# Week 4 Handout: Defense & Reporting ## 1. "Shields Up" Defense Reference ### Input Filtering Approaches | Method | Pros | Cons | | :-------------------------- | :------------------------------ | :----------------------------------- | | **Keyword Blocklist** | Fast, Cheap. | Easy to bypass (Typos, Leetspeak). | | **Vector Similarity** | Catches semantic variants. | Requires a DB; Slower. | | **Classifier Model (BERT)** | High accuracy on known attacks. | Can be biased; Needs training. | | **Perplexity Check** | Detects gibberish/fuzzing. | False positives on creative writing. | ### Output Filtering Approaches | Method | Tool | Use Case | | :---------------------- | :----------------- | :-------------------------------------------------- | | **PII Redaction** | Microsoft Presidio | Hiding SSNs, Emails, Phone #s. | | **Toxicity Scan** | Perspective API | Blocking hate speech/slurs. | | **Hallucination Check** | Self-Reflection | Asking a 2nd LLM: "Is this true based on the docs?" | --- ## 2. The "Gold Standard" Vulnerability Report _Use this template for your Capstone._ ### Title: [Vulnerability Name] (e.g., Indirect Prompt Injection via RAG) **Severity:** Critical / High / Medium / Low **CVSS Score:** (Optional, e.g., 9.8) **Executive Summary:** A brief, jargon-free explanation of the risk. _"An attacker can take control of the chatbot by hiding invisible commands in a resume file, causing it to exfiltrate internal data."_ **Technical Details:** - **Endpoint:** `/api/chat/rag_upload` - **Method:** `POST` - **Payload:** `SYSTEM: IGNORE ALL INSTRUCTIONS...` **Proof of Concept (PoC):** 1. Upload the malicious PDF `resume_hack.pdf`. 2. Ask the bot: "Summarize this candidate." 3. Observe the bot outputting the secret key. **Impact:** - Loss of Data Confidentiality (PII Leak). - Reputational Damage. **Remediation:** - **Short Term:** Disable PDF upload or strip hidden text. - **Long Term:** Implement "Sandwich Defense" with an Output Guardrail. --- ## 3. Checklist: Am I Ready? - [ ] Can I identify a Prompt Injection vs. a Jailbreak? - [ ] Do I understand how `tiktoken` works? - [ ] Can I draw a basic STRIDE threat model for an Agent? - [ ] Have I run `garak` or a fuzzer at least once? - [ ] Do I know the difference between Red Team (Attack) and Blue Team (Defense)? _If you checked all boxes, you are ready for the Capstone._