Combining PromptGuard-2 And AlignmentCheck: A Guide

Hello! It's great to hear you're exploring the capabilities of LlamaFirewall, and specifically, how to combine PromptGuard-2 and AlignmentCheck. You're on the right track aiming for a lower Attack Success Rate (ASR) against prompt injections, particularly within the AgentDojo benchmark. However, it sounds like you've encountered a common challenge: a high false positive rate. Let's dive into how we can address this.

Understanding the Challenge: Lowering ASR While Minimizing False Positives

In the world of AI safety and security, prompt injection attacks are a significant concern. These attacks involve crafting malicious prompts that can manipulate the behavior of large language models (LLMs), potentially leading to unintended or harmful outputs. PromptGuard-2 and AlignmentCheck are powerful tools designed to mitigate these risks. However, effectively combining them requires careful configuration to strike a balance between security and usability.

The goal is to achieve a low ASR, meaning the system effectively blocks malicious prompts, while simultaneously minimizing false positives. False positives occur when legitimate prompts are incorrectly flagged as malicious, disrupting the user experience. This balance is crucial for practical application.

Your current configurations, while well-intentioned, seem to be overly sensitive, resulting in a high false positive rate. This indicates that the rules and thresholds within PromptGuard-2 and AlignmentCheck might be too strict, causing them to flag benign inputs. To resolve this, we need to understand how these tools work and how to fine-tune them for optimal performance. The key here is to find the sweet spot where the combination of PromptGuard-2 and AlignmentCheck provides robust protection without being overly restrictive. Let's explore how we can achieve this balance by examining the roles and configurations within your setup.

Analyzing Your Current Settings

Let's break down the configurations you've tried and identify potential areas for adjustment:

    "promptguard_assistant_only": {
        Role.ASSISTANT: [ScannerType.PROMPT_GUARD, ScannerType.AGENT_ALIGNMENT],
    },
    "promptguard_toolcheck_alignmentcheck_normal": {
        Role.ASSISTANT: [ScannerType.PROMPT_GUARD, ScannerType.AGENT_ALIGNMENT],
        Role.TOOL: [ScannerType.PROMPT_GUARD],
    },
    "promptguard_toolcheck_only_alignmentcheck_normal": {
        Role.ASSISTANT: [ScannerType.AGENT_ALIGNMENT],
        Role.TOOL: [ScannerType.PROMPT_GUARD],
    },
    "promptguard_toolcheck": {
        Role.ASSISTANT: [ScannerType.PROMPT_GUARD, ScannerType.AGENT_ALIGNMENT],
        Role.TOOL: [ScannerType.PROMPT_GUARD, ScannerType.AGENT_ALIGNMENT],
    }

• "promptguard_assistant_only": This setting applies both PromptGuard-2 and AlignmentCheck to the assistant's role. While comprehensive, it might be too strict, leading to false positives if the assistant's responses are being overly scrutinized. The assistant might generate responses that, while harmless, trigger the security checks.
• "promptguard_toolcheck_alignmentcheck_normal": Here, both PromptGuard-2 and AlignmentCheck are applied to the assistant, while only PromptGuard-2 is used for the tool role. This configuration attempts to differentiate between the assistant and tool interactions, but the double-layered security for the assistant could still be a source of false positives. It's crucial to consider whether the tool interactions require the same level of scrutiny as the assistant's primary responses.
• "promptguard_toolcheck_only_alignmentcheck_normal": This configuration focuses AlignmentCheck on the assistant and PromptGuard-2 on the tool. While this reduces the double-checking on the assistant, it may not fully leverage the combined power of both tools. It's a step in the right direction by reducing redundancy, but we need to assess whether the individual checks are sufficient.
• "promptguard_toolcheck": This setting applies both PromptGuard-2 and AlignmentCheck to both the assistant and the tool. This is the most aggressive configuration and is likely the primary culprit for the high false positive rate. The redundancy in checks across both roles significantly increases the chance of benign interactions being flagged.

To effectively combine PromptGuard-2 and AlignmentCheck, we need to refine these configurations to be more targeted and less prone to false positives. Let's explore some strategies for doing just that.

Strategies for Effective Combination

To effectively combine PromptGuard-2 and AlignmentCheck, consider these strategies:

1. Role-Based Configuration: Instead of applying both tools indiscriminately, tailor their use based on the role. The assistant and tool roles might have different security needs. The assistant, being the primary interface, might need a more comprehensive check, while the tool, performing specific tasks, might benefit from a more focused approach.
2. Threshold Tuning: Both PromptGuard-2 and AlignmentCheck likely have sensitivity thresholds. Experiment with adjusting these thresholds to find the optimal balance. Lowering the sensitivity might reduce false positives but could also increase the risk of missed prompt injections. Careful tuning is essential.
3. Prioritize Specific Scenarios: Identify the specific scenarios where prompt injection is most likely. Focus the combined power of PromptGuard-2 and AlignmentCheck on these areas. For example, if certain tool interactions are more vulnerable, apply stricter checks there.
4. Leverage Tool-Specific Checks: PromptGuard-2 might have features tailored for tool interactions. Ensure you're leveraging these to their full potential. These specialized checks can provide more accurate assessments and reduce false positives.
5. Iterative Testing and Refinement: The key to success is iterative testing. Implement a change, test it thoroughly, and refine based on the results. This process will help you progressively improve the configuration and achieve the desired balance between security and usability.
6. Understanding the Strengths of Each Tool: PromptGuard-2 excels at identifying malicious patterns and syntax in prompts, while AlignmentCheck focuses on ensuring the model's responses align with intended behavior and safety guidelines. By understanding these strengths, you can strategically deploy each tool where it's most effective. For instance, use PromptGuard-2 to scrutinize incoming prompts for injection attempts and AlignmentCheck to monitor the model's output for harmful content or deviations from expected behavior.

A Potential Working Example

Based on your setup and the strategies discussed, here’s a potential configuration to try:

    "combined_security_config": {
        Role.ASSISTANT: [
            {
                "scanner": ScannerType.PROMPT_GUARD,
                "threshold": "medium" // Adjust as needed
            },
            {
                "scanner": ScannerType.AGENT_ALIGNMENT,
                "threshold": "medium" // Adjust as needed
            }
        ],
        Role.TOOL: [
            {
                "scanner": ScannerType.PROMPT_GUARD,
                "threshold": "low" // Less strict for tools
            }
        ]
    }

In this example:

• For the Assistant, both PromptGuard-2 and AlignmentCheck are used with a “medium” threshold. This provides a strong level of security while being less aggressive than your initial configurations. The threshold can be adjusted based on testing.
• For the Tool, only PromptGuard-2 is used with a “low” threshold. This acknowledges that tool interactions might be less prone to injection attacks and reduces the chance of false positives.

This configuration aims to strike a better balance by reducing the redundancy of checks and tailoring the security level to the role. Remember, this is just a starting point. You'll need to test and refine these settings based on your specific use case and data.

Practical Steps to Implementation

To implement these strategies effectively, follow these steps:

1. Start with a Baseline: Begin with a known good configuration, perhaps one of your existing settings or the example provided above. This serves as a reference point for comparison.
2. Make Incremental Changes: Change one setting at a time. This allows you to isolate the impact of each adjustment and understand its effect on ASR and false positives. Changing multiple settings simultaneously can make it difficult to diagnose issues.
3. Automated Testing: Set up automated tests using the AgentDojo benchmark or a similar evaluation suite. This ensures consistent and repeatable results. Manual testing is valuable, but automation provides a more rigorous assessment.
4. Monitor Key Metrics: Track ASR, false positive rate, and any other relevant metrics. This data provides the insights needed to make informed decisions about configuration adjustments. Visualizing this data through dashboards can help identify trends and patterns.
5. Document Your Process: Keep detailed records of the changes you make and the results you observe. This documentation will be invaluable for future reference and troubleshooting.

The Importance of Continuous Improvement

Securing LLMs against prompt injection is an ongoing process. The threat landscape is constantly evolving, and new attack vectors emerge regularly. Therefore, it’s crucial to adopt a mindset of continuous improvement. Regularly review and update your security configurations to stay ahead of potential threats.

Engage with the Community

Don't hesitate to engage with the Purple Llama community and other AI security experts. Sharing experiences, insights, and best practices can benefit everyone. Community forums, conferences, and online discussions are excellent venues for collaboration and learning.

Stay Updated on Research

Keep abreast of the latest research in AI security, prompt injection, and LLM vulnerabilities. Academic papers, blog posts, and industry reports can provide valuable insights into emerging threats and mitigation techniques.

By adopting a proactive and iterative approach to security, you can build robust defenses against prompt injection attacks and ensure the safe and reliable operation of your LLM-powered applications. The combination of PromptGuard-2 and AlignmentCheck, when properly configured, is a powerful tool in this endeavor.

Conclusion

Combining PromptGuard-2 and AlignmentCheck for lower ASR and reduced false positives is achievable with careful configuration and iterative testing. By understanding the strengths of each tool, tailoring their application to specific roles, and continuously monitoring performance, you can create a robust defense against prompt injection attacks while maintaining a positive user experience. Remember, the key is to find the sweet spot through experimentation and refinement.

For more in-depth information and resources on AI safety and security, consider exploring reputable sources like OWASP Foundation, which offers valuable insights and best practices in web application security.