Goal-guided Generative Prompt Injection Attack on Large Language Models

Chong Zhang; Mingyu Jin; Qinkai Yu; Chengzhi Liu; Haochen Xue; Xiaobo Jin

doi:10.1109/ICDM59182.2024.00119

Goal-guided Generative Prompt Injection Attack on Large Language Models

Chong Zhang, Mingyu Jin, Qinkai Yu, Chengzhi Liu, Haochen Xue, Xiaobo Jin^*

^*Corresponding author for this work

Research output: Chapter in Book or Report/Conference proceeding › Conference Proceeding › peer-review

35 Downloads (Pure)

Abstract

Current large language models (LLMs) provide a strong foundation for large-scale user-oriented natural language tasks. Numerous users can easily inject adversarial text or instructions through the user interface, thus causing LLM model security challenges. Although there is much research on prompt injection attacks, most black-box attacks use heuristic strategies. It is unclear how these heuristic strategies relate to the success rate of attacks and thus effectively improve model robustness. To solve this problem, we redefine the goal of the attack: to maximize the KL divergence between the conditional probabilities of the clean text and the adversarial text. Furthermore, we prove that maximizing the KL divergence is equivalent to maximizing the Mahalanobis distance between the embedded representation $x$ and $x'$ of the clean text and the adversarial text when the conditional probability is a Gaussian distribution and gives a quantitative relationship on $x$ and $x'$. Then we designed a simple and effective goal-guided generative prompt injection strategy (G2PIA) to find an injection text that satisfies specific constraints to achieve the optimal attack effect approximately. Notably, our attack method is a query-free black-box attack method with a low computational cost. Experimental results on seven LLM models and four datasets show the effectiveness of our attack method.

Original language	English
Title of host publication	Proceedings - 24th IEEE International Conference on Data Mining, ICDM 2024
Editors	Elena Baralis, Kun Zhang, Ernesto Damiani, Merouane Debbah, Panos Kalnis, Xindong Wu
Chapter	1
Pages	941-946
Number of pages	6
ISBN (Electronic)	979-8-3315-0668-1
DOIs	https://doi.org/10.1109/ICDM59182.2024.00119
Publication status	Published - 21 Feb 2025

Publication series

Name	Proceedings - IEEE International Conference on Data Mining, ICDM
ISSN (Print)	1550-4786

Keywords

Prompt Injection
KL-divergence
LLM
Mahalanobis Distance

Access to Document

10.1109/ICDM59182.2024.00119

Goal-Guided_Generative_Prompt_Injection_Attack_on_Large_Language_ModelsFinal published version, 547 KBLicence: CC BY

https://ieeexplore.ieee.org/document/10884369

Cite this

Zhang, C., Jin, M., Yu, Q., Liu, C., Xue, H., & Jin, X. (2025). Goal-guided Generative Prompt Injection Attack on Large Language Models. In E. Baralis, K. Zhang, E. Damiani, M. Debbah, P. Kalnis, & X. Wu (Eds.), Proceedings - 24th IEEE International Conference on Data Mining, ICDM 2024 (pp. 941-946). Article 266 (Proceedings - IEEE International Conference on Data Mining, ICDM). https://doi.org/10.1109/ICDM59182.2024.00119

Zhang, Chong ; Jin, Mingyu ; Yu, Qinkai et al. / Goal-guided Generative Prompt Injection Attack on Large Language Models. Proceedings - 24th IEEE International Conference on Data Mining, ICDM 2024. editor / Elena Baralis ; Kun Zhang ; Ernesto Damiani ; Merouane Debbah ; Panos Kalnis ; Xindong Wu. 2025. pp. 941-946 (Proceedings - IEEE International Conference on Data Mining, ICDM).

@inproceedings{ebce79a0b6634c0ea075949ef70e6275,

title = "Goal-guided Generative Prompt Injection Attack on Large Language Models",

abstract = "Current large language models (LLMs) provide a strong foundation for large-scale user-oriented natural language tasks. Numerous users can easily inject adversarial text or instructions through the user interface, thus causing LLM model security challenges. Although there is much research on prompt injection attacks, most black-box attacks use heuristic strategies. It is unclear how these heuristic strategies relate to the success rate of attacks and thus effectively improve model robustness. To solve this problem, we redefine the goal of the attack: to maximize the KL divergence between the conditional probabilities of the clean text and the adversarial text. Furthermore, we prove that maximizing the KL divergence is equivalent to maximizing the Mahalanobis distance between the embedded representation $x$ and $x'$ of the clean text and the adversarial text when the conditional probability is a Gaussian distribution and gives a quantitative relationship on $x$ and $x'$. Then we designed a simple and effective goal-guided generative prompt injection strategy (G2PIA) to find an injection text that satisfies specific constraints to achieve the optimal attack effect approximately. Notably, our attack method is a query-free black-box attack method with a low computational cost. Experimental results on seven LLM models and four datasets show the effectiveness of our attack method.",

keywords = "Prompt Injection, KL-divergence, LLM, Mahalanobis Distance",

author = "Chong Zhang and Mingyu Jin and Qinkai Yu and Chengzhi Liu and Haochen Xue and Xiaobo Jin",

note = "Publisher Copyright: {\textcopyright} 2024 IEEE.",

year = "2025",

month = feb,

day = "21",

doi = "10.1109/ICDM59182.2024.00119",

language = "English",

isbn = "979-8-3315-0669-8",

series = "Proceedings - IEEE International Conference on Data Mining, ICDM",

pages = "941--946",

editor = "Elena Baralis and Kun Zhang and Ernesto Damiani and Merouane Debbah and Panos Kalnis and Xindong Wu",

booktitle = "Proceedings - 24th IEEE International Conference on Data Mining, ICDM 2024",

}

Zhang, C, Jin, M, Yu, Q, Liu, C, Xue, H & Jin, X 2025, Goal-guided Generative Prompt Injection Attack on Large Language Models. in E Baralis, K Zhang, E Damiani, M Debbah, P Kalnis & X Wu (eds), Proceedings - 24th IEEE International Conference on Data Mining, ICDM 2024., 266, Proceedings - IEEE International Conference on Data Mining, ICDM, pp. 941-946. https://doi.org/10.1109/ICDM59182.2024.00119

Goal-guided Generative Prompt Injection Attack on Large Language Models. / Zhang, Chong; Jin, Mingyu; Yu, Qinkai et al.
Proceedings - 24th IEEE International Conference on Data Mining, ICDM 2024. ed. / Elena Baralis; Kun Zhang; Ernesto Damiani; Merouane Debbah; Panos Kalnis; Xindong Wu. 2025. p. 941-946 266 (Proceedings - IEEE International Conference on Data Mining, ICDM).

Research output: Chapter in Book or Report/Conference proceeding › Conference Proceeding › peer-review

TY - GEN

T1 - Goal-guided Generative Prompt Injection Attack on Large Language Models

AU - Zhang, Chong

AU - Jin, Mingyu

AU - Yu, Qinkai

AU - Liu, Chengzhi

AU - Xue, Haochen

AU - Jin, Xiaobo

PY - 2025/2/21

Y1 - 2025/2/21

N2 - Current large language models (LLMs) provide a strong foundation for large-scale user-oriented natural language tasks. Numerous users can easily inject adversarial text or instructions through the user interface, thus causing LLM model security challenges. Although there is much research on prompt injection attacks, most black-box attacks use heuristic strategies. It is unclear how these heuristic strategies relate to the success rate of attacks and thus effectively improve model robustness. To solve this problem, we redefine the goal of the attack: to maximize the KL divergence between the conditional probabilities of the clean text and the adversarial text. Furthermore, we prove that maximizing the KL divergence is equivalent to maximizing the Mahalanobis distance between the embedded representation $x$ and $x'$ of the clean text and the adversarial text when the conditional probability is a Gaussian distribution and gives a quantitative relationship on $x$ and $x'$. Then we designed a simple and effective goal-guided generative prompt injection strategy (G2PIA) to find an injection text that satisfies specific constraints to achieve the optimal attack effect approximately. Notably, our attack method is a query-free black-box attack method with a low computational cost. Experimental results on seven LLM models and four datasets show the effectiveness of our attack method.

AB - Current large language models (LLMs) provide a strong foundation for large-scale user-oriented natural language tasks. Numerous users can easily inject adversarial text or instructions through the user interface, thus causing LLM model security challenges. Although there is much research on prompt injection attacks, most black-box attacks use heuristic strategies. It is unclear how these heuristic strategies relate to the success rate of attacks and thus effectively improve model robustness. To solve this problem, we redefine the goal of the attack: to maximize the KL divergence between the conditional probabilities of the clean text and the adversarial text. Furthermore, we prove that maximizing the KL divergence is equivalent to maximizing the Mahalanobis distance between the embedded representation $x$ and $x'$ of the clean text and the adversarial text when the conditional probability is a Gaussian distribution and gives a quantitative relationship on $x$ and $x'$. Then we designed a simple and effective goal-guided generative prompt injection strategy (G2PIA) to find an injection text that satisfies specific constraints to achieve the optimal attack effect approximately. Notably, our attack method is a query-free black-box attack method with a low computational cost. Experimental results on seven LLM models and four datasets show the effectiveness of our attack method.

KW - Prompt Injection

KW - KL-divergence

KW - LLM

KW - Mahalanobis Distance

UR - http://www.scopus.com/inward/record.url?scp=86000212437&partnerID=8YFLogxK

U2 - 10.1109/ICDM59182.2024.00119

DO - 10.1109/ICDM59182.2024.00119

M3 - Conference Proceeding

SN - 979-8-3315-0669-8

T3 - Proceedings - IEEE International Conference on Data Mining, ICDM

SP - 941

EP - 946

BT - Proceedings - 24th IEEE International Conference on Data Mining, ICDM 2024

A2 - Baralis, Elena

A2 - Zhang, Kun

A2 - Damiani, Ernesto

A2 - Debbah, Merouane

A2 - Kalnis, Panos

A2 - Wu, Xindong

ER -

Zhang C, Jin M, Yu Q, Liu C, Xue H , Jin X. Goal-guided Generative Prompt Injection Attack on Large Language Models. In Baralis E, Zhang K, Damiani E, Debbah M, Kalnis P, Wu X, editors, Proceedings - 24th IEEE International Conference on Data Mining, ICDM 2024. 2025. p. 941-946. 266. (Proceedings - IEEE International Conference on Data Mining, ICDM). doi: 10.1109/ICDM59182.2024.00119

Goal-guided Generative Prompt Injection Attack on Large Language Models

Abstract

Publication series

Keywords

Access to Document

Other files and links

Fingerprint

Cite this