Prompt Obfuscation for Large Language Models

arXiv - CS - Cryptography and Security Pub Date : 2024-09-17 DOI:arxiv-2409.11026

David Pape, Thorsten Eisenhofer, Lea Schönherr

{"title":"Prompt Obfuscation for Large Language Models","authors":"David Pape, Thorsten Eisenhofer, Lea Schönherr","doi":"arxiv-2409.11026","DOIUrl":null,"url":null,"abstract":"System prompts that include detailed instructions to describe the task\nperformed by the underlying large language model (LLM) can easily transform\nfoundation models into tools and services with minimal overhead. Because of\ntheir crucial impact on the utility, they are often considered intellectual\nproperty, similar to the code of a software product. However, extracting system\nprompts is easily possible by using prompt injection. As of today, there is no\neffective countermeasure to prevent the stealing of system prompts and all\nsafeguarding efforts could be evaded with carefully crafted prompt injections\nthat bypass all protection mechanisms.In this work, we propose an alternative\nto conventional system prompts. We introduce prompt obfuscation to prevent the\nextraction of the system prompt while maintaining the utility of the system\nitself with only little overhead. The core idea is to find a representation of\nthe original system prompt that leads to the same functionality, while the\nobfuscated system prompt does not contain any information that allows\nconclusions to be drawn about the original system prompt. We implement an\noptimization-based method to find an obfuscated prompt representation while\nmaintaining the functionality. To evaluate our approach, we investigate eight\ndifferent metrics to compare the performance of a system using the original and\nthe obfuscated system prompts, and we show that the obfuscated version is\nconstantly on par with the original one. We further perform three different\ndeobfuscation attacks and show that with access to the obfuscated prompt and\nthe LLM itself, we are not able to consistently extract meaningful information.\nOverall, we showed that prompt obfuscation can be an effective method to\nprotect intellectual property while maintaining the same utility as the\noriginal system prompt.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"47 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-09-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Cryptography and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2409.11026","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

System prompts that include detailed instructions to describe the task performed by the underlying large language model (LLM) can easily transform foundation models into tools and services with minimal overhead. Because of their crucial impact on the utility, they are often considered intellectual property, similar to the code of a software product. However, extracting system prompts is easily possible by using prompt injection. As of today, there is no effective countermeasure to prevent the stealing of system prompts and all safeguarding efforts could be evaded with carefully crafted prompt injections that bypass all protection mechanisms.In this work, we propose an alternative to conventional system prompts. We introduce prompt obfuscation to prevent the extraction of the system prompt while maintaining the utility of the system itself with only little overhead. The core idea is to find a representation of the original system prompt that leads to the same functionality, while the obfuscated system prompt does not contain any information that allows conclusions to be drawn about the original system prompt. We implement an optimization-based method to find an obfuscated prompt representation while maintaining the functionality. To evaluate our approach, we investigate eight different metrics to compare the performance of a system using the original and the obfuscated system prompts, and we show that the obfuscated version is constantly on par with the original one. We further perform three different deobfuscation attacks and show that with access to the obfuscated prompt and the LLM itself, we are not able to consistently extract meaningful information. Overall, we showed that prompt obfuscation can be an effective method to protect intellectual property while maintaining the same utility as the original system prompt.

查看原文本刊更多论文

大型语言模型的提示混淆

系统提示包括详细的指令，用于描述底层大型语言模型（LLM）所执行的任务，能够以最小的开销轻松地将基础模型转化为工具和服务。由于系统提示对实用性的重要影响，它们通常被视为知识产权，类似于软件产品的代码。然而，通过使用提示注入（prompt injection）技术，可以轻松提取系统信息。到目前为止，还没有有效的对策来防止系统提示信息被窃取，精心制作的提示信息注入可以绕过所有保护机制，从而规避所有保护措施。我们引入了提示语混淆技术，以防止系统提示语被提取，同时以极小的开销保持系统本身的实用性。其核心思想是找到一种能实现相同功能的原始系统提示的表示方法，而经过混淆处理的系统提示不包含任何可以得出原始系统提示结论的信息。我们采用了一种基于优化的方法，在保持功能的同时找到混淆的提示表示。为了评估我们的方法，我们研究了八种不同的指标，以比较使用原始系统提示和经过混淆处理的系统提示的系统性能。我们还进一步实施了三种不同的混淆攻击，结果表明，在访问混淆提示和 LLM 本身的情况下，我们无法持续提取有意义的信息。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

arXiv - CS - Cryptography and Security

自引率

0.00%

发文量