Saved in:
Bibliographic Details
Main Authors: Hackett, William, Birch, Lewis, Trawicki, Stefan, Suri, Neeraj, Garraghan, Peter
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2504.11168
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909687679549440
author Hackett, William
Birch, Lewis
Trawicki, Stefan
Suri, Neeraj
Garraghan, Peter
author_facet Hackett, William
Birch, Lewis
Trawicki, Stefan
Suri, Neeraj
Garraghan, Peter
contents Large Language Models (LLMs) guardrail systems are designed to protect against prompt injection and jailbreak attacks. However, they remain vulnerable to evasion techniques. We demonstrate two approaches for bypassing LLM prompt injection and jailbreak detection systems via traditional character injection methods and algorithmic Adversarial Machine Learning (AML) evasion techniques. Through testing against six prominent protection systems, including Microsoft's Azure Prompt Shield and Meta's Prompt Guard, we show that both methods can be used to evade detection while maintaining adversarial utility achieving in some instances up to 100% evasion success. Furthermore, we demonstrate that adversaries can enhance Attack Success Rates (ASR) against black-box targets by leveraging word importance ranking computed by offline white-box models. Our findings reveal vulnerabilities within current LLM protection mechanisms and highlight the need for more robust guardrail systems.
format Preprint
id arxiv_https___arxiv_org_abs_2504_11168
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Bypassing LLM Guardrails: An Empirical Analysis of Evasion Attacks against Prompt Injection and Jailbreak Detection Systems
Hackett, William
Birch, Lewis
Trawicki, Stefan
Suri, Neeraj
Garraghan, Peter
Cryptography and Security
Artificial Intelligence
Machine Learning
I.2.7
Large Language Models (LLMs) guardrail systems are designed to protect against prompt injection and jailbreak attacks. However, they remain vulnerable to evasion techniques. We demonstrate two approaches for bypassing LLM prompt injection and jailbreak detection systems via traditional character injection methods and algorithmic Adversarial Machine Learning (AML) evasion techniques. Through testing against six prominent protection systems, including Microsoft's Azure Prompt Shield and Meta's Prompt Guard, we show that both methods can be used to evade detection while maintaining adversarial utility achieving in some instances up to 100% evasion success. Furthermore, we demonstrate that adversaries can enhance Attack Success Rates (ASR) against black-box targets by leveraging word importance ranking computed by offline white-box models. Our findings reveal vulnerabilities within current LLM protection mechanisms and highlight the need for more robust guardrail systems.
title Bypassing LLM Guardrails: An Empirical Analysis of Evasion Attacks against Prompt Injection and Jailbreak Detection Systems
topic Cryptography and Security
Artificial Intelligence
Machine Learning
I.2.7
url https://arxiv.org/abs/2504.11168