Zing Forum

Robustness of Prompting: Enhancing the Robustness of Large Language Models Against Prompt Attacks

A research project that enhances the robustness of large language models against prompt attacks by automatically generating error correction and guidance instructions, including a test framework with five perturbation types.

Tags: prompt attacks, model robustness, adversarial examples, automatic prompt engineering, AI security, input perturbation
Published 2026-05-27 19:06 · Recent activity 2026-05-27 19:21 · Estimated read 6 min

Section 01

Introduction to the Robustness of Prompting Project

This project aims to enhance the robustness of large language models (LLMs) against prompt attacks. Rather than retraining the model, it stabilizes model behaviour by automatically generating error correction and guidance instructions, and it ships a test framework covering five perturbation types. The project is hosted on GitHub by chuguowei at https://github.com/chuguowei/Robustness-of-Prompting and was published at 2026-05-27T11:06:44Z.


Section 02

Research Background and Motivation

Deployed large language models face prompt attacks: perturbed inputs, whether accidental (typos, transcription errors) or deliberately crafted, cause the model to produce incorrect outputs or to bypass its safety restrictions. This project proposes a systematic response. Unlike traditional adversarial training, it keeps the model's weights fixed and helps the model maintain stable performance on perturbed inputs by automatically generating error correction and guidance instructions that are supplied in the prompt.


Section 03

Definition of Five Perturbation Types

The project defines five typical input perturbation types:

  1. Character-level Error (EC): shuffling the order of characters inside a word (e.g., times→tmies);
  2. Visually Similar Character Substitution (SC): replacing characters with visually similar Unicode characters (e.g., will→wil̈l);
  3. Word Order Scrambling (WOO): swapping the positions of adjacent words (e.g., 6 times older→older 6 times);
  4. Homophone Replacement (HW): replacing words with homophones, i.e. words that sound the same but are spelled differently (e.g., be→bee);
  5. Unrelated Interference Injection (UIC): adding irrelevant information to the prompt to test whether the model filters it out.

Section 04

Four-stage Processing Flow

The project adopts a four-stage process:

  1. Perturbation Generation: Generate five types of adversarial samples from clean questions;
  2. APE Instruction Generation: Use automatic prompt engineering to generate error correction instructions and guidance instructions (core innovation);
  3. Robustness Evaluation: Test the degree of model performance degradation on adversarial samples;
  4. Iterative Optimization: Improve prompt strategies in a closed loop based on evaluation results.
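As an added illustration of this flow (example code written for this page, not code from the Robustness-of-Prompting repository), the Python below implements stage 1 for the five perturbation types from Section 03 and the stage 3 measurement of per-type accuracy degradation. The `instruction` parameter of `robustness_report` is where a stage 2 guidance instruction is prepended to each prompt, and stage 4 amounts to re-running the report with new instruction candidates and keeping the one with the least degradation. The homoglyph and homophone tables, the filler sentence, the three sample questions and the regex-based `standin_model` are all constructed here so the harness runs offline; the stand-in ignores instructions, so a real model client must be plugged in before drawing any conclusion about guidance text.

```python
"""Stages 1 and 3 of the four-stage flow: generate the five perturbation types
(EC, SC, WOO, HW, UIC) from clean questions, then measure how much a model's
accuracy drops on each type. Added example, not code from the Robustness-of-Prompting
repository; tables, filler, sample questions and the stand-in model are constructed."""
import random
import re
import unicodedata
from typing import Callable, Dict, List, Tuple

# Constructed lookup tables (assumptions, not the project's own lists).
HOMOGLYPHS = dict(zip("aeopci", "\u0430\u0435\u043e\u0440\u0441\u0456"))  # Cyrillic look-alikes
HOMOPHONES = {"be": "bee", "to": "two", "two": "too", "four": "for", "one": "won", "there": "their"}
FILLER = "Unrelated: the 9:15 train was delayed 2 times last week."  # competes with the question
_TOKEN = re.compile(r"^(\W*)(\w+)(\W*)$")

def _split(tok: str) -> Tuple[str, str, str]:
    """Split a token into (leading punctuation, core word, trailing punctuation)."""
    m = _TOKEN.match(tok)
    return m.groups() if m else ("", "", tok)

def perturb_ec(q: str, rng: random.Random) -> str:
    """EC: shuffle the interior letters of one word of 4+ letters, e.g. times -> tmies."""
    words = q.split()
    cands = [i for i, w in enumerate(words) if len(set(_split(w)[1][1:-1])) > 1]
    if not cands: return q
    i = rng.choice(cands)
    pre, core, post = _split(words[i])
    inner = list(core[1:-1])
    while "".join(inner) == core[1:-1]:  # reshuffle until the word actually changes
        rng.shuffle(inner)
    words[i] = pre + core[0] + "".join(inner) + core[-1] + post
    return " ".join(words)

def perturb_sc(q: str, rng: random.Random) -> str:
    """SC: replace one Latin letter with a look-alike Cyrillic letter, e.g. will -> wіll."""
    pos = [i for i, ch in enumerate(q) if ch in HOMOGLYPHS]
    if not pos: return q
    i = rng.choice(pos)
    return q[:i] + HOMOGLYPHS[q[i]] + q[i + 1:]

def perturb_woo(q: str, rng: random.Random) -> str:
    """WOO: swap one pair of adjacent punctuation-free words, e.g. '6 times' -> 'times 6'."""
    words = q.split()
    pairs = [i for i in range(len(words) - 1)
             if words[i].isalnum() and words[i + 1].isalnum() and words[i] != words[i + 1]]
    if not pairs: return q
    i = rng.choice(pairs)
    words[i], words[i + 1] = words[i + 1], words[i]
    return " ".join(words)

def perturb_hw(q: str, rng: random.Random) -> str:
    """HW: replace one word with a same-sounding word from the table, e.g. be -> bee."""
    words = q.split()
    cands = [i for i, w in enumerate(words) if _split(w)[1].lower() in HOMOPHONES]
    if not cands: return q
    i = rng.choice(cands)
    pre, core, post = _split(words[i])
    words[i] = pre + HOMOPHONES[core.lower()] + post
    return " ".join(words)

def perturb_uic(q: str, rng: random.Random) -> str:
    """UIC: inject an unrelated sentence before or after the question."""
    return rng.choice([f"{FILLER} {q}", f"{q} {FILLER}"])

PERTURBATIONS: Dict[str, Callable[[str, random.Random], str]] = {
    "EC": perturb_ec, "SC": perturb_sc, "WOO": perturb_woo, "HW": perturb_hw, "UIC": perturb_uic}

def perturb_all(q: str, seed: int = 0) -> Dict[str, str]:
    """Stage 1: one adversarial variant per perturbation type, reproducible via the seed."""
    rng = random.Random(seed)
    return {name: fn(q, rng) for name, fn in PERTURBATIONS.items()}

# Constructed evaluation set: (clean question, expected answer).
DATASET: List[Tuple[str, str]] = [
    ("Tom is 6 times as old as Ann. Ann is 5. How old is Tom going to be?", "30"),
    ("A box holds 4 times as many pens as a cup. The cup has 7. How many pens are there?", "28"),
    ("Lee has 3 times as many coins as Kim. Kim has 9. How many coins belong to Lee?", "27"),
]

def standin_model(prompt: str) -> str:
    """Offline stand-in for an LLM: multiply the first 'N times' factor by the next number.
    Brittle on purpose so perturbations show up in the report; swap in a real model client."""
    m = re.search(r"(\d+)\s+times\b", prompt, re.IGNORECASE)
    later = re.findall(r"\d+", prompt[m.end():]) if m else []
    return str(int(m.group(1)) * int(later[0])) if later else "unknown"

def accuracy(model: Callable[[str], str], items: List[Tuple[str, str]]) -> float:
    """Exact-match accuracy after NFKC-normalising and stripping non-word characters."""
    norm = lambda s: re.sub(r"\W", "", unicodedata.normalize("NFKC", s)).lower()
    return sum(norm(model(q)) == norm(a) for q, a in items) / len(items)

def robustness_report(model, dataset=DATASET, instruction="", seed=0) -> Dict[str, float]:
    """Stage 3: accuracy on clean input and on each perturbation type, with the stage-2
    guidance `instruction` (if any) prepended to every prompt."""
    def wrapped(q: str) -> str:
        return model(f"{instruction}\n\n{q}" if instruction else q)
    variants = [perturb_all(q, seed + i) for i, (q, _) in enumerate(dataset)]
    report = {"clean": accuracy(wrapped, dataset)}
    for name in PERTURBATIONS:
        report[name] = accuracy(wrapped, [(v[name], a) for v, (_, a) in zip(variants, dataset)])
    return report

def degradation(report: Dict[str, float]) -> Dict[str, float]:
    """Accuracy lost per perturbation type relative to clean input (what stage 4 ranks)."""
    return {k: round(report["clean"] - v, 3) for k, v in report.items() if k != "clean"}
```

Calling `robustness_report(standin_model)` gives clean accuracy 1.0 and a per-type breakdown. With this stand-in, HW never hurts because homophones touch neither the digits nor the word "times", while EC, SC, WOO and UIC reduce accuracy whenever the perturbation lands on the "N times" phrase or injects a competing factor; that per-type view is exactly what the evaluation stage is meant to expose before any instruction candidates are compared.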

Section 05

Technical Contributions and Value

The core contribution is a lightweight robustness enhancement method, with advantages including:

  • Plug-and-play: No need to modify model weights; just optimize input prompts;
  • Low cost: Avoids expensive retraining, suitable for rapid deployment;
  • High interpretability: Correction instructions are readable, easy to understand and debug;
  • Good generality: Does not depend on specific model architectures, can be migrated to different LLMs.

Section 06

Application Scenarios

The method is applicable to:

  1. Post-processing for speech recognition: correcting the homophone and character-level errors that speech-to-text produces;
  2. User input processing: tolerating spelling errors and non-standard word order from end users;
  3. Safety-critical systems: domains such as finance and healthcare, where outputs must remain stable under malicious perturbation.

Section 07

Limitations and Outlook

Current limitations: the work covers only text-level perturbations; its defense against semantic-level attacks (logical confusion, context manipulation) remains to be verified; and the quality of the APE-generated instructions depends on the capabilities of the base model, so smaller models benefit less. Future directions: extend to multimodal robustness; combine adversarial training with prompt engineering; establish standardized evaluation benchmarks.


Section 08

Project Summary

This project provides valuable ideas for improving the practical safety of LLMs. Through systematic perturbation definitions and automated prompt optimization, it demonstrates the possibility of enhancing robustness without modifying the model, contributing new tools and methods to the field of AI safety.