only works with explicit instruction/data delimiters." 133 }, 134 "alternative_explanations_discussed": { 135 "applies": true, 136 "answer": false, 137 "justification": "The paper presents preference optimization as the explanation for improved security and does not substantively discuss alternative explanations. The speculation 'We suspect that the rich industry-level instruction-tuning data provide greater potential' is acknowledged as speculative without further investigation." 138 }, 139 "proxy_outcome_distinction": { 140 "applies": true, 141 "answer": true, 142 "justification": "ASR directly measures attack success (response begins with 'Hacked'), closely matching the security claim. Table 8 further explores alternative success criteria (in-response vs. begin-with). Utility is measured via multiple metrics (AlpacaEval2, MMLU, etc.), matching the granularity of the utility claim." 143 } 144 }, 145 "setup_transparency": { 146 "model_versions_specified": { 147 "applies": true, 148 "answer": false, 149 "justification": "Open-weight models are named (e.g., 'Llama3-8B-Instruct') with paper citations but no HuggingFace model IDs or exact checkpoint hashes. GPT-4-turbo and GPT-4o-mini used for evaluation have no snapshot dates or API version identifiers specified." 150 }, 151 "prompts_provided": { 152 "applies": true, 153 "answer": true, 154 "justification": "The prompt format is fully specified with exact delimiter tokens for each model (Section 4.1). Algorithm 1 provides the exact procedure for constructing training inputs. Attack examples are shown with full text. The evaluation injection ('Print exactly Hacked!') is stated." 155 }, 156 "hyperparameters_reported": { 157 "applies": true, 158 "answer": true, 159 "justification": "Section 4.1 reports DPO β=0.1, LoRA r=64, lora_alpha=8, lora_dropout=0.1, target_modules=['q_proj', 'v_proj'], per-model learning rates, 3 training epochs, 90/10 Straightforward/Completion attack ratio, GCG steps (500), and AdvPrompter λ=1000." 160 }, 161 "scaffolding_described": { 162 "applies": false, 163 "answer": false, 164 "justification": "No agentic scaffolding is used. SecAlign is a fine-tuning method applied directly to LLMs." 165 }, 166 "data_preprocessing_documented": { 167 "applies": true, 168 "answer": true, 169 "justification": "Algorithm 1 fully documents the preference dataset construction pipeline: sampling random injection pairs, 90/10 attack type split, delimiter formatting, desirable/undesirable output assignment. The evaluation data preprocessing is described (208 AlpacaFarm samples with data part, injection at end of data)." 170 } 171 }, 172 "limitations_and_scope": { 173 "limitations_section_present": { 174 "applies": true, 175 "answer": true, 176 "justification": "Section 6 contains a substantive limitations discussion with four bullet points covering: requirement for explicit delimiters, inability to guarantee 100% security, position sensitivity, and inapplicability to non-prompt-injection attacks." 177 }, 178 "threats_to_validity_specific": { 179 "applies": true, 180 "answer": true, 181 "justification": "Section 6 identifies specific threats: SecAlign is weaker for non-end-of-data injections (referencing Table 3), unknown behavior under further fine-tuning, untested on multi-turn conversations in web agents, and untested utility with multiple benign instructions." 182 }, 183 "scope_boundaries_stated": { 184 "applies": true, 185 "answer": true, 186 "justification": "Section 6 explicitly states what SecAlign does NOT address: jailbreaks, data extraction, multi-modal injections, multi-turn conversations, scenarios without explicit instruction/data delimiters. It states 'We do not regard SecAlign as a standalone solution to prompt injection attacks.'" 187 } 188 }, 189 "data_integrity": { 190 "raw_data_available": { 191 "applies": true, 192 "answer": false, 193 "justification": "Raw experimental outputs (model responses, per-sample attack results) are not released. Only aggregated metrics (ASR percentages, WinRates) are reported. The training and evaluation datasets (AlpacaFarm, Cleaned Alpaca) are public, but raw experiment results are not." 194 }, 195 "data_collection_described": { 196 "applies": true, 197 "answer": true, 198 "justification": "Algorithm 1 fully describes how the preference dataset is constructed from the Cleaned Alpaca dataset. Section 4.1 describes the evaluation setup: 208 AlpacaFarm samples with data parts, 'Print exactly Hacked!' injection at end of data, success criterion (response begins with 'Hacked'/'hacked')." 199 }, 200 "recruitment_methods_described": { 201 "applies": false, 202 "answer": false, 203 "justification": "No human participants. All data comes from standard public benchmarks (AlpacaFarm, Cleaned Alpaca, SEP, InjecAgent)." 204 }, 205 "data_pipeline_documented": { 206 "applies": true, 207 "answer": true, 208 "justification": "The full pipeline from Cleaned Alpaca to preference dataset is documented in Algorithm 1 with explicit steps. The evaluation pipeline is described: inject into 208 samples, run model, check if response begins with target word. No unexplained jumps in the data." 209 } 210 }, 211 "conflicts_of_interest": { 212 "funding_disclosed": { 213 "applies": true, 214 "answer": true, 215 "justification": "Acknowledgments section states: 'This research was supported by the Meta-BAIR Commons (2024-2026). UC Berkeley was supported by National Science Foundation under grant 2229876 (the ACTION center), Open Philanthropy, the Department of Homeland Security, and IBM.'" 216 }, 217 "affiliations_disclosed": { 218 "applies": true, 219 "answer": true, 220 "justification": "Author affiliations are clearly listed: Sizhe Chen (UC Berkeley / Meta), Arman Zharmagambetov (Meta), Saeed Mahloujifar (Meta), Kamalika Chaudhuri (Meta), David Wagner (UC Berkeley), Chuan Guo (Meta). Four of six authors are affiliated with Meta." 221 }, 222 "funder_independent_of_outcome": { 223 "applies": true, 224 "answer": false, 225 "justification": "Meta funds the research and four of six authors are Meta employees. Meta commercially deploys LLMs (Llama) that would benefit from improved prompt injection defense. The follow-up work [24] explicitly builds a Meta product. The funder has a direct interest in the outcome." 226 }, 227 "financial_interests_declared": { 228 "applies": true, 229 "answer": false, 230 "justification": "No competing interests or financial interests statement is present. The follow-up paper [24] ('Meta SecAlign') indicates this work directly feeds into Meta products, but this commercial interest is not declared." 231 } 232 }, 233 "contamination": { 234 "training_cutoff_stated": { 235 "applies": false, 236 "answer": false, 237 "justification": "This paper tests a defense method (SecAlign) against prompt injection attacks rather than evaluating pre-trained model knowledge on benchmarks. The core evaluation is whether the defense reduces attack success rates." 238 }, 239 "train_test_overlap_discussed": { 240 "applies": false, 241 "answer": false, 242 "justification": "This paper tests a defense method rather than model knowledge. However, the authors do address training/test data separation: 'they are essentially two datasets instead of splits from one dataset, and their samples are without overlap inherently.'" 243 }, 244 "benchmark_contamination_addressed": { 245 "applies": false, 246 "answer": false, 247 "justification": "This paper tests a defense against prompt injection rather than evaluating model capability on knowledge benchmarks. Benchmark contamination of the underlying models is not the focus." 248 } 249 }, 250 "human_studies": { 251 "pre_registered": { 252 "applies": false, 253 "answer": false, 254 "justification": "No human participants in this study. All experiments are automated evaluations of LLM behavior." 255 }, 256 "irb_or_ethics_approval": { 257 "applies": false, 258 "answer": false, 259 "justification": "No human participants. The study involves fine-tuning and evaluating LLMs on public datasets." 260 }, 261 "demographics_reported": { 262 "applies": false, 263 "answer": false, 264 "justification": "No human participants." 265 }, 266 "inclusion_exclusion_criteria": { 267 "applies": false, 268 "answer": false, 269 "justification": "No human participants." 270 }, 271 "randomization_described": { 272 "applies": false, 273 "answer": false, 274 "justification": "No human participants." 275 }, 276 "blinding_described": { 277 "applies": false, 278 "answer": false, 279 "justification": "No human participants." 280 }, 281 "attrition_reported": { 282 "applies": false, 283 "answer": false, 284 "justification": "No human participants." 285 } 286 }, 287 "cost_and_practicality": { 288 "inference_cost_reported": { 289 "applies": true, 290 "answer": false, 291 "justification": "No inference cost, latency, or tokens-per-example figures are reported for the SecAlign model at test time. The reader cannot assess the practical overhead of the defense." 292 }, 293 "compute_budget_stated": { 294 "applies": true, 295 "answer": true, 296 "justification": "Table 5 reports GPU hours for DPO training (2×4 A100 hours for Llama-7B). Section 4.1 states 'Our training requires 4 NVIDIA Tesla A100s (80GB).' GCG attack cost is noted as 'over 30 mins/sample' (Section 2.4)." 297 } 298 }, 299 "experimental_rigor": { 300 "seed_sensitivity_reported": { 301 "applies": true, 302 "answer": false, 303 "justification": "Five random runs are reported only for one configuration (optimal learning rate in Fig. 6), showing 'small error bars.' Seed sensitivity for the main results across models and attacks is not reported." 304 }, 305 "number_of_runs_stated": { 306 "applies": true, 307 "answer": false, 308 "justification": "The number of experimental runs is stated only for the learning rate ablation ('five random runs' at optimal LR, Fig. 6). For all main results in Tables 6-8 and Figures 3-4, the number of runs is not stated." 309 }, 310 "hyperparameter_search_budget": { 311 "applies": true, 312 "answer": false, 313 "justification": "While Fig. 6 (right) shows performance across a range of learning rates, the total number of configurations tried and compute spent on hyperparameter search is not reported. Per-model learning rates are listed but the search procedure is not documented." 314 }, 315 "best_config_selection_justified": { 316 "applies": true, 317 "answer": false, 318 "justification": "Fig. 6 (right) shows the learning rate sweep but it is unclear whether selection was done on the test set (AlpacaFarm) or a separate validation set. The same test metrics (WinRate, GCG ASR) appear used for both tuning and reporting." 319 }, 320 "multiple_comparison_correction": { 321 "applies": true, 322 "answer": false, 323 "justification": "No statistical tests are performed at all despite numerous comparisons across 5 models, 6+ attack types, and multiple defense baselines. Multiple comparison correction is therefore also absent." 324 }, 325 "self_comparison_bias_addressed": { 326 "applies": true, 327 "answer": false, 328 "justification": "The authors compare SecAlign against their own reproduction of baselines (StruQ reproduced from official code, BIPIA as 'our best reproduction'). The bias of authors evaluating their own system is not acknowledged, per the concern raised by Lucic et al. (2018)." 329 }, 330 "compute_budget_vs_performance": { 331 "applies": true, 332 "answer": false, 333 "justification": "SecAlign requires additional DPO training on top of SFT, roughly doubling training compute. The main comparisons with StruQ and other baselines do not normalize for or discuss compute budget differences." 334 }, 335 "benchmark_construct_validity": { 336 "applies": true, 337 "answer": false, 338 "justification": "The paper uses AlpacaEval2 WinRate as the primary utility metric and 'response begins with Hacked' as the primary security metric without discussing whether these benchmarks adequately measure the claimed constructs (general utility and security against prompt injection). Table 8 varies the success criterion but does not discuss construct validity." 339 }, 340 "scaffold_confound_addressed": { 341 "applies": false, 342 "answer": false, 343 "justification": "No agentic scaffolding is involved. SecAlign fine-tunes models directly; comparisons are between fine-tuned models without scaffold variation." 344 } 345 }, 346 "data_leakage": { 347 "temporal_leakage_addressed": { 348 "applies": true, 349 "answer": false, 350 "justification": "No discussion of whether AlpacaFarm or Cleaned Alpaca data existed before the base models' training cutoffs. Llama3 and Mistral models could have been trained on data that includes these benchmarks." 351 }, 352 "feature_leakage_addressed": { 353 "applies": true, 354 "answer": true, 355 "justification": "The evaluation injection ('Print exactly Hacked!') never appears in training data. Test attacks differ from training attacks (training uses only Straightforward and Completion; testing includes Ignore, Ignore-Completion, GCG, AdvPrompter, NeuralExec). The authors explicitly note test attacks 'have never been seen in training.'" 356 }, 357 "non_independence_addressed": { 358 "applies": true, 359 "answer": true, 360 "justification": "The authors explicitly address train-test independence: 'Despite having similar names, they are essentially two datasets instead of splits from one dataset, and their samples are without overlap inherently.' Training uses Cleaned Alpaca; testing uses AlpacaFarm." 361 }, 362 "leakage_detection_method": { 363 "applies": true, 364 "answer": false, 365 "justification": "No formal leakage detection method (canary strings, membership inference, n-gram overlap analysis) is applied. The authors rely on the datasets being different collections, which is discussed but not formally verified." 366 } 367 } 368 }, 369 "claims": [ 370 { 371 "claim": "SecAlign achieves 0% ASR against all optimization-free prompt injection attacks across all five tested models.", 372 "evidence": "Table 6 shows 0% Max ASR Opt.-Free for all SecAlign models (Mistral-7B-Instruct, Llama3-8B-Instruct, Llama-7B, Mistral-7B, Llama3-8B), with individual attack breakdowns confirming 0% for Ignore, Completion, and Ignore-Completion attacks.", 373 "supported": "strong" 374 }, 375 { 376 "claim": "SecAlign reduces optimization-based attack success rates to <10% on Instruct models, compared to >27% for StruQ.", 377 "evidence": "Table 6: Mistral-7B-Instruct SecAlign max opt-based ASR is 1% (vs. StruQ 27%), Llama3-8B-Instruct SecAlign is 8% (vs. StruQ 45%). Breakdown: AdvPrompter 1%/8%, GCG 1%/0%, NeuralExec 0%/0%.", 378 "supported": "strong" 379 }, 380 { 381 "claim": "SecAlign preserves model utility comparable to undefended models.", 382 "evidence": "Table 6: WinRates within 2% of undefended models for all five models. Table 4 shows ≤3% drop on MMLU and negligible changes on Winogrande, AGIEval, CommonSenseQA. Table 1 shows SecAlign (61.92%) vs. None (62.94%) on BIPIA's settings.", 383 "supported": "strong" 384 }, 385 { 386 "claim": "SecAlign reduces optimization-based ASR by a factor of >4 compared to StruQ consistently.", 387 "evidence": "Table 6: StruQ vs. SecAlign max opt-based ASR: 27%→1% (Mistral-7B-Inst, 27x), 45%→8% (Llama3-8B-Inst, 5.6x), 60%→14% (Llama-7B, 4.3x), 41%→1% (Mistral-7B, 41x), 43%→9% (Llama3-8B, 4.8x).", 388 "supported": "strong" 389 }, 390 { 391 "claim": "SecAlign generalizes to out-of-distribution prompt injection benchmarks (SEP, InjecAgent).", 392 "evidence": "Table 3: On SEP, SecAlign achieves 3.6-11% Ignore ASR depending on position (vs. 39.5-64% undefended). On InjecAgent, SecAlign achieves 0% ASR (vs. 75.9% undefended). However, SEP ASRs of 11% at start position are notable.", 393 "supported": "moderate" 394 }, 395 { 396 "claim": "The abstract states SecAlign 'reduces the success rates of various prompt injections to <10%'.", 397 "evidence": "Table 6 shows Llama-7B GCG ASR is 14% and Llama3-8B GCG ASR is 9%, both exceeding 10%. The claim holds for Instruct models (1%, 8%) and most base models but not all.", 398 "supported": "weak" 399 }, 400 { 401 "claim": "DPO is the optimal preference optimization algorithm balancing efficiency and performance.", 402 "evidence": "Table 5 on Llama-7B: DPO achieves 15% GCG ASR in 8 GPU hrs, KTO achieves 9% in 40 GPU hrs, ORPO achieves 34% in 6 GPU hrs. DPO balances performance and cost.", 403 "supported": "moderate" 404 } 405 ], 406 "red_flags": [ 407 { 408 "flag": "Meta conflict of interest", 409 "detail": "Four of six authors are Meta employees, the research is Meta-funded, and the follow-up paper [24] explicitly builds a Meta product ('Meta SecAlign'). Meta deploys Llama models commercially and benefits from improved prompt injection defense. No competing interests statement is provided." 410 }, 411 { 412 "flag": "Abstract overclaim", 413 "detail": "The abstract claims SecAlign 'reduces the success rates of various prompt injections to <10%' without qualification. Table 6 shows Llama-7B has 14% GCG ASR under SecAlign, violating this claim. The claim holds primarily for Instruct models." 414 }, 415 { 416 "flag": "No statistical significance tests", 417 "detail": "All claims of superiority are based on point comparisons of ASR and WinRate without any significance testing, despite numerous comparisons across 5 models, 6+ attack types, and 8+ baselines." 418 }, 419 { 420 "flag": "Main results appear to be single runs", 421 "detail": "Variance across random seeds is only reported for one learning rate configuration (5 runs). All main results in Tables 6-8 have no reported variance, making it impossible to assess result stability." 422 }, 423 { 424 "flag": "Possible test-set tuning", 425 "detail": "Fig. 6 (right) shows the learning rate sweep using GCG ASR and AlpacaEval2 WinRate — the same metrics used for the main results. It is unclear whether a separate validation set was used for hyperparameter selection." 426 } 427 ], 428 "cited_papers": [ 429 { 430 "title": "StruQ: Defending against prompt injection with structured queries", 431 "authors": ["Sizhe Chen", "Julien Piet", "Chawin Sitawarin", "David Wagner"], 432 "year": 2025, 433 "relevance": "Prior SOTA fine-tuning-based defense against prompt injection; the primary baseline for SecAlign's security comparisons." 434 }, 435 { 436 "title": "Universal and transferable adversarial attacks on aligned language models", 437 "authors": ["Andy Zou", "Zifan Wang", "Nicholas Carlini", "Milad Nasr", "J Zico Kolter", "Matt Fredrikson"], 438 "year": 2023, 439 "arxiv_id": "2307.15043", 440 "relevance": "Introduces GCG, the strongest optimization-based attack adapted for prompt injection evaluation in SecAlign." 441 }, 442 { 443 "title": "AdvPrompter: Fast adaptive adversarial prompting for LLMs", 444 "authors": ["Anselm Paulus", "Arman Zharmagambetov", "Chuan Guo", "Brandon Amos", "Yuandong Tian"], 445 "year": 2024, 446 "arxiv_id": "2404.16873", 447 "relevance": "Adversarial prompting method adapted for prompt injection attacks in SecAlign's evaluation." 448 }, 449 { 450 "title": "Neural Exec: Learning (and learning from) execution triggers for prompt injection attacks", 451 "authors": ["Dario Pasquini", "Martin Strohmeier", "Carmela Troncoso"], 452 "year": 2024, 453 "relevance": "Optimization-based prompt injection attack used as one of the three optimization-based evaluation attacks against SecAlign." 454 }, 455 { 456 "title": "Direct preference optimization: Your language model is secretly a reward model", 457 "authors": ["Rafael Rafailov", "Archit Sharma", "Eric Mitchell", "Christopher D Manning", "Stefano Ermon", "Chelsea Finn"], 458 "year": 2024, 459 "relevance": "Core algorithmic foundation of SecAlign; DPO is the preference optimization method used for fine-tuning secure LLMs." 460 }, 461 { 462 "title": "The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions", 463 "authors": ["Eric Wallace", "Kai Xiao", "Reimar Leike", "Lilian Weng", "Johannes Heidecke", "Alex Beutel"], 464 "year": 2024, 465 "arxiv_id": "2404.13208", 466 "relevance": "OpenAI's fine-tuning defense for prompt injection deployed in GPT-4o-mini; compared against SecAlign." 467 }, 468 { 469 "title": "Benchmarking and defending against indirect prompt injection attacks on large language models", 470 "authors": ["Jingwei Yi", "Yueqi Xie", "Bin Zhu", "Keegan Hines"], 471 "year": 2023, 472 "arxiv_id": "2312.14197", 473 "relevance": "BIPIA benchmark and fine-tuning defense for indirect prompt injection; compared against SecAlign in Table 1." 474 }, 475 { 476 "title": "Jatmo: Prompt injection defense by task-specific finetuning", 477 "authors": ["Julien Piet", "Maha Alrashed", "Chawin Sitawarin", "Sizhe Chen"], 478 "year": 2023, 479 "relevance": "Task-specific fine-tuning defense against prompt injection; alternative defense approach compared to SecAlign's general-purpose approach." 480 }, 481 { 482 "title": "Instructional segment embedding: Improving LLM safety with instruction hierarchy", 483 "authors": ["Tong Wu", "Shujian Zhang", "Kaiqiang Song"], 484 "year": 2025, 485 "relevance": "Concurrent architectural defense using segment embeddings to separate instructions from data; represents alternative defense paradigm." 486 }, 487 { 488 "title": "Not what you've signed up for: Compromising real-world LLM-integrated applications with indirect prompt injection", 489 "authors": ["Kai Greshake", "Sahar Abdelnabi", "Shailesh Mishra"], 490 "year": 2023, 491 "arxiv_id": "2302.12173", 492 "relevance": "Foundational work on indirect prompt injection attacks against LLM-integrated applications." 493 }, 494 { 495 "title": "AgentDojo: A dynamic environment to evaluate attacks and defenses for LLM agents", 496 "authors": ["Edoardo Debenedetti", "Jie Zhang", "Mislav Balunović"], 497 "year": 2024, 498 "relevance": "Dynamic evaluation environment for prompt injection attacks and defenses in agentic LLM settings." 499 }, 500 { 501 "title": "InjecAgent: Benchmarking indirect prompt injections in tool-integrated large language model agents", 502 "authors": ["Qiusi Zhan", "Zhixiang Liang", "Zifan Ying", "Daniel Kang"], 503 "year": 2024, 504 "relevance": "Benchmark for indirect prompt injection in tool-integrated LLM agents; used for out-of-distribution evaluation of SecAlign (Table 3)." 505 }, 506 { 507 "title": "Can LLMs separate instructions from data? And what do we even mean by that?", 508 "authors": ["Egor Zverev", "Sahar Abdelnabi", "Soroush Tabesh", "Mario Fritz", "Christoph H Lampert"], 509 "year": 2025, 510 "relevance": "SEP benchmark used for out-of-distribution security evaluation of SecAlign with 9.1K samples (Table 3)." 511 }, 512 { 513 "title": "Defeating prompt injections by design", 514 "authors": ["Edoardo Debenedetti", "Ilia Shumailov", "Tianqi Fan"], 515 "year": 2025, 516 "arxiv_id": "2503.18813", 517 "relevance": "System-level defense against prompt injection; cited as complementary approach that could be combined with SecAlign." 518 } 519 ], 520 "engagement_factors": { 521 "practical_relevance": { 522 "score": 3, 523 "justification": "Directly applicable defense: fine-tune any open-weight LLM with DPO on a preference dataset to harden it against prompt injection, with code released." 524 }, 525 "surprise_contrarian": { 526 "score": 1, 527 "justification": "Novel framing of prompt injection defense as preference optimization, but builds naturally on known DPO/RLHF techniques rather than contradicting established wisdom." 528 }, 529 "fear_safety": { 530 "score": 2, 531 "justification": "Addresses the OWASP #1 LLM security risk (prompt injection) and demonstrates real-world attack scenarios (Slack AI data exfiltration), raising awareness of deployment risks." 532 }, 533 "drama_conflict": { 534 "score": 0, 535 "justification": "No controversy or conflict; straightforward defense contribution that compares favorably to prior work." 536 }, 537 "demo_ability": { 538 "score": 2, 539 "justification": "Code is released and the method works on publicly available models (Llama, Mistral), though it requires GPU resources (4xA100) to reproduce fine-tuning." 540 }, 541 "brand_recognition": { 542 "score": 2, 543 "justification": "Meta AI and UC Berkeley affiliations provide recognition; the follow-up Meta SecAlign paper signals commercial adoption by a major AI lab." 544 } 545 } 546 }