PRSA: Prompt Stealing Attacks against Real-World Prompt Services

📄 arXiv: 2402.19200v3 📥 PDF

作者: Yong Yang, Changjiang Li, Qingming Li, Oubo Ma, Haoyu Wang, Zonghui Wang, Yandong Gao, Wenzhi Chen, Shouling Ji

分类: cs.CR, cs.CL

发布日期: 2024-02-29 (更新: 2025-06-12)

备注: This is the extended version of the paper accepted at the 34th USENIX Security Symposium (USENIX Security 2025)


💡 一句话要点

提出PRSA框架以应对真实环境中的提示盗窃攻击

🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)

关键词: 提示盗窃 安全防护 大型语言模型 输入输出分析 知识产权保护 攻击框架 深度学习

📋 核心要点

  1. 现有方法在真实环境中对提示服务的提示泄露问题研究不足,攻击成功率较低。
  2. PRSA框架通过有限的输入输出分析推断提示意图,生成能够复制原始功能的提示。
  3. 实验结果显示,PRSA在提示市场和LLM应用商店的攻击成功率显著提升,且揭示了新的安全隐患。

📝 摘要(中文)

近年来,大型语言模型(LLMs)因其卓越能力而备受关注。提示是LLMs功能和性能的核心,成为高度有价值的资产。随着对高质量提示的依赖增加,提示服务的快速增长也带来了潜在的提示泄露风险,攻击者可能复制原始功能,创建竞争产品,严重侵犯开发者的知识产权。尽管存在这些风险,现实中提示服务的提示泄露问题仍未得到充分探讨。本文提出了PRSA,一个旨在进行提示盗窃的实用攻击框架。PRSA通过有限的输入输出分析推断提示的详细意图,并成功生成能够复制原始功能的盗窃提示。广泛的评估表明,PRSA在两种主要类型的真实提示服务中表现出色。与之前的研究相比,其在提示市场的攻击成功率从17.8%提升至46.1%,在LLM应用商店的成功率从39%提升至52%。

🔬 方法详解

问题定义:本文旨在解决真实环境中提示服务的提示盗窃问题。现有方法在攻击成功率和适用性上存在不足,未能有效应对提示泄露的风险。

核心思路:PRSA框架通过分析输入输出的关系,推断提示的意图,从而生成能够复制原始功能的提示。这种设计使得攻击者能够在信息有限的情况下进行有效的提示盗窃。

技术框架:PRSA的整体架构包括输入输出分析模块、意图推断模块和提示生成模块。首先,通过对输入和输出的分析,提取关键信息;然后,推断出提示的意图;最后,生成相应的盗窃提示。

关键创新:PRSA的主要创新在于其通过有限的输入输出分析实现高效的提示意图推断,显著提高了攻击成功率。这与现有方法依赖大量数据进行攻击的方式形成了鲜明对比。

关键设计:在PRSA中,设计了特定的参数设置和损失函数,以优化提示生成的质量和准确性。此外,采用了深度学习网络结构来增强模型的学习能力和泛化能力。通过这些设计,PRSA能够在多种真实场景中有效运作。

🖼️ 关键图片

fig_0
fig_1
fig_2

📊 实验亮点

实验结果显示,PRSA在提示市场的攻击成功率从17.8%提升至46.1%,在LLM应用商店的成功率从39%提升至52%。此外,在对OpenAI GPT Store中热门教育应用“Math”的攻击中,PRSA揭示了一个之前未被发现的隐藏彩蛋,进一步验证了其有效性。

🎯 应用场景

该研究的潜在应用领域包括提示服务的安全防护、知识产权保护以及大型语言模型的安全性评估。随着提示服务的普及,PRSA框架能够帮助开发者识别和防范潜在的提示盗窃风险,维护其知识产权,促进安全的AI应用环境。未来,该研究可能推动更多针对提示泄露的防御机制的开发与实施。

📄 摘要(原文)

Recently, large language models (LLMs) have garnered widespread attention for their exceptional capabilities. Prompts are central to the functionality and performance of LLMs, making them highly valuable assets. The increasing reliance on high-quality prompts has driven significant growth in prompt services. However, this growth also expands the potential for prompt leakage, increasing the risk that attackers could replicate original functionalities, create competing products, and severely infringe on developers' intellectual property. Despite these risks, prompt leakage in real-world prompt services remains underexplored. In this paper, we present PRSA, a practical attack framework designed for prompt stealing. PRSA infers the detailed intent of prompts through very limited input-output analysis and can successfully generate stolen prompts that replicate the original functionality. Extensive evaluations demonstrate PRSA's effectiveness across two main types of real-world prompt services. Specifically, compared to previous works, it improves the attack success rate from 17.8% to 46.1% in prompt marketplaces and from 39% to 52% in LLM application stores, respectively. Notably, in the attack on "Math", one of the most popular educational applications in OpenAI's GPT Store with over 1 million conversations, PRSA uncovered a hidden Easter egg that had not been revealed previously. Besides, our analysis reveals that higher mutual information between a prompt and its output correlates with an increased risk of leakage. This insight guides the design and evaluation of two potential defenses against the security threats posed by PRSA. We have reported these findings to the prompt service vendors, including PromptBase and OpenAI, and actively collaborate with them to implement defensive measures.