Module SDD-B09 — Prompt Injection Detection Models

Prompt Injection Detection Models

B2's Layer 4 uses a secondary model to check 'does this content contain overriding instructions?' before inserting it into the agent's context. This deep-dive expands Layer 4 into the full detection-model analysis: the two families (dedicated classifiers like DeBERTa/RoBERTa fine-tunes, Llama Prompt Guard, ProtectAI; and the secondary-LLM-as-detector approach), their accuracy in practice (benchmark 95-99%+ vs deployment 84-90% vs adversarial out-of-distribution lower still), how attackers evade them (the cat-and-mouse dynamic, the dual-injection problem where a payload must evade the detector AND compromise the primary, the correlated-bypass weakness when detector and primary share a model class), and how to compose them into a defense-in-depth stack where they are a layer, not a silver bullet. The detector is itself a model, and models are injectable. External placement stops DISABLE but not EVADE. Covers the five-step measurement methodology (in-dist + OOD corpus, per-detector bypass, false-positive tax, end-to-end, correlated-bypass test) and the state of the art: detection is necessary but not sufficient; deterministic layers bound the worst case.

45
minutes
8
artifacts
3
sub-sections
B2's Layer 4 uses a secondary model to check 'does this content contain overriding instructions?' before inserting it into the agent's context. This deep-dive expands Layer 4 into the full detection-model analysis: the two families (dedicated classifiers like DeBERTa/RoBERTa fine-tunes, Llama Prompt Guard, ProtectAI; and the secondary-LLM-as-detector approach), their accuracy in practice (benchmark 95-99%+ vs deployment 84-90% vs adversarial out-of-distribution lower still), how attackers evade them (the cat-and-mouse dynamic, the dual-injection problem where a payload must evade the detector AND compromise the primary, the correlated-bypass weakness when detector and primary share a model class), and how to compose them into a defense-in-depth stack where they are a layer, not a silver bullet. The detector is itself a model, and models are injectable. External placement stops DISABLE but not EVADE. Covers the five-step measurement methodology (in-dist + OOD corpus, per-detector bypass, false-positive tax, end-to-end, correlated-bypass test) and the state of the art: detection is necessary but not sufficient; deterministic layers bound the worst case.
Key Claims
Load-Bearing Claims

The detection model is itself a model, and models are injectable. External placement protects the detector from being DISABLED by a compromised agent (the Course 1 Module 0.2 principle); it does NOT protect it from being EVADED by an input crafted against its decision boundary. The detector runs; it classifies the adversarial payload as benign. This is SDD-B08's load-bearing vulnerability restated at the detector layer.

Benchmark accuracy is 95-99%+; real-world, false-positive-constrained accuracy is 84-90%; adversarial, out-of-distribution accuracy is lower still and decays over time. The gap is an adversarial property with three causes: distribution shift, the false-positive tax, and adversarial adaptation. The number you operate on is the out-of-distribution, FP-constrained, adversarially-adapted rate — and no vendor reports it.

The dual-injection problem: an indirect payload must simultaneously evade the detector AND compromise the primary model. The dual constraint helps against naive attackers but is a targeting signal for adaptive ones — the detector's fixed decision boundary is probeable, and a payload engineered into its false-negative region while still carrying the injection is the attacker's goal. The correlated case (detector and primary share a model class) makes this easier than the independence assumption predicts.

The detector is the highest-value single layer for indirect-injection defense, but it is a layer, not a boundary. The only layers without an evasion surface are the deterministic ones (IronCurtain, the harness scope gate). The end-to-end bypass rate is the product of the model-layer residuals, floored by the harness gate. Detection is necessary; it is not sufficient. The boundary is deterministic; the detector bounds the volume of adversarial traffic the boundary and the primary model must handle.

After This Module
01
Explain the two families of prompt-injection detection models — dedicated classifier models (DeBERTa/RoBERTa fine-tunes, Llama Prompt Guard, ProtectAI) and the secondary-LLM-as-detector approach — and the tradeoffs of each: latency, cost, false-positive rate, and adversarial evasion surface.
02
Describe how detection models are trained, what they classify (the overriding-instruction signal), and why benchmark accuracy (95-99%+) diverges from real-world bypass rates (84-90% with meaningful false-positive ceilings).
03
Analyze the cat-and-mouse dynamic: a detection model is a model, and an attacker can craft inputs against the detector's own surface (adversarial evasion, the dual-injection problem, the correlated-bypass weakness).
04
Apply the five-step measurement methodology: per-detector and end-to-end bypass rates over N attempts, the false-positive tax, and the correlated-bypass test.
05
Compose detection models into B2's defense-in-depth stack: detector as Layer 4, composed with input/output rails, the deterministic boundary, and harness controls — where the detector bounds volume and deterministic layers bound the worst case.
06
Articulate the state of the art: the benchmark-vs-deployment gap, the adversarial arms race, and why detection is necessary-but-not-sufficient for indirect-injection defense.
Artifacts