Search papers, labs, and topics across Lattice.
This paper introduces a three-layer security framework designed to mitigate prompt injection vulnerabilities in retrieval-augmented generation (RAG) chatbots, addressing a critical issue identified by the OWASP Top 10 for LLM Applications. The framework employs a combination of input screening, provenance-based instruction enforcement, and output auditing to significantly reduce the Attack Success Rate (ASR) from 71.4% to 11.3%, while maintaining a low false positive rate and manageable latency. Evaluation across multiple LLMs confirms that the layered approach provides superior protection compared to existing single-layer defenses, highlighting the importance of comprehensive security in AI applications.
A three-layer security framework slashes prompt injection attack success rates from 71.4% to just 11.3%, showcasing the necessity of multi-faceted defenses in RAG chatbots.
Prompt injection is ranked as the most critical vulnerability in large language model (LLM) deployments by the OWASP Top 10 for LLM Applications, yet existing defenses operate at isolated pipeline stages and remain incomplete. Input filters cannot inspect retrieved documents, while output monitors cannot prevent malicious payloads from reaching the model. Consequently, retrieval-augmented generation (RAG) chatbots remain vulnerable to indirect injection, where a poisoned knowledge-base document compromises every user whose query retrieves it. We present a three-layer framework that intercepts both direct and indirect prompt injection throughout the inference pipeline. Layer 1 screens user input using a rule-based pattern library and a fine-tuned semantic anomaly classifier. Layer 2 enforces a provenance-based instruction hierarchy during context assembly, preventing retrieved content from overriding operator policy. Layer 3 audits model output using a policy rule engine and semantic drift detector before delivery. A continuous audit loop aggregates structured logs and supports retraining to adapt the classifier to emerging attack patterns. The framework is model-agnostic and deploys as middleware without modifying the underlying LLM. Evaluation on 5,080 samples across GPT-4o, Llama 3, and Mistral 7B shows that the framework reduces Attack Success Rate (ASR) from 71.4\% to 11.3\%, outperforming the best single-layer baseline by 27.3 percentage points and a published guardrail system by 23.8 percentage points, while maintaining a 4.8\% false positive rate and a median latency overhead of 61.2 ms. Ablation studies confirm that all three layers provide complementary protection and that their combined effect exceeds the sum of individual contributions.