Zero-Shot Embedding Drift Detection: A Lightweight Defense Against Prompt Injections in LLMs

Researchers introduce Zero-Shot Embedding Drift Detection (ZEDD), a lightweight defense mechanism that detects prompt injection attacks on large language models by measuring semantic shifts in embedding space. The method achieves over 93% accuracy with less than 3% false positives across multiple LLM architectures without requiring model access or task-specific training.

Prompt injection attacks represent a critical vulnerability in production LLM systems, where adversaries manipulate indirect input channels to bypass safety guardrails and trigger harmful outputs. This research addresses a persistent gap in LLM security by proposing a model-agnostic detection layer that operates at the embedding level rather than requiring deep model modifications or inference-time constraints. The ZEDD framework represents an important practical advancement because it functions without access to model internals, eliminating dependency on proprietary systems while remaining generalizable across different LLM architectures including Llama 3, Qwen 2, and Mistral. The approach leverages embedding drift—measurable divergence in semantic space between clean and adversarial prompts—as a robust signal for attack detection, avoiding the resource-intensive retraining cycles that plague traditional security patches. Beyond academia, this development carries significant implications for organizations deploying LLMs in high-stakes applications like customer support, financial services, and healthcare. The sub-3% false positive rate suggests the method can integrate into existing pipelines without excessive operational friction, reducing the security-performance tradeoff that typically plagues defensive systems. As LLM applications proliferate across enterprise environments, the scalability and efficiency of ZEDD positions it as a practical defensive layer addressing adaptive adversarial threats. The comprehensive LLMail-Inject dataset spanning five injection categories provides valuable benchmarking infrastructure for the security research community. Moving forward, adoption metrics and real-world deployment outcomes will determine whether embedding-drift detection becomes a standard defensive component in LLM infrastructure stacks.

• →ZEDD achieves 93%+ accuracy detecting prompt injections across multiple LLM architectures with <3% false positives
• →The method requires no model access, attack-type knowledge, or task-specific retraining, enabling zero-shot deployment
• →Embedding drift in semantic space provides a transferable and robust signal for identifying both direct and indirect injection attempts
• →The approach integrates as a lightweight layer into existing LLM pipelines without significant engineering overhead
• →Comprehensive re-annotated LLMail-Inject dataset spanning five injection categories provides improved benchmarking infrastructure