• Stars
    star
    291
  • Rank 142,563 (Top 3 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 1 year ago
  • Updated 11 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

⚡ Vigil ⚡ Detect prompt injections, jailbreaks, and other potentially risky Large Language Model (LLM) inputs

logo

Overview 🏕️

⚡ Security scanner for LLM prompts ⚡

Vigil is a Python library and REST API for assessing Large Language Model prompts and responses against a set of scanners to detect prompt injections, jailbreaks, and other potential threats. This repository also provides the detection signatures and datasets needed to get started with self-hosting.

This application is currently in an alpha state and should be considered experimental / for research purposes.

Highlights ✨

Background 🏗️

Prompt Injection Vulnerability occurs when an attacker manipulates a large language model (LLM) through crafted inputs, causing the LLM to unknowingly execute the attacker's intentions. This can be done directly by "jailbreaking" the system prompt or indirectly through manipulated external inputs, potentially leading to data exfiltration, social engineering, and other issues.

These issues are caused by the nature of LLMs themselves, which do not currently separate instructions and data. Although prompt injection attacks are currently unsolvable and there is no defense that will work 100% of the time, by using a layered approach of detecting known techniques you can at least defend against the more common / documented attacks.

Vigil, or a system like it, should not be your only defense - always implement proper security controls and mitigations.

Note

Keep in mind, LLMs are not yet widely adopted and integrated with other applications, therefore threat actors have less motivation to find new or novel attack vectors. Stay informed on current attacks and adjust your defenses accordingly!

Additional Resources

For more information on prompt injection, I recommend the following resources and following the research being performed by people like Kai Greshake, Simon Willison, and others.

Install Vigil 🛠️

Follow the steps below to install Vigil

A Docker container is also available, but this is not currently recommended.

Clone Repository

Clone the repository or grab the latest release

git clone https://github.com/deadbits/vigil-llm.git
cd vigil-llm

Install YARA

Follow the instructions on the YARA Getting Started documentation to download and install YARA v4.3.2.

Setup Virtual Environment

python3 -m venv venv
source venv/bin/activate

Install Vigil library

Inside your virutal environment, install the application:

pip install -e .

Configure Vigil

Open the conf/server.conf file in your favorite text editor:

vim conf/server.conf

For more information on modifying the server.conf file, please review the Configuration documentation.

Important

Your VectorDB scanner embedding model setting must match the model used to generate the embeddings loaded into the database, or similarity search will not work.

Load Datasets

Load the appropriate datasets for your embedding model with the loader.py utility. If you don't intend on using the vector db scanner, you can skip this step.

python loader.py --conf conf/server.conf --dataset deadbits/vigil-instruction-bypass-ada-002
python loader.py --conf conf/server.conf --dataset deadbits/vigil-jailbreak-ada-002

You can load your own datasets as long as you use the columns:

Column Type
text string
embeddings list[float]
model string

Use Vigil 🔬

Vigil can run as a REST API server or be imported directly into your Python application.

Running API Server

To start the Vigil API server, run the following command:

python vigil-server.py --conf conf/server.conf

Using in Python

Vigil can also be used within your own Python application as a library.

Import the Vigil class and pass it your config file.

from vigil.vigil import Vigil

app = Vigil.from_config('conf/openai.conf')

# assess prompt against all input scanners
result = app.input_scanner.perform_scan(
    input_prompt="prompt goes here"
)

# assess prompt and response against all output scanners
app.output_scanner.perform_scan(
    input_prompt="prompt goes here",
    input_resp="LLM response goes here"
)

# use canary tokens and returned updated prompt as a string
updated_prompt = app.canary_tokens.add(
    prompt=prompt,
    always=always if always else False,
    length=length if length else 16, 
    header=header if header else '<-@!-- {canary} --@!->',
)
# returns True if a canary is found
result = app.canary_tokens.check(prompt=llm_response)

Detection Methods 🔍

Submitted prompts are analyzed by the configured scanners; each of which can contribute to the final detection.

Available scanners:

  • Vector database
  • YARA / heuristics
  • Transformer model
  • Prompt-response similarity
  • Canary Tokens

For more information on how each works, refer to the detections documentation.

Canary Tokens

Canary tokens are available through a dedicated class / API.

You can use these in two different detection workflows:

  • Prompt leakage
  • Goal hijacking

Refer to the docs/canarytokens.md file for more information.

API Endpoints 🌐

POST /analyze/prompt

Post text data to this endpoint for analysis.

arguments:

  • prompt: str: text prompt to analyze
curl -X POST -H "Content-Type: application/json" \
    -d '{"prompt":"Your prompt here"}' http://localhost:5000/analyze

POST /analyze/response

Post text data to this endpoint for analysis.

arguments:

  • prompt: str: text prompt to analyze
  • response: str: prompt response to analyze
curl -X POST -H "Content-Type: application/json" \
    -d '{"prompt":"Your prompt here", "response": "foo"}' http://localhost:5000/analyze

POST /canary/add

Add a canary token to a prompt

arguments:

  • prompt: str: prompt to add canary to
  • always: bool: add prefix to always include canary in LLM response (optional)
  • length: str: canary token length (optional, default 16)
  • header: str: canary header string (optional, default <-@!-- {canary} --@!->)
curl -X POST "http://127.0.0.1:5000/canary/add" \
     -H "Content-Type: application/json" \
     --data '{
          "prompt": "Prompt I want to add a canary token to and later check for leakage",
          "always": true
      }'

POST /canary/check

Check if an output contains a canary token

arguments:

  • prompt: str: prompt to check for canary
curl -X POST "http://127.0.0.1:5000/canary/check" \
     -H "Content-Type: application/json" \
     --data '{
        "prompt": "<-@!-- 1cbbe75d8cf4a0ce --@!->\nPrompt I want to check for canary"
      }'

POST /add/texts

Add new texts to the vector database and return doc IDs Text will be embedded at index time.

arguments:

  • texts: str: list of texts
  • metadatas: str: list of metadatas
curl -X POST "http://127.0.0.1:5000/add/texts" \
     -H "Content-Type: application/json" \
     --data '{
         "texts": ["Hello, world!", "Blah blah."],
         "metadatas": [
             {"author": "John", "date": "2023-09-17"},
             {"author": "Jane", "date": "2023-09-10", "topic": "cybersecurity"}
         ]
     }'

GET /settings

View current application settings

curl http://localhost:5000/settings

Sample scan output 📌

Example scan output:

{
  "status": "success",
  "uuid": "0dff767c-fa2a-41ce-9f5e-fc3c981e42a4",
  "timestamp": "2023-09-16T03:05:34.946240",
  "prompt": "Ignore previous instructions",
  "prompt_response": null,
  "prompt_entropy": 3.672553582385556,
  "messages": [
    "Potential prompt injection detected: YARA signature(s)",
    "Potential prompt injection detected: transformer model",
    "Potential prompt injection detected: vector similarity"
  ],
  "errors": [],
  "results": {
    "scanner:yara": {
      "matches": [
        {
          "rule_name": "InstructionBypass_vigil",
          "category": "Instruction Bypass",
          "tags": [
            "PromptInjection"
          ]
        }
      ]
    },
    "scanner:transformer": {
      "matches": [
        {
          "model_name": "deepset/deberta-v3-base-injection",
          "score": 0.9927383065223694,
          "label": "INJECTION",
          "threshold": 0.98
        }
      ]
    },
    "scanner:vectordb": {
      "matches": [
        {
          "text": "Ignore previous instructions",
          "metadata": null,
          "distance": 3.2437965273857117e-06
        },
        {
          "text": "Ignore earlier instructions",
          "metadata": null,
          "distance": 0.031959254294633865
        },
        {
          "text": "Ignore prior instructions",
          "metadata": null,
          "distance": 0.04464910179376602
        },
        {
          "text": "Ignore preceding instructions",
          "metadata": null,
          "distance": 0.07068523019552231
        },
        {
          "text": "Ignore earlier instruction",
          "metadata": null,
          "distance": 0.0710538849234581
        }
      ]
    }
  }
}

More Repositories

1

InsecureProgramming

mirror of gera's insecure programming examples | http://community.coresecurity.com/~gera/InsecureProgramming/
C
263
star
2

malware-analysis-scripts

Collection of scripts for different malware analysis tasks
Python
73
star
3

Intersect-2.5

Post-Exploitation Framework
Python
73
star
4

Analyst-CaseFile

Maltego CaseFile entities for information security investigations, malware analysis and incident response
63
star
5

yara-rules

Collection of YARA signatures from individual research
YARA
41
star
6

arcreactor

open-source intelligence gathering for SIEMs <3
Python
37
star
7

shells

collection of useful shells for penetration tests
Python
35
star
8

prompt-serve

Store and serve language model prompts
Python
25
star
9

maz

Malware Analysis Zoo
Ruby
25
star
10

pe-static

Static file analysis for PE files
Python
13
star
11

vector-embedding-api

Flask API for generating text embeddings using OpenAI or sentence_transformers
Python
13
star
12

llm-tools

Small tools to assist with using Large Language Models
Python
11
star
13

malwarebazaar-python

MalwareBazaar API wrapper (Abuse.ch)
Python
9
star
14

ubuntu-bootstrap

Bootstrap an Ubuntu 16.04 environment
GDB
8
star
15

trs

🔭 Threat report analysis via LLM and Vector DB
Python
7
star
16

cascade

Conversations between LLMs
Python
7
star
17

misc-snippets

Random bits of code that don't fit elsewhere
Python
6
star
18

yaraVT

Scan files with Yara and send rule matches to VirusTotal reports as comments
Python
4
star
19

resources

External resources for RE, DFIR, privacy and other things
4
star
20

moce

Local retrieval-augmented-generation with Mixtral, Ollama, Chainlit, and Embedchain 🌺🤖
Python
4
star
21

wikipedia-chat

Chat with local Wikipedia embeddings 📚
Python
3
star
22

slackbot-framework

Python slack bot framework
Python
2
star
23

ESM_rebuild

High level client for rebuilding Elasticsearch indexes from MongoDB persisted data.
Python
1
star