Canary tokens for prompt injection detection use a unique, high-entropy string planted in an LLM’s context and checked on output to confirm when sensitive prompt data has been extracted. They provide near-zero false positives and low-cost detection, but they do not block attacks or prevent leaks by themselves. #OWASP #LLM #PromptInjection
Keypoints
- Canary tokens detect prompt extraction by spotting a unique planted string in model output.
- The method is cheap, simple, and has near-zero false positives by design.
- Different canaries can be placed in system prompts, tool descriptions, and RAG chunks.
- Stealth canary positions help catch attackers who try to remove obvious markers.
- Canary tokens are detection only and do not stop prompt injection or data exfiltration.
Read More: https://www.toxsec.com/p/canary-tokens-for-prompt-injection