PIGuard: Prompt Injection Guardrail via Mitigating Overdefense for Free

Hao Li; Xiaogeng Liu; Ning Zhang; Chaowei Xiao

doi:10.18653/v1/2025.acl-long.1468

PIGuard: Prompt Injection Guardrail via Mitigating Overdefense for Free

Hao Li
, Xiaogeng Liu
, Ning Zhang
, Chaowei Xiao

Department of Computer Science & Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

2 Scopus citations

Abstract

Prompt injection attacks pose a critical threat to large language models (LLMs), enabling goal hijacking and data leakage. Prompt guard models, though effective in defense, suffer from over-defense-falsely flagging benign inputs as malicious due to trigger word bias. To address this issue, we introduce NotInject, an evaluation dataset that systematically measures over-defense across various prompt guard models. NotInject contains 339 benign samples enriched with trigger words common in prompt injection attacks, enabling fine-grained evaluation. Our results show that state-of-the-art models suffer from over-defense issues, with accuracy dropping close to random guessing levels (60%). To mitigate this, we propose PIGuard, a novel prompt guard model that incorporates a new training strategy, Mitigating Over-defense for Free (MOF), which significantly reduces the bias on trigger words. PIGuard demonstrates state-of-the-art performance on diverse benchmarks including NotInject, surpassing the existing best model by 30.4%, offering a robust and open-source solution for detecting prompt injection attacks. The code and datasets are released at https://github.com/leolee99/PIGuard.

Original language	English
Title of host publication	Long Papers
Editors	Wanxiang Che, Joyce Nabende, Ekaterina Shutova, Mohammad Taher Pilehvar
Publisher	Association for Computational Linguistics (ACL)
Pages	30420-30437
Number of pages	18
ISBN (Electronic)	9798891762510
DOIs	https://doi.org/10.18653/v1/2025.acl-long.1468
State	Published - 2025
Event	63rd Annual Meeting of the Association for Computational Linguistics, ACL 2025 - Vienna, Austria Duration: Jul 27 2025 → Aug 1 2025

Publication series

Name	Proceedings of the Annual Meeting of the Association for Computational Linguistics
Volume	1
ISSN (Print)	0736-587X

Conference

Conference	63rd Annual Meeting of the Association for Computational Linguistics, ACL 2025
Country/Territory	Austria
City	Vienna
Period	07/27/25 → 08/1/25

Access to Document

10.18653/v1/2025.acl-long.1468

Cite this

Li, H., Liu, X., Zhang, N., & Xiao, C. (2025). PIGuard: Prompt Injection Guardrail via Mitigating Overdefense for Free. In W. Che, J. Nabende, E. Shutova, & M. T. Pilehvar (Eds.), Long Papers (pp. 30420-30437). (Proceedings of the Annual Meeting of the Association for Computational Linguistics; Vol. 1). Association for Computational Linguistics (ACL). https://doi.org/10.18653/v1/2025.acl-long.1468

Li, Hao ; Liu, Xiaogeng ; Zhang, Ning et al. / PIGuard : Prompt Injection Guardrail via Mitigating Overdefense for Free. Long Papers. editor / Wanxiang Che ; Joyce Nabende ; Ekaterina Shutova ; Mohammad Taher Pilehvar. Association for Computational Linguistics (ACL), 2025. pp. 30420-30437 (Proceedings of the Annual Meeting of the Association for Computational Linguistics).

@inproceedings{ac6b568dec0741e9912e35f49d26f12f,

title = "PIGuard: Prompt Injection Guardrail via Mitigating Overdefense for Free",

abstract = "Prompt injection attacks pose a critical threat to large language models (LLMs), enabling goal hijacking and data leakage. Prompt guard models, though effective in defense, suffer from over-defense-falsely flagging benign inputs as malicious due to trigger word bias. To address this issue, we introduce NotInject, an evaluation dataset that systematically measures over-defense across various prompt guard models. NotInject contains 339 benign samples enriched with trigger words common in prompt injection attacks, enabling fine-grained evaluation. Our results show that state-of-the-art models suffer from over-defense issues, with accuracy dropping close to random guessing levels (60\%). To mitigate this, we propose PIGuard, a novel prompt guard model that incorporates a new training strategy, Mitigating Over-defense for Free (MOF), which significantly reduces the bias on trigger words. PIGuard demonstrates state-of-the-art performance on diverse benchmarks including NotInject, surpassing the existing best model by 30.4\%, offering a robust and open-source solution for detecting prompt injection attacks. The code and datasets are released at https://github.com/leolee99/PIGuard.",

author = "Hao Li and Xiaogeng Liu and Ning Zhang and Chaowei Xiao",

note = "Publisher Copyright: {\textcopyright} 2025 Association for Computational Linguistics.; 63rd Annual Meeting of the Association for Computational Linguistics, ACL 2025 ; Conference date: 27-07-2025 Through 01-08-2025",

year = "2025",

doi = "10.18653/v1/2025.acl-long.1468",

language = "English",

series = "Proceedings of the Annual Meeting of the Association for Computational Linguistics",

publisher = "Association for Computational Linguistics (ACL)",

pages = "30420--30437",

editor = "Wanxiang Che and Joyce Nabende and Ekaterina Shutova and Pilehvar, \{Mohammad Taher\}",

booktitle = "Long Papers",

}

Li, H, Liu, X, Zhang, N & Xiao, C 2025, PIGuard: Prompt Injection Guardrail via Mitigating Overdefense for Free. in W Che, J Nabende, E Shutova & MT Pilehvar (eds), Long Papers. Proceedings of the Annual Meeting of the Association for Computational Linguistics, vol. 1, Association for Computational Linguistics (ACL), pp. 30420-30437, 63rd Annual Meeting of the Association for Computational Linguistics, ACL 2025, Vienna, Austria, 07/27/25. https://doi.org/10.18653/v1/2025.acl-long.1468

PIGuard: Prompt Injection Guardrail via Mitigating Overdefense for Free. / Li, Hao; Liu, Xiaogeng; Zhang, Ning et al.
Long Papers. ed. / Wanxiang Che; Joyce Nabende; Ekaterina Shutova; Mohammad Taher Pilehvar. Association for Computational Linguistics (ACL), 2025. p. 30420-30437 (Proceedings of the Annual Meeting of the Association for Computational Linguistics; Vol. 1).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - PIGuard

T2 - 63rd Annual Meeting of the Association for Computational Linguistics, ACL 2025

AU - Li, Hao

AU - Liu, Xiaogeng

AU - Zhang, Ning

AU - Xiao, Chaowei

PY - 2025

Y1 - 2025

N2 - Prompt injection attacks pose a critical threat to large language models (LLMs), enabling goal hijacking and data leakage. Prompt guard models, though effective in defense, suffer from over-defense-falsely flagging benign inputs as malicious due to trigger word bias. To address this issue, we introduce NotInject, an evaluation dataset that systematically measures over-defense across various prompt guard models. NotInject contains 339 benign samples enriched with trigger words common in prompt injection attacks, enabling fine-grained evaluation. Our results show that state-of-the-art models suffer from over-defense issues, with accuracy dropping close to random guessing levels (60%). To mitigate this, we propose PIGuard, a novel prompt guard model that incorporates a new training strategy, Mitigating Over-defense for Free (MOF), which significantly reduces the bias on trigger words. PIGuard demonstrates state-of-the-art performance on diverse benchmarks including NotInject, surpassing the existing best model by 30.4%, offering a robust and open-source solution for detecting prompt injection attacks. The code and datasets are released at https://github.com/leolee99/PIGuard.

AB - Prompt injection attacks pose a critical threat to large language models (LLMs), enabling goal hijacking and data leakage. Prompt guard models, though effective in defense, suffer from over-defense-falsely flagging benign inputs as malicious due to trigger word bias. To address this issue, we introduce NotInject, an evaluation dataset that systematically measures over-defense across various prompt guard models. NotInject contains 339 benign samples enriched with trigger words common in prompt injection attacks, enabling fine-grained evaluation. Our results show that state-of-the-art models suffer from over-defense issues, with accuracy dropping close to random guessing levels (60%). To mitigate this, we propose PIGuard, a novel prompt guard model that incorporates a new training strategy, Mitigating Over-defense for Free (MOF), which significantly reduces the bias on trigger words. PIGuard demonstrates state-of-the-art performance on diverse benchmarks including NotInject, surpassing the existing best model by 30.4%, offering a robust and open-source solution for detecting prompt injection attacks. The code and datasets are released at https://github.com/leolee99/PIGuard.

UR - https://www.scopus.com/pages/publications/105021028006

U2 - 10.18653/v1/2025.acl-long.1468

DO - 10.18653/v1/2025.acl-long.1468

M3 - Conference contribution

AN - SCOPUS:105021028006

T3 - Proceedings of the Annual Meeting of the Association for Computational Linguistics

SP - 30420

EP - 30437

BT - Long Papers

A2 - Che, Wanxiang

A2 - Nabende, Joyce

A2 - Shutova, Ekaterina

A2 - Pilehvar, Mohammad Taher

PB - Association for Computational Linguistics (ACL)

Y2 - 27 July 2025 through 1 August 2025

ER -

PIGuard: Prompt Injection Guardrail via Mitigating Overdefense for Free

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this