benchmark 2025

Towards Reliable and Practical LLM Security Evaluations via Bayesian Modelling

Mary Llewellyn 1, Annie Gray 1, Josh Collyer 2,1, Michael Harries 1

1 The Alan Turing Institute

2 Loughborough University

0 citations · 74 references · arXiv
α

Published on arXiv

2510.05709

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Considering output variability produces less definitive vulnerability conclusions, but some attacks reveal notably higher susceptibility in both Transformer and Mamba variants when training data and mathematical ability are held constant.

Bayesian hierarchical model with embedding-space clustering

Novel technique introduced

Before adopting a new large language model (LLM) architecture, it is critical to understand vulnerabilities accurately. Existing evaluations can be difficult to trust, often drawing conclusions from LLMs that are not meaningfully comparable, relying on heuristic inputs or employing metrics that fail to capture the inherent uncertainty. In this paper, we propose a principled and practical end-to-end framework for evaluating LLM vulnerabilities to prompt injection attacks. First, we propose practical approaches to experimental design, tackling unfair LLM comparisons by considering two practitioner scenarios: when training an LLM and when deploying a pre-trained LLM. Second, we address the analysis of experiments and propose a Bayesian hierarchical model with embedding-space clustering. This model is designed to improve uncertainty quantification in the common scenario that LLM outputs are not deterministic, test prompts are designed imperfectly, and practitioners only have a limited amount of compute to evaluate vulnerabilities. We show the improved inferential capabilities of the model in several prompt injection attack settings. Finally, we demonstrate the pipeline to evaluate the security of Transformer versus Mamba architectures. Our findings show that consideration of output variability can suggest less definitive findings. However, for some attacks, we find notably increased Transformer and Mamba-variant vulnerabilities across LLMs with the same training data or mathematical ability.

Key Contributions

  • Principled experimental design for fair LLM architecture comparisons that controls for confounding variables (training data, hyperparameters, mathematical ability)
  • Bayesian hierarchical model with embedding-space clustering for uncertainty-aware quantification of prompt injection vulnerability under limited compute and imperfect test prompts
  • Empirical case study showing that accounting for output variability yields less definitive but more reliable vulnerability findings when comparing Transformer vs. Mamba architectures

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llmtransformer
Threat Tags
black_boxinference_time
Applications
llm security evaluationarchitecture comparison
Read PDF arXiv DOI

Similar Papers

benchmark

Say It Differently: Linguistic Styles as Jailbreak Vectors

2025 1 cit.
100%
benchmark

Steering Externalities: Benign Activation Steering Unintentionally Increases Jailbreak Risk for Large Language Models

2026 0 cit.
100%
benchmark

Replicating TEMPEST at Scale: Multi-Turn Adversarial Attacks Against Trillion-Parameter Frontier Models

2025 0 cit.
100%
benchmark

Are LLMs Vulnerable to Preference-Undermining Attacks (PUA)? A Factorial Analysis Methodology for Diagnosing the Trade-off between Preference Alignment and Real-World Validity

2026 0 cit.
100%
benchmark

The Facade of Truth: Uncovering and Mitigating LLM Susceptibility to Deceptive Evidence

2026 0 cit.
100%
benchmark

Hidden-in-Plain-Text: A Benchmark for Social-Web Indirect Prompt Injection in RAG

2026 3 cit.
100%
benchmark

Learning the Wrong Lessons: Syntactic-Domain Spurious Correlations in Language Models

2025 2 cit.
100%
benchmark

AI Security Beyond Core Domains: Resume Screening as a Case Study of Adversarial Vulnerabilities in Specialized LLM Applications

2025 1 cit.
100%