Abstract
Large language models (LLMs) are increasingly used in interactive and retrieval-augmented systems, but they remain vulnerable to prompt injection attacks, where injected secondary prompts force the model to deviate from the user’s instructions to execute a potentially malicious task defined by the adversary. Recent work shows that ML models trained on activation shifts from LLMs’ hidden layers can detect such drift.
In this paper, we demonstrate that these detectors are not robust to adaptive adversaries. We propose a multi-probe evasion attack that appends an adversarially optimised suffix to poisoned inputs, jointly optimising a universal suffix to simultaneously fool all layer-wise drift detectors while preserving the effectiveness of the underlying injection. Using a modified Greedy Coordinate Gradient (GCG) approach, we generate universal suffixes that make prompt injections consistently evasive across multiple probes simultaneously. On Phi-3 3.8B and Llama-3 8B, a single suffix achieves attack success rates of 93.91% and 99.63% in successfully evading all detectors simultaneously. These results show that activation-based task drift detectors are highly vulnerable to adaptive prompt injection attacks, motivating stronger defences against such threats. We also propose a defence based on adversarial suffix augmentation: we generate multiple suffixes, append one at random during forward passes, and train detectors on the resulting activations. This approach is found to be effective against evasive attacks.
In this paper, we demonstrate that these detectors are not robust to adaptive adversaries. We propose a multi-probe evasion attack that appends an adversarially optimised suffix to poisoned inputs, jointly optimising a universal suffix to simultaneously fool all layer-wise drift detectors while preserving the effectiveness of the underlying injection. Using a modified Greedy Coordinate Gradient (GCG) approach, we generate universal suffixes that make prompt injections consistently evasive across multiple probes simultaneously. On Phi-3 3.8B and Llama-3 8B, a single suffix achieves attack success rates of 93.91% and 99.63% in successfully evading all detectors simultaneously. These results show that activation-based task drift detectors are highly vulnerable to adaptive prompt injection attacks, motivating stronger defences against such threats. We also propose a defence based on adversarial suffix augmentation: we generate multiple suffixes, append one at random during forward passes, and train detectors on the resulting activations. This approach is found to be effective against evasive attacks.
| Original language | English |
|---|---|
| Title of host publication | 2026 International Joint Conference on Neural Networks (IJCNN): Proceedings |
| Publisher | IEEE |
| Publication status | Accepted - 01 Apr 2026 |
| Event | IEEE International Joint Conference on Neural Networks (IJCNN 2026) - Maastricht, Netherlands Duration: 21 Jun 2026 → 26 Jun 2026 |
Publication series
| Name | International Joint Conference on Neural Networks (IJCNN) |
|---|---|
| Publisher | IEEE |
| ISSN (Print) | 2161-4393 |
| ISSN (Electronic) | 2161-4407 |
Conference
| Conference | IEEE International Joint Conference on Neural Networks (IJCNN 2026) |
|---|---|
| Country/Territory | Netherlands |
| City | Maastricht |
| Period | 21/06/2026 → 26/06/2026 |
Fingerprint
Dive into the research topics of 'Bypassing prompt injection detectors through evasive injections'. Together they form a unique fingerprint.Cite this
- APA
- Author
- BIBTEX
- Harvard
- Standard
- RIS
- Vancouver