Saved in:
Bibliographic Details
Main Authors: Sekar, Anirudh, Agarwal, Mrinal, Sharma, Rachel, Tanaka, Akitsugu, Zhang, Jasmine, Damerla, Arjun, Zhu, Kevin
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2601.12359
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866908774138118144
author Sekar, Anirudh
Agarwal, Mrinal
Sharma, Rachel
Tanaka, Akitsugu
Zhang, Jasmine
Damerla, Arjun
Zhu, Kevin
author_facet Sekar, Anirudh
Agarwal, Mrinal
Sharma, Rachel
Tanaka, Akitsugu
Zhang, Jasmine
Damerla, Arjun
Zhu, Kevin
contents Prompt injection attacks have become an increasing vulnerability for LLM applications, where adversarial prompts exploit indirect input channels such as emails or user-generated content to circumvent alignment safeguards and induce harmful or unintended outputs. Despite advances in alignment, even state-of-the-art LLMs remain broadly vulnerable to adversarial prompts, underscoring the urgent need for robust, productive, and generalizable detection mechanisms beyond inefficient, model-specific patches. In this work, we propose Zero-Shot Embedding Drift Detection (ZEDD), a lightweight, low-engineering-overhead framework that identifies both direct and indirect prompt injection attempts by quantifying semantic shifts in embedding space between benign and suspect inputs. ZEDD operates without requiring access to model internals, prior knowledge of attack types, or task-specific retraining, enabling efficient zero-shot deployment across diverse LLM architectures. Our method uses adversarial-clean prompt pairs and measures embedding drift via cosine similarity to capture subtle adversarial manipulations inherent to real-world injection attacks. To ensure robust evaluation, we assemble and re-annotate the comprehensive LLMail-Inject dataset spanning five injection categories derived from publicly available sources. Extensive experiments demonstrate that embedding drift is a robust and transferable signal, outperforming traditional methods in detection accuracy and operational efficiency. With greater than 93% accuracy in classifying prompt injections across model architectures like Llama 3, Qwen 2, and Mistral and a false positive rate of <3%, our approach offers a lightweight, scalable defense layer that integrates into existing LLM pipelines, addressing a critical gap in securing LLM-powered systems to withstand adaptive adversarial threats.
format Preprint
id arxiv_https___arxiv_org_abs_2601_12359
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Zero-Shot Embedding Drift Detection: A Lightweight Defense Against Prompt Injections in LLMs
Sekar, Anirudh
Agarwal, Mrinal
Sharma, Rachel
Tanaka, Akitsugu
Zhang, Jasmine
Damerla, Arjun
Zhu, Kevin
Cryptography and Security
Computation and Language
Prompt injection attacks have become an increasing vulnerability for LLM applications, where adversarial prompts exploit indirect input channels such as emails or user-generated content to circumvent alignment safeguards and induce harmful or unintended outputs. Despite advances in alignment, even state-of-the-art LLMs remain broadly vulnerable to adversarial prompts, underscoring the urgent need for robust, productive, and generalizable detection mechanisms beyond inefficient, model-specific patches. In this work, we propose Zero-Shot Embedding Drift Detection (ZEDD), a lightweight, low-engineering-overhead framework that identifies both direct and indirect prompt injection attempts by quantifying semantic shifts in embedding space between benign and suspect inputs. ZEDD operates without requiring access to model internals, prior knowledge of attack types, or task-specific retraining, enabling efficient zero-shot deployment across diverse LLM architectures. Our method uses adversarial-clean prompt pairs and measures embedding drift via cosine similarity to capture subtle adversarial manipulations inherent to real-world injection attacks. To ensure robust evaluation, we assemble and re-annotate the comprehensive LLMail-Inject dataset spanning five injection categories derived from publicly available sources. Extensive experiments demonstrate that embedding drift is a robust and transferable signal, outperforming traditional methods in detection accuracy and operational efficiency. With greater than 93% accuracy in classifying prompt injections across model architectures like Llama 3, Qwen 2, and Mistral and a false positive rate of <3%, our approach offers a lightweight, scalable defense layer that integrates into existing LLM pipelines, addressing a critical gap in securing LLM-powered systems to withstand adaptive adversarial threats.
title Zero-Shot Embedding Drift Detection: A Lightweight Defense Against Prompt Injections in LLMs
topic Cryptography and Security
Computation and Language
url https://arxiv.org/abs/2601.12359