Search papers, labs, and topics across Lattice.
This paper introduces ICON, a novel defense framework against Indirect Prompt Injection (IPI) attacks in LLM agents that addresses the over-refusal problem of existing methods. ICON leverages a Latent Space Trace Prober to detect IPI attacks by identifying over-focusing signatures in the latent space. It then employs a Mitigating Rectifier to selectively steer attention, suppressing adversarial query key dependencies while amplifying task-relevant elements, thereby restoring the LLM's intended trajectory.
LLM agents can now defend against indirect prompt injection attacks without sacrificing task performance, thanks to a new method that surgically manipulates attention based on latent space analysis.
Large Language Model (LLM) agents are susceptible to Indirect Prompt Injection (IPI) attacks, where malicious instructions in retrieved content hijack the agent's execution. Existing defenses typically rely on strict filtering or refusal mechanisms, which suffer from a critical limitation: over-refusal, prematurely terminating valid agentic workflows. We propose ICON, a probing-to-mitigation framework that neutralizes attacks while preserving task continuity. Our key insight is that IPI attacks leave distinct over-focusing signatures in the latent space. We introduce a Latent Space Trace Prober to detect attacks based on high intensity scores. Subsequently, a Mitigating Rectifier performs surgical attention steering that selectively manipulate adversarial query key dependencies while amplifying task relevant elements to restore the LLM's functional trajectory. Extensive evaluations on multiple backbones show that ICON achieves a competitive 0.4% ASR, matching commercial grade detectors, while yielding a over 50% task utility gain. Furthermore, ICON demonstrates robust Out of Distribution(OOD) generalization and extends effectively to multi-modal agents, establishing a superior balance between security and efficiency.
