Prompt Injection Detection Models

SDD-B09 · Course 2B — Securing & Attacking Harnesses and LLMs

45 minutes · B2's Layer 4 expanded into the full detection-model analysis

A secondary model checks "does this content contain overriding instructions?" before it enters the agent's context. The detector is itself a model — and models are injectable.

Deep-Dives

The Layer 4 pitch — and why it is not a silver bullet

B2's Layer 4: before untrusted content (retrieved doc, email, web page, tool result) enters the agent's context, a secondary model evaluates it for overriding instructions. Flag it, quarantine it. Feels solved.
It is not. The detection model is a model. A dedicated classifier has a probeable decision boundary. A secondary LLM carries the full injection surface of any LLM. Benchmark accuracy is 95–99%+; real-world, adversarially-adapted accuracy is 84–90%. The detector is a layer, not a boundary.

B09.1 — The detection landscape

Two families, what they classify, the accuracy numbers

Two families of detectors

Family 1 — Dedicated classifier
DeBERTa/RoBERTa fine-tunes, Llama Prompt Guard (86M/22M), ProtectAI, Lakera Guard. Fast (19–600ms), cheap, tunable threshold. Fixed boundary — ages with its corpus.
Family 2 — Secondary-LLM-as-detector
A second LLM prompted: "does this contain overriding instructions?" Flexible, re-promptable, feeds human review. Itself an LLM — full injection surface.
Default: dedicated classifier as the high-volume gate; secondary LLM as a second-pass reviewer for flagged-ambiguous content. Neither is a boundary.

What they classify — and the accuracy gap

The signal: overriding instructions — text that changes the model's task, role, or constraints. Direct, indirect, encoded, multi-step.

NumberRangeSource
Benchmark95–99%+In-distribution test set (vendor model card)
Deployment84–90%Real traffic, tolerable false-positive ceiling
Adversariallower, decaysOut-of-distribution, adaptive attacker — the one that matters
No vendor puts the adversarial number on the model card. Prompt Guard AUC ~0.998 on benchmark; one eval found 26.7% detection at 50% FPR. Galileo: 56% of production LLMs successfully injected.

B09.2 — The cat-and-mouse dynamic

Evasion, the dual-injection problem, why the gap is adversarial

The detector is a model — and models are injectable

The SDD-B08 insight, restated one layer down. External placement protects the detector from being DISABLED by a compromised agent. It does NOT protect it from being EVADED by an input crafted against its decision boundary. The detector runs; it classifies the adversarial payload as benign.
Empirical evasion is substantial: arXiv:2504.11168 shows high benchmark accuracy does not translate to robustness against adaptive attackers. Promptfoo catalogs guardrail-evasion as reproducible artifacts.

The dual-injection problem

ADVERSARIAL PAYLOAD
        │
        ▼
  ┌─ Evades DETECTOR? (classified benign)
  │     NO → CAUGHT (quarantined)
  │     YES ↓
  └─ Compromises PRIMARY MODEL? (executes)
        NO → useless (evaded but moved nothing)
        YES → ATTACKER SUCCESS (dual-injection satisfied)

  CORRELATED CASE: detector + primary share model class
  → evasion against one has elevated prob. against other
  → independence assumption FAILS, end-to-end rate > product
The dual constraint helps against naive attackers. Against adaptive ones, it is a targeting signal: probe the detector's boundary, find the false-negative region, craft the payload to sit there.

B09.3 — Composing the detector into the stack

Defense-in-depth, measurement, state of the art

The detector is Layer 4, not the boundary

LayerWhat it doesSurface
L1-2 Input rails + IronCurtainCatches gross violations, bounds worst caseDeterministic
L4 Detection modelCatches the BULK of indirect injectionsModel — evasion surface
L5 Output rails + refusalBackstop if L4 is evadedModel — evasion surface
Harness scope gateHard stop — disallowed action blockedDeterministic — the floor
Only deterministic layers have no evasion surface. End-to-end bypass = product of residuals, floored by the harness gate. The detector bounds volume; deterministic layers bound the worst case.

Measurement: the five steps

  1. Assemble the corpus — in-distribution + a held-out out-of-distribution set (the number that matters).
  2. Per-detector bypass rate — false-negative rate at the deployed threshold.
  3. False-positive tax — run legitimate content; set threshold where FPR is tolerable. Detection rate at THAT threshold is the real number.
  4. End-to-end bypass rate — full stack; fraction of injections → disallowed action.
  5. Correlated-bypass test — if detector + primary share a model class, test whether evasion transfers.
Defensible measurement: "Detector L4: 91% in-dist / 74% OOD at 2% FPR; end-to-end 3.2% full stack / 5.8% correlated; harness gate is the floor."

State of the art — and where it is heading

Defenders: larger corpora push OOD accuracy up (96.9% frontier); ensemble detectors so evasion against one doesn't evade all; better secondary-LLM output constraints.
Attackers: automated adversarial-prompt generation (RedAgent machinery, applied to the detector surface); dual-injection crafting; shared-model-class correlation makes it easier.
Forecast: detection remains high-value, OOD accuracy improves but never reaches 100% against an adaptive adversary. Winners compose the detector with deterministic layers and measure the residual — they don't deploy a detector and trust the model card. Necessary, not sufficient.

Lab & what's next

Lab (07): build a simulated detection stack — a dedicated classifier proxy, a secondary-LLM heuristic proxy, an in-distribution + out-of-distribution corpus, and a measurement harness reporting per-detector, end-to-end, and correlated-bypass rates. No GPU.

Next — SDD-B10: Academic Offensive Harnesses. PentestGPT, APT-Agent, HPTSA, VulnBot, CAI — re-examined as methodologies for attacking AI systems. HPTSA's hierarchical planning is directly relevant to the zero-click chain. This is the "where is this heading" deep-dive that closes the course's offensive material.