PromptRiskDBThreat intelligence atlas

LLM Prompt Self-Replication - AI Security Technique

AI Security Technique

An adversary may use a carefully crafted LLM Prompt Injection designed to cause the LLM to replicate the prompt as part of its output. This allows the prompt to propagate to other LLMs and persist on the system. The self-replicating prompt is typically paired with other malicious instructions (ex: LLM Jailbreak, LLM Data Leakage).

Overview

A source-backed snapshot of this AI security technique.

Tactics1Attacker goals connected to this method.
Mitigations3Defenses that may help against this attack.
AI risks24Research-backed risks connected to this topic.

Technique details

Identifiers, maturity, and source taxonomy for this technique.

ATLAS ID
AML.T0061
Maturity
demonstrated
Priority score
159
ATLAS tactics
Persistence

Attack flow

How to read the public records connected to this technique.

1. TechniqueRead the ATLAS description and evidence level.
2. TacticsSee which attacker goals this method supports.
3. ExamplesCheck whether public case studies mention it.
4. DefensesReview safeguards mapped by ATLAS.
5. SourcesOpen the original public records and references.

Impact

Why this technique may deserve attention in the current dataset.

  • Evidence leveldemonstrated
  • Mapped defenses3 ATLAS mitigation records
  • Public examples1 linked case study records
  • Research risks24 related MIT AI Risk records above the confidence threshold
  • Vulnerabilities0 linked CVE records

Mitigations

Defenses that may help against this attack.

AML.M0020 - Generative AI Guardrails

Guardrails can help prevent replication attacks in model inputs and outputs.

LifecycleML Model Engineering + 2 moreCategoryTechnical - ML
ML Model EngineeringML Model Evaluation+1 more

AML.M0021 - Generative AI Guidelines

Guidelines can help instruct the model to produce more secure output, preventing the model from generating self-replicating outputs.

LifecycleML Model Engineering + 2 moreCategoryTechnical - ML
ML Model EngineeringML Model Evaluation+1 more

AML.M0022 - Generative AI Model Alignment

Model alignment can increase the security of models to self replicating prompt attacks.

LifecycleML Model Engineering + 2 moreCategoryTechnical - ML
ML Model EngineeringML Model Evaluation+1 more

Case studies

Examples from public reports and exercises.

Morris II Worm: RAG-Based Attack

Researchers developed Morris II, a zero-click worm designed to attack generative AI (GenAI) ecosystems and propagate between connected GenAI systems. The worm uses an adversarial self-replicating prompt which uses prompt injection to replicate the prompt as output and perform malicious activity. The researchers demonstrate how this worm can propagate through an email system with a RAG-based assistant. They use a target system that automatically ingests received emails, retrieves past correspondences, and generates a reply for the user. To carry out the attack, they send a malicious email containing the adversarial self-replicating prompt, which ends up in the RAG database. The malicious instructions in the prompt tell the assistant to include sensitive user data in the response. Future requests to the email assistant may retrieve the malicious email. This leads to propagation of the worm due to the self-replicating portion of the prompt, as well as leaking private information due to the malicious instructions.

Date2024-03-05
exercise

Source evidence

Original public records and references for this page.