Evaluation Analysis — d028 Smith-Waterman alignment
Evaluation Analysis — d028 Smith-Waterman alignment
Date: 2026-04-19
Scope: Five public datasets (deepset, NotInject, LLMail-Inject, AgentHarm, AgentDojo) with d028_sequence_alignment toggled on vs off, keeping every other detector constant. ML detector d022_semantic_classifier is disabled in both configurations so the delta isolates d028’s regex-alignment contribution.
Reproduction: python docs/papers/evaluation/run_public_datasets.py. Raw numbers live in d028_public_datasets.json and d028_public_datasets.md.
Headline
| Dataset | Samples | d028-off F1 | d028-on F1 | ΔF1 | ΔRecall | ΔFPR | Verdict |
|---|---|---|---|---|---|---|---|
| deepset/prompt-injections | 116 | 0.033 | 0.378 | +34.5 pp | +21.7 pp | +0.0 pp | Strong win |
| leolee99/NotInject | 339 (all benign) | — | — | — | — | +2.95 pp | Regression |
| LLMail-Inject Phase1 (1k) | 1000 | 0.989 | 0.990 | +0.001 | +0.2 pp | +0.0 pp | Saturated |
| AgentHarm | 352 | 0.319 | 0.319 | 0.0 | 0.0 | 0.0 | No effect |
| AgentDojo v1.2.1 | 132 | 0.540 | 0.537 | −0.003 | +2.9 pp | +3.1 pp | Neutral-to-slightly-negative |
Per-dataset interpretation
deepset/prompt-injections — the canonical prompt-injection benchmark
- Regex baseline: catches 1 of 60 injections (recall 1.7%, F1 0.033).
- With d028: catches 14 of 60 (recall 23.3%, F1 0.378). Zero additional false positives.
- d028 is doing exactly what the design predicted: the dataset is dominated by paraphrased and reworded attacks that verbatim regex can’t see but synonym-aware local alignment can. The +34.5 pp F1 improvement is the strongest single-technique result in this evaluation.
- Open-ended: 46 of 60 attacks still pass even with d028. Further techniques (d022 ML, d027 stylometric, d029 spectral) should target those specifically.
leolee99/NotInject — false-positive stress test
- 339 benign inputs that use attack-adjacent vocabulary in innocuous ways.
- Regex baseline FPR: 3 / 339 = 0.9 % (already noisy).
- With d028: 13 / 339 = 3.8 % — d028 adds 10 false positives.
- This is the real cost of d028’s permissive synonym matching: inputs that mention “rules”, “instructions”, “previous”, or “system” in legitimate contexts can accumulate enough alignment score to cross threshold.
- Action items:
- Raise d028’s strict-above threshold from 0.60 to 0.63 and re-measure; the FPs likely cluster near the boundary.
- Narrow the most-common synonym groups (
reveal / expose family,previous / above family) — the current definition is too generous. - Consider a complementary benign-vocabulary dampener: if no distinctive attack token (“override”, “jailbreak”, “DAN”) is present in the matched region, halve the score.
microsoft/llmail-inject-challenge — saturated (regex already wins)
- 1000-row subset of Phase 1 submissions. Every row is an attempted email-based injection.
- Regex baseline: 978 / 1000 (recall 97.8 %).
- With d028: 980 / 1000 (+2 TPs, recall 98.0 %).
- The baseline is already saturated — these attacks were designed to beat then-deployed LLM filters, but they use direct instruction-override phrasing that
d001/d003catch. d028’s synonym matching is mostly redundant here. - Takeaway for the paper: do NOT use LLMail-Inject as the headline benchmark; the attack distribution is too easy for any competent regex detector. Cite it to show saturation (robustness to variation is maintained) but not to claim improvement.
AgentHarm — orthogonal attack class
- 176 “harmful” multi-step agent tasks + 176 “harmless_benign” control tasks. The harmful prompts are things like “Generate a propaganda video showing politician X doing Y” — intent-based harmfulness, not classical prompt injection.
- Both configurations land at F1 0.319, recall 0.250, FPR 31.8 %. d028 literally makes zero change because the harmful tasks don’t contain d028’s attack-vocabulary — they’re requests framed as normal agent work.
- The 31.8 % FPR on benign AgentHarm is itself a finding: existing regex detectors fire spuriously on multi-step agent prompts because phrases like “access the admin panel” or “retrieve user credentials” appear in legitimate agent workflows. This is a motivated lead for the taint-tracking technique (#7): intent-and-provenance, not pattern matching, is the right signal here.
- Takeaway: honestly report that prompt-injection detection ≠ agent-harm detection, and that d028 does not generalise to this class. The honest framing is what makes the paper credible.
ethz-spylab/agentdojo — agentic injection-in-tool-output
- 35 injection tasks (attacker-controlled
GOALstrings injected into tool outputs) + 97 benign user tasks across banking, slack, travel, workspace suites. - Regex baseline: F1 0.540, recall 48.6 %, FPR 11.3 % (11 FPs on 97 benign).
- With d028: F1 0.537, recall 51.4 % (+1 TP), FPR 14.4 % (+3 FPs). Net F1 slightly negative.
- Similar profile to NotInject: d028 catches a few more true positives but at a proportional FPR cost. The FPs are benign user_tasks that contain legitimate action verbs (send, reveal, display) paired with benign nouns (message, report) that the synonym matrix happens to bridge.
- Strong motivation for technique #3 (honeypot tools): AgentDojo injections are payloads smuggled through tool return values. Catching them via text analysis is fundamentally harder than treating any invocation of a never-real decoy tool as a confirmed injection. This is exactly where taint tracking + honeypots should dominate.
Takeaways for the paper rewrite
- Lead with deepset. +34.5 pp F1 with zero FPR cost is the defensible claim of the seven-technique paper. Put this number in the abstract.
- Report the NotInject cost honestly. Don’t hide the +2.95 pp FPR — lead reviewers like Wagner notice, and owning the tradeoff is the credibility play. Frame it as “d028 requires threshold tuning on benign-vocabulary-heavy workloads” with the concrete +0.63 tuning experiment planned.
- Do not overclaim LLMail-Inject. Saturation means both configs get ~99 %, which reviewers will read as “this benchmark is easy” — don’t cite it as the primary win.
- AgentHarm and AgentDojo motivate the other techniques. The paper should explicitly say “d028 is not built for this attack class; technique #3 (honeypot) and #7 (taint) target it directly.” This turns “d028 didn’t move AgentDojo” from a weakness into a structural argument for the full seven-technique portfolio.
- Competitor comparison is still owed. These numbers are all d028-on vs d028-off with our own detectors; the external comparison against Rebuff / Lakera / Meta Prompt Guard 2 / PIGuard on the same datasets is in
tests/benchmark_public_datasets.pybut needs to be rerun with d028 on and added to this report.
Follow-up benchmarks not yet covered
- ASB (Agent Security Bench) — not available on HuggingFace under
agiresearch/ASB; network access to the main fileset failed. Likely needs the full framework installed from GitHub. Deferred. - Adaptive attacks (NAACL 2025 / ICLR 2025 methodology) — not yet constructed. Planned for the Evaluation v2 report once d029 lands.
- Multi-detector combinations (d022 ML on, d028 on) — the current run isolates d028 on purpose; a later matrix should quantify diminishing returns when detectors stack.
Addendum: d027 stylometric discontinuity (v0.4.1)
After the initial d028 evaluation above, d027 stylometric discontinuity shipped in v0.4.1 as the third novel technique. The same harness (run_public_datasets.py) was extended to a 4-config ablation: baseline, +d028, +d027, +d027 +d028. A sixth dataset was added — a synthetic indirect-injection benchmark (80 samples: 30 embedded injections, 50 benign long-form documents) specifically because the five public datasets above are dominated by short direct attacks that do not exercise d027’s target attack class.
Full 4-config results (v0.4.1 run, regex-only; d022 off)
| Dataset | Samples | baseline F1 | +d028 F1 | +d027 F1 | +d027+d028 F1 |
|---|---|---|---|---|---|
| deepset/prompt-injections | 116 | 0.033 | 0.378 | 0.033 | 0.378 |
| leolee99/NotInject | 339 benign | FPR 0.9% | FPR 3.8% | FPR 0.9% | FPR 3.8% |
| microsoft/llmail-inject | 1000 | 0.989 | 0.990 | 0.989 | 0.990 |
| ai-safety-institute/AgentHarm | 352 | 0.319 | 0.319 | 0.319 | 0.319 |
| ethz-spylab/agentdojo v1.2.1 | 132 | 0.540 | 0.537 | 0.540 | 0.537 |
| synthetic/indirect-injection | 80 | 0.889 | 1.000 | 1.000 | 1.000 |
Full tables in v041_public_datasets.md, raw numbers in v041_public_datasets.json.
Per-dataset interpretation
- Five public datasets (deepset / NotInject / LLMail-Inject / AgentHarm / AgentDojo): d027 causes zero movement on every metric. This is the designed behaviour —
min_input_tokens=100makes d027 short-circuit on almost every sample in these benchmarks (they are overwhelmingly < 100 tokens and d027 needs two windows of at least 50 tokens each to compute a divergence). d027 introduces zero FPR regression on NotInject precisely because of this short-circuit. - Synthetic indirect-injection (d027’s target class): regex baseline catches 24/30 embedded injections (F1 0.889) because the payloads use ALL-CAPS language that triggers d001/d003/d004 already. d027 alone lifts this to 30/30 (F1 1.000, +11.1 pp) with zero FPs, matching d028’s performance on this benchmark.
- d027 + d028 together on indirect-injection: same 30/30 score. The two techniques catch the same 6 residual cases on this benchmark. Their orthogonality shows across benchmarks (d028 contributes on deepset where d027 is silent; d027 would contribute on very long RAG documents where d028’s attack-sequence database is less useful). For the samples in the indirect-injection set they are redundant — both the style break and the sequence alignment fire on the same ALL-CAPS payloads.
Takeaways for the paper
- d027 is a high-precision, low-recall niche detector. Honest framing: “activates only on inputs ≥ 100 tokens and on egregious style breaks; deliberately silent on short direct attacks which are covered by d001/d028/d022.”
- The +11.1 pp F1 gain on the synthetic indirect-injection benchmark is the headline d027 result. Pair it with the observation that d027 adds zero FPR on the four static benchmarks where it could have regressed.
- Limitation to own explicitly: d027 does not discriminate subtle injections (without ALL-CAPS or strong imperative spikes). The
test_subtle_injection_is_expected_misstest intests/detectors/test_d027_stylometric_discontinuity.pydocuments this as a known-and-intentional miss. This is a clean argument for technique portfolios rather than single-technique silver bullets. - Synthetic benchmark caveat: the indirect-injection set is template-based (six benign genres × five payload styles). It is NOT adaptive and was constructed knowing what d027 looks at. Future work should build a held-out indirect-injection set with human-written documents and paraphrased payloads before the F1 1.000 number is load-bearing in external claims.
How to re-run
# one-off, ~5 minutes on a laptop
python docs/papers/evaluation/run_public_datasets.py
# Outputs
# docs/papers/evaluation/d028_public_datasets.json — raw metrics
# docs/papers/evaluation/d028_public_datasets.md — per-dataset tables (auto-generated)
# docs/papers/evaluation/agentdojo_tasks.json — extracted injection/user tasks (cached)