ML Security PapersProactive Hardening of LLM Defenses with HASTE
Henry Chen , Victor Aranda , Samarth Keshari , Ryan Heartfield , Nicole Nichols
Published on arXiv
2601.19051
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
Hard-negative mining reduces baseline prompt injection detection by ~64%, but retraining on these hard negatives substantially restores detection efficacy with far fewer iteration loops than baseline strategies.
HASTE (Hard-negative Attack Sample Training Engine)
Novel technique introduced
Prompt-based attack techniques are one of the primary challenges in securely deploying and protecting LLM-based AI systems. LLM inputs are an unbounded, unstructured space. Consequently, effectively defending against these attacks requires proactive hardening strategies capable of continuously generating adaptive attack vectors to optimize LLM defense at runtime. We present HASTE (Hard-negative Attack Sample Training Engine): a systematic framework that iteratively engineers highly evasive prompts, within a modular optimization process, to continuously enhance detection efficacy for prompt-based attack techniques. The framework is agnostic to synthetic data generation methods, and can be generalized to evaluate prompt-injection detection efficacy, with and without fuzzing, for any hard-negative or hard-positive iteration strategy. Experimental evaluation of HASTE shows that hard negative mining successfully evades baseline detectors, reducing malicious prompt detection for baseline detectors by approximately 64%. However, when integrated with detection model re-training, it optimizes the efficacy of prompt detection models with significantly fewer iteration loops compared to relative baseline strategies. The HASTE framework supports both proactive and reactive hardening of LLM defenses and guardrails. Proactively, developers can leverage HASTE to dynamically stress-test prompt injection detection systems; efficiently identifying weaknesses and strengthening defensive posture. Reactively, HASTE can mimic newly observed attack types and rapidly bridge detection coverage by teaching HASTE-optimized detection models to identify them.
Key Contributions
- HASTE: a modular, six-stage closed-loop framework that iteratively engineers evasive prompts via hard-negative mining and fuzzing to stress-test LLM prompt injection detectors
- Experimental demonstration that hard-negative mining reduces malicious prompt detection by ~64% against baseline detectors
- Integration of detection model retraining into the loop, achieving equivalent or better robustness with significantly fewer iteration cycles than baseline strategies