We've released the first version of a new Prompt Injection Test (PINT) Benchmark that can be used to evaluate any prompt injection detection system with a comprehensive dataset that no model, including ours, is directly trained on.
Download this guide to delve into the most common LLM security risks and ways to mitigate them.
In-context learning
As users increasingly rely on Large Language Models (LLMs) to accomplish their daily tasks, their concerns about the potential leakage of private data by these models have surged.
[Provide the input text here]
[Provide the input text here]
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.
Lorem ipsum dolor sit amet, Q: I had 10 cookies. I ate 2 of them, and then I gave 5 of them to my friend. My grandma gave me another 2boxes of cookies, with 2 cookies inside each box. How many cookies do I have now?
Title italic
A: At the beginning there was 10 cookies, then 2 of them were eaten, so 8 cookies were left. Then 5 cookieswere given toa friend, so 3 cookies were left. 3 cookies + 2 boxes of 2 cookies (4 cookies) = 7 cookies. Youhave 7 cookies.
English to French Translation:
Q: A bartender had 20 pints. One customer has broken one pint, another has broken 5 pints. A bartender boughtthree boxes, 4 pints in each. How many pints does bartender have now?
Lorem ipsum dolor sit amet, line first
line second
line third
Lorem ipsum dolor sit amet, Q: I had 10 cookies. I ate 2 of them, and then I gave 5 of them to my friend. My grandma gave me another 2boxes of cookies, with 2 cookies inside each box. How many cookies do I have now?
Title italic Title italicTitle italicTitle italicTitle italicTitle italicTitle italic
A: At the beginning there was 10 cookies, then 2 of them were eaten, so 8 cookies were left. Then 5 cookieswere given toa friend, so 3 cookies were left. 3 cookies + 2 boxes of 2 cookies (4 cookies) = 7 cookies. Youhave 7 cookies.
English to French Translation:
Q: A bartender had 20 pints. One customer has broken one pint, another has broken 5 pints. A bartender boughtthree boxes, 4 pints in each. How many pints does bartender have now?
Lakera is excited to release the first version of our new Prompt Injection Test (PINT) Benchmark as an effort to enable the evaluation of prompt defense solutions and improve GenAI security for everyone.
See the code and initial results on GitHub.
Evaluating performance in the Generative AI (GenAI) space has become a complicated topic.
A new model sets records on existing evaluations almost weekly, but there are some potentially serious issues with overfitting, the efficacy of various benchmarks, and folks going to great lengths to come up with better ways to evaluate model performance - some going as far as having models play Street Fighter.
Extending this complexity to an already complicated-to-define domain, like prompt injection, is even more challenging. There have been some previous attempts at benchmarking the performance of various prompt injection detection systems in terms of latency, like the Prompt Injection Solutions Benchmark from ProtectAI, and our friends at the Language Model Vulnerabilities and Exposures (LVE) Repository explored the effectiveness of tools like Meta’s Llama Guard against some adversarial prompts, but we couldn’t find much work on evaluating the actual efficacy of prompt injection solutions.
The PINT Benchmark attempts to provide an objective measure of evaluating prompt injection protection solutions against a representative sample of prompt injection and jailbreak attacks. It aims to evaluate both a solution’s ability to detect true positives as well as minimize false negatives.
The benchmark currently evaluates prompt injection solutions on a dataset of 3,007 English inputs that cover a wide variety of public and proprietary attack techniques, inputs specifically designed to test for false positives, and inputs specifically designed to test for trouble handling large documents.
<div class="table_component" role="region" tabindex="0">
<table>
<thead>
<tr>
<th>Name</th>
<th>PINT Score</th>
<th>Test Date</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="https://lakera.ai/">Lakera Guard</a></td>
<td>97.7129%</td>
<td>2024-04-09</td>
</tr>
<tr>
<td><a href="https://learn.microsoft.com/en-us/azure/ai-services/content-safety/concepts/jailbreak-detection#prompt-shields-for-documents">Azure AI Prompt Shield for Documents</a></td>
<td>
<p>91.1914%</p>
</td>
<td>2024-04-05</td>
</tr>
<tr>
<td><a href="https://huggingface.co/protectai/deberta-v3-base-prompt-injection">protectai/deberta-v3-base-prompt-injection</a></td>
<td>88.6597%</td>
<td>2024-04-05</td>
</tr>
<tr>
<td><a href="https://github.com/whylabs/langkit">WhyLabs LangKit</a></td>
<td>80.0164%</td>
<td>2024-04-04</td>
</tr>
<tr>
<td><a href="https://learn.microsoft.com/en-us/azure/ai-services/content-safety/concepts/jailbreak-detection#prompt-shields-for-user-prompts">Azure AI Prompt Shield for User Prompts</a></td>
<td>77.504%</td>
<td>2024-04-05</td>
</tr>
<tr>
<td><a href="https://huggingface.co/epivolis/hyperion">Epivolis/Hyperion</a></td>
<td>62.6572%</td>
<td>2024-04-12</td>
</tr>
<tr>
<td><a href="https://huggingface.co/fmops/distilbert-prompt-injection">fmops/distilbert-prompt-injection</a></td>
<td>58.3508%</td>
<td>2024-04-04</td>
</tr>
<tr>
<td><a href="https://huggingface.co/deepset/deberta-v3-base-injection">deepset/deberta-v3-base-injection</a></td>
<td>57.7255%</td>
<td>2024-04-04</td>
</tr>
<tr>
<td><a href="https://huggingface.co/myadav/setfit-prompt-injection-MiniLM-L3-v2">Myadav/setfit-prompt-injection-MiniLM-L3-v2</a></td>
<td>56.3973%</td>
<td>2024-04-04</td>
</tr>
</tbody>
</table>
Note: Lakera Guard is not - and will never be - directly trained on any of the inputs in the PINT Benchmark dataset.
The ratio of benign and malicious input closely mirrors our real-world observations and includes the following categories:
This is the first iteration of the dataset, but future improvements will likely include inputs in multiple languages, more complex injection techniques, and additional categories based on emerging exploits.
The PINT Benchmark notebook, results, and various examples of how to evaluate your own solution or use your own dataset are all publicly available under the MIT license.
The PINT Benchmark dataset is not publicly available in order to prevent the dilution of the PINT Benchmark from overfitting due to training on the inputs. We would love to include a PINT Benchmark score for every prompt injection solution provider.
If you’re a researcher working on prompt injection research that would benefit from access to the dataset or a hacker or prompt injection solution provider who would like to help improve the PINT Benchmark dataset, extend the evaluation code and examples, or add benchmark results for your solution to the official repository, please contact us or follow the instructions in our contributing guide.
We want to hear from and collaborate with you to make this the most robust, comprehensive, and trusted source for evaluating prompt injection solutions.
Download this guide to delve into the most common LLM security risks and ways to mitigate them.
Subscribe to our newsletter to get the recent updates on Lakera product and other news in the AI LLM world. Be sure you’re on track!
.png)
Lakera Guard protects your LLM applications from cybersecurity risks with a single line of code. Get started in minutes. Become stronger every day.
Several people are typing about AI/ML security. Come join us and 1000+ others in a chat that’s thoroughly SFW.
