Reachal Wang (Duke University), Yuqi Jia (Duke University), Neil Zhenqiang Gong (Duke University)

Prompt injection attacks aim to contaminate the input data of an LLM to mislead it into completing an attacker-chosen task instead of the intended task. In many applications and agents, the input data originates from multiple sources, with each source contributing a segment of the overall input. In these multi-source scenarios, an attacker may control only a subset of the sources and contaminate the corresponding segments, but typically does not know the order in which the segments are arranged within the input. Existing prompt injection attacks either assume that the entire input data comes from a single source under the attacker’s control or ignore the uncertainty in the ordering of segments from different sources. As a result, their success is limited in domains involving multi-source data.

In this work, we propose ObliInjection, the first prompt injection attack targeting LLM applications and agents with multisource input data. ObliInjection introduces two key technical innovations: the order-oblivious loss, which quantifies the likelihood that the LLM will complete the attacker-chosen task regardless of how the clean and contaminated segments are ordered; and the orderGCG algorithm, which is tailored to minimize the order-oblivious loss and optimize the contaminated segments. Comprehensive experiments across three datasets spanning diverse application domains and twelve LLMs demonstrate that ObliInjection is highly effective, even when only one out of 6–100 segments in the input data is contaminated. Our code and data are available at: https://github.com/ReachalWang/ObliInjection.

View More Papers

A Usability Evaluation Method for SOC Tools Using a...

Yukina Okazawa (Toho University), Akira Kanaoka (Toho University), Takumi Yamamoto (Mitsubishi Electric Corporation)

Read More

Better Safe than Sorry: Uncovering the Insecure Resource Management...

Yizhe Shi (Fudan University), Zhemin Yang (Fudan University), Dingyi Liu (Fudan University), Kangwei Zhong (Fudan University), Jiarun Dai (Fudan University), Min Yang (Fudan University)

Read More

BACnet or “BADnet”? On the (In)Security of Implicitly Reserved...

Qiguang Zhang (Southeast University), Junzhou Luo (Southeast University, Fuyao University of Science and Technology), Zhen Ling (Southeast University), Yue Zhang (Shandong University), Chongqing Lei (Southeast University), Christopher Morales (University of Massachusetts Lowell), Xinwen Fu (University of Massachusetts Lowell)

Read More