Search papers, labs, and topics across Lattice.
This study systematically evaluates five prompting-based defenses against domain-camouflaged injection attacks across three model families and deployment domains, utilizing 3,510 trials. The key finding reveals that paraphrasing retrieved content consistently reduces attack success rates by 55-84%, outperforming other defenses and even the Llama Guard 4 configuration across all models tested. Notably, the effectiveness of these defenses varies significantly by model and domain, highlighting the financial sector as particularly vulnerable with a baseline attack success rate of 26-33%.
Paraphrasing content before processing slashes domain-camouflaged attack success rates by up to 84%, but effectiveness varies drastically by model and domain.
Domain-camouflaged injection attacks embed malicious instructions in retrieved content using domain-appropriate vocabulary, evading standard detectors that rely on syntactic injection markers. When detection fails, practitioners need to know which defense architectures reduce attack success. We evaluate five prompting-based defenses (spotlighting, paraphrasing, prompt sandwiching, and two combinations) against domain-camouflaged injection across three model families (Claude Haiku, Llama 3.1 8B, Gemini 2.0 Flash) and three deployment domains (financial, legal, general) using 3,510 trials. Paraphrasing retrieved content before agent processing is the most consistently effective defense in this benchmark, reducing camouflage attack success rate by 55-84\% depending on model, and achieves lower attack success rates than our Llama Guard 4 configuration on every model tested. Defense effectiveness is strongly model-dependent: spotlighting halves attack success on Claude Haiku but provides no benefit on Llama 3.1 8B. Financial domain deployments face the highest residual risk at 26-33\% baseline attack success rate, with no prompting-based defense fully eliminating the threat on weaker models. These results provide the first systematic evaluation of prompting-based defenses specifically against camouflage-class injection attacks and establish benchmark-based recommendations for practitioners. All tasks use synthetically constructed professional documents; whether these benchmark rankings generalize to real enterprise documents remains an open question.