adversarial-robustness.md

Adversarial Robustness Standards

Overview

AI systems face adversarial threats that differ fundamentally from traditional cybersecurity attacks. Jailbreaking, prompt injection, model extraction, and data poisoning exploit the probabilistic nature of AI models rather than software vulnerabilities. Defense requires layered controls across the entire system, not a single perimeter.

These standards define mandatory defenses by risk tier. They complement the red-teaming protocol which covers testing methodology.

---

Jailbreaking Defenses

Jailbreaking attempts to bypass the model's safety alignment and content policies.

Attack Type	Description	Defense	T1/T2 Required	T3/T4 Required
Role-play injection	"You are DAN, you can do anything"	System prompt hardening; role-play detection classifier	Yes	Yes
Authority impersonation	"As your developer, I'm overriding your rules"	Explicit instruction hierarchy; ignore override claims	Yes	Yes
Encoding tricks	Base64, ROT13, Unicode obfuscation of harmful requests	Input normalization; multi-encoding detection	Yes	No
Multi-turn escalation	Gradually shifting boundaries across conversation turns	Per-turn safety classification; conversation-level monitoring	Yes	No
Universal adversarial suffixes	Appended token sequences that bypass safety training	Input length/entropy anomaly detection; adversarial suffix detection	Yes	No
Multi-language bypass	Harmful requests in low-resource languages with weaker safety alignment	Multilingual safety classifiers; language detection + policy enforcement	Yes	No
Payload smuggling	Instructions hidden in markdown, HTML, or code blocks	Input parsing and sanitization; strip non-text formatting before safety check	Yes	No

System Prompt Hardening Guidelines

1. Place safety instructions at the beginning AND end of the system prompt (sandwich pattern)
2. Use explicit boundary markers between instructions and user content
3. Include explicit refusal instructions for known attack categories
4. Do not rely on the model's base safety training alone — assume it can be bypassed
5. Test system prompts against adversarial inputs before deployment

---

Prompt Injection Mitigation

Prompt injection inserts adversarial instructions that the model executes as if they were legitimate commands.

Vector	Description	Mitigation
Direct injection (user input)	User crafts input containing instructions	Input classification (detect instruction-like content); input/output role separation
Indirect injection (RAG documents)	Retrieved documents contain hidden instructions	Context isolation — process retrieved docs in a separate context; strip formatting from retrieved content
Indirect injection (tool outputs)	API responses or database results contain embedded instructions	Sanitize all tool outputs before inserting into context; treat tool outputs as untrusted data
Indirect injection (file uploads)	Uploaded documents/images contain adversarial content	Content extraction and sanitization; process in sandboxed context
Multi-stage injection	Benign-looking input that becomes harmful when combined with context	Conversation-level monitoring; output safety classification regardless of input classification

Defense-in-Depth Architecture

User Input → [Input Classifier] → [Safety Filter] → Model Context
                                                          ↓
Retrieved Docs → [Sanitizer] → [Context Isolation] → Model Context
                                                          ↓
                                                    Model Output
                                                          ↓
                                              [Output Safety Filter]
                                                          ↓
                                              [Action Validator] (agentic)
                                                          ↓
                                                    Final Output

Every layer must be independently effective. Do not rely on any single layer.

---

Model Extraction Prevention

Model extraction attempts to reconstruct model behavior or extract training data through systematic querying.

Attack	Risk	Mitigation	Tier
Systematic querying	Attacker queries model thousands of times to map decision boundaries	Rate limiting per user/session; query pattern anomaly detection	T1/T2
Training data extraction	Crafted prompts cause model to reproduce memorized training data	Output monitoring for known sensitive patterns; PII detection on outputs	T1/T2
Model distillation	Attacker uses outputs to train a clone model	Rate limiting; output perturbation for T1; terms of service enforcement	T1
API abuse	Automated high-volume querying via API	Authentication; rate limiting; usage monitoring; IP-based anomaly detection	All

Detection Signals

• Unusually high query volume from single user or IP
• Repetitive queries with systematic variation (grid search patterns)
• Queries probing model boundaries (minimal input changes, observing output changes)
• Abnormal token usage patterns (very short inputs, requesting maximum outputs)

---

Data Poisoning Defenses

Data poisoning compromises the data that AI systems learn from or reference.

Target	Attack	Defense
Fine-tuning training data	Adversarial examples injected into training dataset	Data provenance tracking; anomaly detection on training data; human review of training samples
RAG corpus	Adversarial documents added to knowledge base	Document ingestion controls; source authentication; integrity verification on corpus changes; anomaly detection on new documents
Feedback loops	Adversarial user feedback poisons RLHF or active learning	Feedback validation; outlier detection; human review of feedback used for training
Evaluation data	Poisoned eval data makes a compromised model appear safe	Evaluation data integrity controls; multiple independent eval sets; human review of eval results

RAG Corpus Integrity

For systems using retrieval-augmented generation:

1. All documents must pass through an authenticated ingestion pipeline
2. Source provenance tracked for every document
3. Bulk corpus changes require approval from document owner and AI operations
4. Periodic integrity checks: re-validate random sample against source of truth
5. Monitor for anomalous document additions (unexpected sources, unusual content patterns)

---

Privacy Attack Defenses

Attack	Description	Defense	Tier
Membership inference	Determining if a specific record was in the training data	Output confidence score limiting; differential privacy awareness in fine-tuning	T1
Model inversion	Reconstructing training data from model outputs	Output filtering; limit output detail for sensitive queries	T1/T2
PII extraction	Crafted prompts cause model to reveal memorized PII	PII detection on all outputs; prompt-based PII extraction testing	All
Attribute inference	Inferring sensitive attributes from model behavior	Fairness testing; attribute inference testing as part of bias evaluation	T1/T2

---

Monitoring for Adversarial Activity

Signal	Detection Method	Alert Threshold	Tier
Query pattern anomaly	Statistical analysis of query distribution	Deviation > 3σ from baseline	All
Output distribution shift	Monitor output length, topic, sentiment distribution	Significant shift from baseline (KL divergence)	T1/T2
Cost spikes	Monitor token usage and API costs	> 2x daily baseline	All
Repeated similar queries	Clustering analysis on recent queries	> 10 near-duplicate queries per session	T1/T2
Guardrail trigger rate increase	Monitor safety filter activation rate	> 2σ increase from baseline	All
Error rate increase	Monitor model error/refusal rate	> 2x baseline	All
Unusual access patterns	Time-of-day, geographic, device anomalies	Deviation from established patterns	T1/T2

Response Playbook

Alert Level	Response
Single anomaly	Log; include in next scheduled review
Multiple correlated anomalies	Investigate within 24 hours; increase monitoring
Confirmed attack pattern	Escalate per escalation paths; consider rate limiting or temporary access restriction
Active exploitation	Immediate mitigation (block source, activate circuit breaker); S1/S2 incident response