Cookie Consent
Hi, this website uses essential cookies to ensure its proper operation and tracking cookies to understand how you interact with it. The latter will be set only after consent.
Read our Privacy Policy
Back

Lakera’s Prompt Injection Test (PINT)—A New Benchmark for Evaluating Prompt Injection Solutions 

We've released the first version of a new Prompt Injection Test (PINT) Benchmark that can be used to evaluate any prompt injection detection system with a comprehensive dataset that no model, including ours, is directly trained on.

Lakera Team
April 18, 2024
April 18, 2024
Learn how to protect against the most common LLM vulnerabilities

Download this guide to delve into the most common LLM security risks and ways to mitigate them.

In-context learning

As users increasingly rely on Large Language Models (LLMs) to accomplish their daily tasks, their concerns about the potential leakage of private data by these models have surged.

[Provide the input text here]

[Provide the input text here]

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

Lorem ipsum dolor sit amet, Q: I had 10 cookies. I ate 2 of them, and then I gave 5 of them to my friend. My grandma gave me another 2boxes of cookies, with 2 cookies inside each box. How many cookies do I have now?

Title italic

A: At the beginning there was 10 cookies, then 2 of them were eaten, so 8 cookies were left. Then 5 cookieswere given toa friend, so 3 cookies were left. 3 cookies + 2 boxes of 2 cookies (4 cookies) = 7 cookies. Youhave 7 cookies.

English to French Translation:

Q: A bartender had 20 pints. One customer has broken one pint, another has broken 5 pints. A bartender boughtthree boxes, 4 pints in each. How many pints does bartender have now?

Lorem ipsum dolor sit amet, line first
line second
line third

Lorem ipsum dolor sit amet, Q: I had 10 cookies. I ate 2 of them, and then I gave 5 of them to my friend. My grandma gave me another 2boxes of cookies, with 2 cookies inside each box. How many cookies do I have now?

Title italic Title italicTitle italicTitle italicTitle italicTitle italicTitle italic

A: At the beginning there was 10 cookies, then 2 of them were eaten, so 8 cookies were left. Then 5 cookieswere given toa friend, so 3 cookies were left. 3 cookies + 2 boxes of 2 cookies (4 cookies) = 7 cookies. Youhave 7 cookies.

English to French Translation:

Q: A bartender had 20 pints. One customer has broken one pint, another has broken 5 pints. A bartender boughtthree boxes, 4 pints in each. How many pints does bartender have now?

Hide table of contents
Show table of contents

Lakera is excited to release the first version of our new Prompt Injection Test (PINT) Benchmark as an effort to enable the evaluation of prompt defense solutions and improve GenAI security for everyone.

See the code and initial results on GitHub.

Why we built the PINT Benchmark

Evaluating performance in the Generative AI (GenAI) space has become a complicated topic.

A new model sets records on existing evaluations almost weekly, but there are some potentially serious issues with overfitting, the efficacy of various benchmarks, and folks going to great lengths to come up with better ways to evaluate model performance - some going as far as having models play Street Fighter.

Extending this complexity to an already complicated-to-define domain, like prompt injection, is even more challenging. There have been some previous attempts at benchmarking the performance of various prompt injection detection systems in terms of latency, like the Prompt Injection Solutions Benchmark from ProtectAI, and our friends at the Language Model Vulnerabilities and Exposures (LVE) Repository explored the effectiveness of tools like Meta’s Llama Guard against some adversarial prompts, but we couldn’t find much work on evaluating the actual efficacy of prompt injection solutions.

What is the PINT Benchmark?

The PINT Benchmark attempts to provide an objective measure of evaluating prompt injection protection solutions against a representative sample of prompt injection and jailbreak attacks. It aims to evaluate both a solution’s ability to detect true positives as well as minimize false negatives.

The benchmark currently evaluates prompt injection solutions on a dataset of 3,007 English inputs that cover a wide variety of public and proprietary attack techniques, inputs specifically designed to test for false positives, and inputs specifically designed to test for trouble handling large documents.

<div class="table_component" role="region" tabindex="0">
<table>
   <thead>
       <tr>
           <th>Name</th>
           <th>PINT Score</th>
           <th>Test Date</th>
       </tr>
   </thead>
   <tbody>
       <tr>
           <td><a href="https://lakera.ai/">Lakera Guard</a></td>
           <td>97.7129%</td>
           <td>2024-04-09</td>
       </tr>
       <tr>
           <td><a href="https://learn.microsoft.com/en-us/azure/ai-services/content-safety/concepts/jailbreak-detection#prompt-shields-for-documents">Azure AI Prompt Shield for Documents</a></td>
           <td>
               <p>91.1914%</p>
           </td>
           <td>2024-04-05</td>
       </tr>
       <tr>
           <td><a href="https://huggingface.co/protectai/deberta-v3-base-prompt-injection">protectai/deberta-v3-base-prompt-injection</a></td>
           <td>88.6597%</td>
           <td>2024-04-05</td>
       </tr>
       <tr>
           <td><a href="https://github.com/whylabs/langkit">WhyLabs LangKit</a></td>
           <td>80.0164%</td>
           <td>2024-04-04</td>
       </tr>
       <tr>
           <td><a href="https://learn.microsoft.com/en-us/azure/ai-services/content-safety/concepts/jailbreak-detection#prompt-shields-for-user-prompts">Azure AI Prompt Shield for User Prompts</a></td>
           <td>77.504%</td>
           <td>2024-04-05</td>
       </tr>
       <tr>
           <td><a href="https://huggingface.co/epivolis/hyperion">Epivolis/Hyperion</a></td>
           <td>62.6572%</td>
           <td>2024-04-12</td>
       </tr>
       <tr>
           <td><a href="https://huggingface.co/fmops/distilbert-prompt-injection">fmops/distilbert-prompt-injection</a></td>
           <td>58.3508%</td>
           <td>2024-04-04</td>
       </tr>
       <tr>
           <td><a href="https://huggingface.co/deepset/deberta-v3-base-injection">deepset/deberta-v3-base-injection</a></td>
           <td>57.7255%</td>
           <td>2024-04-04</td>
       </tr>
       <tr>
           <td><a href="https://huggingface.co/myadav/setfit-prompt-injection-MiniLM-L3-v2">Myadav/setfit-prompt-injection-MiniLM-L3-v2</a></td>
           <td>56.3973%</td>
           <td>2024-04-04</td>
       </tr>
   </tbody>
</table>

Note: Lakera Guard is not - and will never be - directly trained on any of the inputs in the PINT Benchmark dataset.

The ratio of benign and malicious input closely mirrors our real-world observations and includes the following categories:

  • public_prompt_injection: inputs from public prompt injection datasets
  • internal_prompt_injection: inputs from Lakera’s proprietary prompt injection database; this includes some results from our publicly available lakera/gandalf_ignore_instructions dataset derived from inputs to our prompt injection game, Gandalf
  • jailbreak: inputs containing jailbreak directives, like the well-known Do Anything Now (DAN) Jailbreak
  • hard_negatives: inputs that are not prompt injection but seem like they could be due to words, phrases, or patterns that often appear in prompt injections; these test against false positives
  • chat: inputs containing genuine user messages to chatbots
  • documents: inputs containing public documents from various Internet sources

This is the first iteration of the dataset, but future improvements will likely include inputs in multiple languages, more complex injection techniques, and additional categories based on emerging exploits.

How you can use and contribute to the PINT Benchmark

The PINT Benchmark notebook, results, and various examples of how to evaluate your own solution or use your own dataset are all publicly available under the MIT license

The PINT Benchmark dataset is not publicly available in order to prevent the dilution of the PINT Benchmark from overfitting due to training on the inputs. We would love to include a PINT Benchmark score for every prompt injection solution provider.

If you’re a researcher working on prompt injection research that would benefit from access to the dataset or a hacker or prompt injection solution provider who would like to help improve the PINT Benchmark dataset, extend the evaluation code and examples, or add benchmark results for your solution to the official repository, please contact us or follow the instructions in our contributing guide.

We want to hear from and collaborate with you to make this the most robust, comprehensive, and trusted source for evaluating prompt injection solutions.

Lakera LLM Security Playbook
Learn how to protect against the most common LLM vulnerabilities

Download this guide to delve into the most common LLM security risks and ways to mitigate them.

Unlock Free AI Security Guide.

Discover risks and solutions with the Lakera LLM Security Playbook.

Download Free

Master Prompt Injection Attacks.

Learn LLM security, attack strategies, and protection tools. Includes bonus datasets.

Unlock Free Guide

Learn AI Security Basics.

Join our 10-lesson course on core concepts and issues in AI security.

Enroll Now

Optimize LLM Security Solutions.

Use our checklist to evaluate and select the best LLM security tools for your enterprise.

Download Free

Uncover LLM Vulnerabilities.

Explore real-world LLM exploits, case studies, and mitigation strategies with Lakera.

Download Free

Understand AI Security Basics.

Get Lakera's AI Security Guide for an overview of threats and protection strategies.

Download Free

Explore AI Regulations.

Compare the EU AI Act and the White House’s AI Bill of Rights.

Download Free
Lakera Team
Read LLM Security Playbook

Learn about the most common LLM threats and how to prevent them.

Download
You might be interested
10
min read
Product Updates

ChainGuard: Guard Your LangChain Apps with Lakera

In this tutorial, we'll show you how to integrate Lakera Guard into your LangChain applications to protect them from the most common AI security risks, including prompt injections, toxic content, data loss, and more!
Lakera Team
March 15, 2024
2
min read
Product Updates

Lakera releases robustness testing suite for radiology AI teams

Great news for all AI radiology teams—you can now take your medical machine learning testing capabilities to a new level with MLTest. You can now easily test whether your algorithms are robust to radiological artifacts and variations.
Lakera Team
December 1, 2023
Activate
untouchable mode.
Get started for free.

Lakera Guard protects your LLM applications from cybersecurity risks with a single line of code. Get started in minutes. Become stronger every day.

Join our Slack Community.

Several people are typing about AI/ML security. 
Come join us and 1000+ others in a chat that’s thoroughly SFW.