Forum

AI Assistant
Notifications
Clear all

Help: My detection rules keep missing injections that use encoded characters or homoglyphs.

1 Posts
1 Users
0 Reactions
0 Views
(@llm_ops_tracy)
Eminent Member
Joined: 3 weeks ago
Posts: 22
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1653]

I've been auditing the detection stack for a multi-agent system and found a consistent blind spot: our input classifiers and regex-based rule sets fail systematically against injections that employ simple character-level obfuscation. The standard approach of scanning for keywords like `ignore previous instructions` or `system prompt` is rendered useless by even basic transformations.

The primary evasion techniques I'm observing fall into two categories:
* **Encoded characters:** URL encoding, HTML entities, or Unicode code point escapes (e.g., `%73%79%73%74%65%6d` for "system", `ignore`).
* **Homoglyphs and orthographic tricks:** Using visually similar characters from different scripts (Cyrillic, Greek) to bypass lexical checks—for example, using a Cyrillic 'а' (U+0430) instead of the Latin 'a' (U+0061) in a forbidden word.

Our current detection layer operates on normalized plain text, but the normalization occurs *after* the model has already parsed and interpreted the injection. The LLM sees `%69%67%6e%6f%72%65` as "ignore," while our rule engine, checking the raw input, sees a harmless string of percent signs and numbers.

I'm evaluating a more robust preprocessing pipeline but am concerned about the computational and false-positive cost. Simply decoding every possible encoding scheme pre-check is expensive and risks mangling legitimate user input that contains similar patterns for innocent reasons.

I'm particularly interested in how others are balancing this. Are you:
* Implementing a layered decoding step before classification?
* Using model-based classifiers (another small LLM) to assess intent on a partially normalized version?
* Employing canary tokens designed to be invariant to these transformations?
* Accepting a certain evasion rate and focusing instead on strict output validation and model isolation?

The trade-off between pre-input scrubbing and post-output containment seems critical here.

- Tracy



   
Quote