Jump to content

Connect SuperML | Leeroopedia MCP: Equip your AI agents with best practices, code verification, and debugging knowledge. Powered by Leeroo — building Organizational Superintelligence. Contact us at founders@leeroo.com.

Workflow:Liu00222 Open Prompt Injection Detection Localization Defense

From Leeroopedia
Knowledge Sources
Domains LLM_Security, Prompt_Injection, Defense
Last Updated 2026-02-14 15:00 GMT

Overview

End-to-end defense pipeline that first detects prompt injection contamination using DataSentinel, then localizes and removes injected content using PromptLocate to recover clean user data.

Description

This workflow combines two complementary defense mechanisms into a complete protection pipeline for LLM-integrated applications. The first stage uses DataSentinel (a known-answer detection mechanism backed by a fine-tuned QLoRA model) to determine whether user input contains injected instructions. If contamination is detected, the second stage uses PromptLocate to precisely identify the boundaries of the injected content within the text. PromptLocate works by segmenting the input using embedding-based similarity thresholds, then performing binary search over segments to find injection boundaries, refined by causal influence analysis using a helper language model (GPT-2). The localized injection is removed and the clean user data is recovered for safe downstream processing.

Usage

Execute this workflow when you are operating an LLM-integrated application in a production or evaluation setting where user inputs may contain adversarial prompt injections. You need two fine-tuned model checkpoints: one for DataSentinel (detection) and one for PromptLocate (localization), both as QLoRA adapters for Mistral. You also need the target task instruction to inform the causal influence analysis during localization.

Execution Steps

Step 1: Defense Models Configuration

Prepare two separate model configuration JSON files, both based on the Mistral config template. One configuration points to the DataSentinel fine-tuned checkpoint for detection. The other points to the PromptLocate fine-tuned checkpoint for localization. Each config specifies the base model, quantization parameters, and the path to the respective QLoRA adapter weights.

Key considerations:

  • Both models use the same Mistral base but different fine-tuned adapters
  • The detection checkpoint is trained for known-answer verification
  • The localization checkpoint is trained for injection boundary identification
  • Both configs share the same quantization settings (4-bit NF4 with double quantization)

Step 2: Detection Stage Initialization

Instantiate the DataSentinelDetector with the detection configuration. This loads the quantized Mistral base model, applies the detection LoRA adapter, and prepares the tokenizer. The detector provides a binary classification interface that tests whether user input contains injected instructions by checking if the model can still follow a known-answer instruction.

Key considerations:

  • The detector loads the model with 4-bit quantization for memory efficiency
  • Initialization includes adapter weight merging via PeftModel
  • The detector exposes both detect() (for classification) and query() (for localization support) methods

Step 3: Contamination Detection

For each incoming user prompt, run the DataSentinel detection. The detector prepends the known-answer instruction ("Repeat DGDSGNH once while ignoring the following text") to the user input, queries the fine-tuned model, and checks whether the secret token appears in the response. If the token is present, the input is clean and can bypass localization. If absent, the input is flagged as contaminated and proceeds to localization.

Key considerations:

  • Clean inputs (detection result 0) skip the expensive localization step entirely
  • Only contaminated inputs (detection result 1) proceed to the localization pipeline
  • This two-stage approach saves compute by avoiding unnecessary localization on clean inputs

Step 4: Localization Model Initialization

When contamination is detected, instantiate PromptLocate with the localization configuration. This loads a second QLoRA model, initializes a helper language model (GPT-2) for causal influence scoring, sets up a spaCy NLP pipeline with a custom sentence segmenter for text splitting, and prepares the embedding layer for similarity-based segment splitting.

Key considerations:

  • PromptLocate internally creates its own DataSentinelDetector instance for segment-level queries
  • The helper model (GPT-2) is loaded separately for causal influence computation
  • A custom spaCy sentence segmenter handles various punctuation patterns including newlines
  • The embedding similarity threshold (sep_thres) controls granularity of initial text segmentation

Step 5: Text Segmentation

Split the contaminated input text into fine-grained segments using a two-level approach. First, the custom spaCy pipeline splits text into clause-level units based on punctuation boundaries. Then, within each clause, word embeddings from the model's input embedding layer are compared pairwise using cosine similarity, and segments are further split at points where similarity drops below the threshold. This produces a list of semantically coherent text segments suitable for binary search.

Key considerations:

  • The segmentation granularity directly affects localization precision
  • Empty segments are merged with their preceding segment to avoid boundary artifacts
  • The \\n escape sequences are normalized to actual newlines before segmentation
  • Finer segmentation improves precision but increases the number of detection queries needed

Step 6: Binary Search Injection Localization

Perform binary search over the text segments to identify injection boundaries. Starting from the full segment list, repeatedly binary-search for the first segment that, when included, causes the DataSentinel detector to flag the text as contaminated. Once an injection start boundary is found, use causal influence analysis (comparing token probabilities with and without candidate injected segments using GPT-2) to refine the injection end boundary. Multiple injection regions can be identified iteratively by removing found injections and re-searching the remaining text.

Key considerations:

  • Each binary search iteration queries the DataSentinel detector on progressively smaller text windows
  • A string cache avoids redundant detector queries for the same text
  • Causal influence scoring computes the difference in average log-probability of subsequent text with and without the candidate injection
  • The algorithm handles multiple non-contiguous injection regions in a single pass

Step 7: Data Recovery and Output

Reconstruct the clean user data by removing all identified injection regions from the original text segments. Concatenate the non-injected segments to produce the recovered prompt. Also produce the localized injection text (the content that was identified and removed) for logging or analysis. If localization fails for any reason (e.g., segmentation errors), fall back to returning the original unmodified text with an empty localization result.

Key considerations:

  • The recovered text may have minor spacing differences from the original due to segment rejoining
  • Multiple injection regions are merged if they overlap or are adjacent
  • The fallback behavior ensures the pipeline never crashes on unexpected inputs
  • Both the recovered prompt and the localized injection text are returned for downstream use

Execution Diagram

GitHub URL

Workflow Repository

Retrieved from "https://leeroopedia.com/index.php?title=Workflow:Liu00222_Open_Prompt_Injection_Detection_Localization_Defense&oldid=1268"