You Can't Steal Nothing: Mitigating Prompt Leakages in LLMs via System Vectors

Large language models (LLMs) have been widely adopted across various applications, leveraging customized system prompts for diverse tasks. Facing potential system prompt leakage risks, model developers have implemented strategies to prevent leakage, primarily by disabling LLMs from repeating their context when encountering known attack patterns. However, it remains vulnerable to new and unforeseen prompt-leaking techniques. In this paper, we first introduce a simple yet effective prompt leaking attack to reveal such risks. Our attack is capable of extracting system prompts from various LLM-based application, even from SOTA LLM models such as GPT-4o or Claude 3.5 Sonnet. Our findings further inspire us to search for a fundamental solution to the problems by having no system prompt in the context. To this end, we propose SysVec, a novel method that encodes system prompts as internal representation vectors rather than raw text. By doing so, SysVec minimizes the risk of unauthorized disclosure while preserving the LLM's core language capabilities. Remarkably, this approach not only enhances security but also improves the model's general instruction-following abilities. Experimental results demonstrate that SysVec effectively mitigates prompt leakage attacks, preserves the LLM's functional integrity, and helps alleviate the forgetting issue in long-context scenarios.

Key Contributions

• A simple yet effective prompt leaking attack capable of extracting system prompts from state-of-the-art LLMs including GPT-4o and Claude 3.5 Sonnet
• SysVec: encodes system prompts as internal representation vectors rather than raw text in context, fundamentally eliminating the leakage surface
• Empirical evidence that SysVec preserves LLM instruction-following ability and alleviates long-context forgetting as a secondary benefit

🛡️ Threat Analysis

Details

Similar Papers