## Bar Chart: Attack Success Rate (ASR) Comparison ### Overview The image is a bar chart comparing the attack success rate (ASR) of five different AI protection systems against various types of adversarial attacks. The chart is organized into a 2x6 grid, with each subplot representing a different attack type. The y-axis represents the attack success rate (ASR), ranging from 0.0 to 1.0. The x-axis is categorical, representing the five AI protection systems. ### Components/Axes * **Title:** Attack Success Rate (ASR) * **Y-axis:** Attack Success Rate (ASR), ranging from 0.0 to 1.0 in increments of 0.2. * **X-axis:** Categorical, with each subplot representing a different attack type: * Deletion Characters * Diacritics * Emoji Smuggling * Full Width Text * Homoglyphs * Numbers * Bidirectional Text * Spaces * Underline Accent Marks * Unicode Tags Smuggling * Upside Down Text * Zero Width * **Legend:** Located at the bottom of the chart, the legend identifies the five AI protection systems: * Azure Prompt Shield (Teal) * Protect AI v1 (Light Blue) * Meta Prompt Guard (Light Green) * Vijil Prompt Injection (Yellow) * Protect AI v2 (Pink) ### Detailed Analysis **1. Deletion Characters** * Azure Prompt Shield (Teal): ASR ~0.5 * Protect AI v1 (Light Blue): ASR ~0.75 * Meta Prompt Guard (Light Green): ASR ~0.0 * Vijil Prompt Injection (Yellow): ASR ~0.0 * Protect AI v2 (Pink): ASR ~0.1 **2. Diacritics** * Azure Prompt Shield (Teal): ASR ~0.4 * Protect AI v1 (Light Blue): ASR ~0.85 * Meta Prompt Guard (Light Green): ASR ~0.95 * Vijil Prompt Injection (Yellow): ASR ~0.95 * Protect AI v2 (Pink): ASR ~0.0 **3. Emoji Smuggling** * Azure Prompt Shield (Teal): ASR ~0.95 * Protect AI v1 (Light Blue): ASR ~0.95 * Meta Prompt Guard (Light Green): ASR ~0.95 * Vijil Prompt Injection (Yellow): ASR ~0.95 * Protect AI v2 (Pink): ASR ~0.95 **4. Full Width Text** * Azure Prompt Shield (Teal): ASR ~0.55 * Protect AI v1 (Light Blue): ASR ~0.75 * Meta Prompt Guard (Light Green): ASR ~0.0 * Vijil Prompt Injection (Yellow): ASR ~1.0 * Protect AI v2 (Pink): ASR ~0.1 **5. Homoglyphs** * Azure Prompt Shield (Teal): ASR ~0.95 * Protect AI v1 (Light Blue): ASR ~0.9 * Meta Prompt Guard (Light Green): ASR ~0.55 * Vijil Prompt Injection (Yellow): ASR ~0.6 * Protect AI v2 (Pink): ASR ~0.0 **6. Numbers** * Azure Prompt Shield (Teal): ASR ~0.95 * Protect AI v1 (Light Blue): ASR ~0.95 * Meta Prompt Guard (Light Green): ASR ~0.95 * Vijil Prompt Injection (Yellow): ASR ~0.95 * Protect AI v2 (Pink): ASR ~0.1 **7. Bidirectional Text** * Azure Prompt Shield (Teal): ASR ~1.0 * Protect AI v1 (Light Blue): ASR ~0.95 * Meta Prompt Guard (Light Green): ASR ~1.0 * Vijil Prompt Injection (Yellow): ASR ~1.0 * Protect AI v2 (Pink): ASR ~0.0 **8. Spaces** * Azure Prompt Shield (Teal): ASR ~0.85 * Protect AI v1 (Light Blue): ASR ~0.1 * Meta Prompt Guard (Light Green): ASR ~1.0 * Vijil Prompt Injection (Yellow): ASR ~1.0 * Protect AI v2 (Pink): ASR ~0.0 **9. Underline Accent Marks** * Azure Prompt Shield (Teal): ASR ~0.95 * Protect AI v1 (Light Blue): ASR ~0.95 * Meta Prompt Guard (Light Green): ASR ~0.0 * Vijil Prompt Injection (Yellow): ASR ~1.0 * Protect AI v2 (Pink): ASR ~0.0 **10. Unicode Tags Smuggling** * Azure Prompt Shield (Teal): ASR ~0.5 * Protect AI v1 (Light Blue): ASR ~0.75 * Meta Prompt Guard (Light Green): ASR ~0.95 * Vijil Prompt Injection (Yellow): ASR ~0.95 * Protect AI v2 (Pink): ASR ~0.95 **11. Upside Down Text** * Azure Prompt Shield (Teal): ASR ~0.2 * Protect AI v1 (Light Blue): ASR ~0.95 * Meta Prompt Guard (Light Green): ASR ~1.0 * Vijil Prompt Injection (Yellow): ASR ~1.0 * Protect AI v2 (Pink): ASR ~0.0 **12. Zero Width** * Azure Prompt Shield (Teal): ASR ~0.85 * Protect AI v1 (Light Blue): ASR ~0.1 * Meta Prompt Guard (Light Green): ASR ~1.0 * Vijil Prompt Injection (Yellow): ASR ~1.0 * Protect AI v2 (Pink): ASR ~0.0 ### Key Observations * Meta Prompt Guard and Vijil Prompt Injection consistently show high attack success rates (ASR close to 1.0) across many attack types. * Protect AI v2 generally has a low attack success rate (ASR close to 0.0) across most attack types, except for Emoji Smuggling and Unicode Tags Smuggling. * Azure Prompt Shield and Protect AI v1 show varying levels of success depending on the attack type. ### Interpretation The bar chart provides a comparative analysis of the effectiveness of five AI protection systems against different adversarial attack methods. The data suggests that Meta Prompt Guard and Vijil Prompt Injection are more vulnerable to these attacks, as they consistently exhibit high attack success rates. Protect AI v2 appears to be more robust against most attacks, except for Emoji Smuggling and Unicode Tags Smuggling. Azure Prompt Shield and Protect AI v1 demonstrate varying degrees of vulnerability depending on the specific attack type. The chart highlights the importance of considering a diverse range of attack vectors when evaluating the security of AI systems. It also suggests that different protection mechanisms may be more effective against certain types of attacks than others. The low performance of Protect AI v2 against Emoji Smuggling and Unicode Tags Smuggling indicates a potential weakness in handling these specific types of input manipulation.

\n ## Bar Chart: Attack Success Rate (ASR) by Prompt Injection Technique and Security System ### Overview This bar chart compares the Attack Success Rate (ASR) of various prompt injection techniques against five different security systems: Azure Prompt Shield, Protect AI v1, Meta Prompt Guard, Vijil Prompt Injection, and Protect AI v2. The chart is divided into two rows, displaying six prompt injection techniques in the top row and six in the bottom row. The Y-axis represents the ASR, ranging from 0.0 to 1.0. ### Components/Axes * **X-axis:** Prompt Injection Technique (Deletion Characters, Diacritics, Emoji Smuggling, Full Width Text, Homoglyphs, Numbers, Bidirectional Text, Spaces, Underline Accent Marks, Unicode Tags Smuggling, Upside Down Text, Zero Width) * **Y-axis:** Attack Success Rate (ASR) - Scale from 0.0 to 1.0 * **Legend:** * Azure Prompt Shield (Light Blue) * Protect AI v1 (Medium Blue) * Meta Prompt Guard (Green) * Vijil Prompt Injection (Yellow) * Protect AI v2 (Pink) ### Detailed Analysis **Top Row:** * **Deletion Characters:** Azure Prompt Shield shows an ASR of approximately 0.72. Protect AI v1 is around 0.52. Meta Prompt Guard is approximately 0.92. Vijil Prompt Injection is around 0.62. Protect AI v2 is approximately 0.12. * **Diacritics:** Azure Prompt Shield shows an ASR of approximately 0.92. Protect AI v1 is around 0.52. Meta Prompt Guard is approximately 0.96. Vijil Prompt Injection is around 0.62. Protect AI v2 is approximately 0.12. * **Emoji Smuggling:** Azure Prompt Shield shows an ASR of approximately 0.84. Protect AI v1 is around 0.52. Meta Prompt Guard is approximately 0.96. Vijil Prompt Injection is around 0.62. Protect AI v2 is approximately 0.12. * **Full Width Text:** Azure Prompt Shield shows an ASR of approximately 0.76. Protect AI v1 is around 0.52. Meta Prompt Guard is approximately 0.84. Vijil Prompt Injection is around 0.62. Protect AI v2 is approximately 0.12. * **Homoglyphs:** Azure Prompt Shield shows an ASR of approximately 0.88. Protect AI v1 is around 0.52. Meta Prompt Guard is approximately 0.96. Vijil Prompt Injection is around 0.62. Protect AI v2 is approximately 0.12. * **Numbers:** Azure Prompt Shield shows an ASR of approximately 0.96. Protect AI v1 is around 0.52. Meta Prompt Guard is approximately 0.96. Vijil Prompt Injection is around 0.62. Protect AI v2 is approximately 0.12. **Bottom Row:** * **Bidirectional Text:** Azure Prompt Shield shows an ASR of approximately 0.76. Protect AI v1 is around 0.84. Meta Prompt Guard is approximately 0.48. Vijil Prompt Injection is around 0.62. Protect AI v2 is approximately 0.12. * **Spaces:** Azure Prompt Shield shows an ASR of approximately 0.88. Protect AI v1 is around 0.84. Meta Prompt Guard is approximately 0.48. Vijil Prompt Injection is around 0.62. Protect AI v2 is approximately 0.12. * **Underline Accent Marks:** Azure Prompt Shield shows an ASR of approximately 0.84. Protect AI v1 is around 0.84. Meta Prompt Guard is approximately 0.92. Vijil Prompt Injection is around 0.62. Protect AI v2 is approximately 0.12. * **Unicode Tags Smuggling:** Azure Prompt Shield shows an ASR of approximately 0.72. Protect AI v1 is around 0.84. Meta Prompt Guard is approximately 0.48. Vijil Prompt Injection is around 0.62. Protect AI v2 is approximately 0.12. * **Upside Down Text:** Azure Prompt Shield shows an ASR of approximately 0.84. Protect AI v1 is around 0.84. Meta Prompt Guard is approximately 0.84. Vijil Prompt Injection is around 0.62. Protect AI v2 is approximately 0.12. * **Zero Width:** Azure Prompt Shield shows an ASR of approximately 0.76. Protect AI v1 is around 0.84. Meta Prompt Guard is approximately 0.88. Vijil Prompt Injection is around 0.62. Protect AI v2 is approximately 0.12. ### Key Observations * Protect AI v2 consistently demonstrates the lowest ASR across all prompt injection techniques, often near 0.12. * Meta Prompt Guard generally has high ASRs, frequently exceeding 0.9, except for Bidirectional Text, Spaces, Unicode Tags Smuggling, and Upside Down Text where it is around 0.48-0.92. * Azure Prompt Shield and Protect AI v1 show moderate ASRs, generally between 0.52 and 0.96. * Vijil Prompt Injection consistently shows an ASR around 0.62 across all techniques. * The ASR varies significantly depending on the prompt injection technique used. ### Interpretation The data suggests that Protect AI v2 is the most effective security system at mitigating prompt injection attacks across a wide range of techniques. Meta Prompt Guard is effective against most techniques, but shows vulnerabilities to Bidirectional Text, Spaces, Unicode Tags Smuggling, and Upside Down Text. Azure Prompt Shield and Protect AI v1 offer moderate protection, while Vijil Prompt Injection provides a relatively consistent, but moderate, level of defense. The variation in ASR based on the injection technique indicates that different techniques exploit different vulnerabilities in the security systems. For example, the high ASR for Diacritics and Homoglyphs against Azure Prompt Shield and Protect AI v1 suggests these systems struggle with character-level manipulations. The lower ASR for Bidirectional Text against Meta Prompt Guard suggests it has specific defenses against this type of attack. This data is valuable for security professionals to understand the strengths and weaknesses of different prompt injection defenses and to prioritize mitigation efforts based on the most likely attack vectors. The consistent performance of Protect AI v2 suggests it may be a strong candidate for deployment in environments where prompt injection is a significant concern.

## Grouped Bar Chart: Attack Success Rate (ASR) by Prompt Injection Attack Type and Defense Mechanism ### Overview The image displays a 2x6 grid of grouped bar charts. Each subplot represents a specific text-based prompt injection attack technique. Within each subplot, the performance of five different AI security defense mechanisms is compared based on their Attack Success Rate (ASR). The ASR is a metric where a higher value indicates the attack was more successful against the defense, implying the defense was less effective. ### Components/Axes * **Y-Axis (Common to all subplots):** Labeled "Attack Success Rate (ASR)". The scale runs from 0.0 to 1.0, with major gridlines at intervals of 0.2. * **X-Axis (Per subplot):** The categorical variable is the defense mechanism, represented by colored bars. The specific defense names are not labeled on the x-axis but are defined in the legend. * **Legend:** Located at the bottom center of the entire figure. It maps colors to defense mechanisms: * **Teal/Green:** Azure Prompt Shield * **Blue-Grey:** Protect AI v1 * **Light Green:** Meta Prompt Guard * **Yellow:** Vijil Prompt Injection * **Pink:** Protect AI v2 * **Subplot Titles (Attack Types):** Each of the 12 subplots has a title at the top: 1. Deletion Characters 2. Diacritics 3. Emoji Smuggling 4. Full Width Text 5. Homoglyphs 6. Numbers 7. Bidirectional Text 8. Spaces 9. Underline Accent Marks 10. Unicode Tags Smuggling 11. Upside Down Text 12. Zero Width ### Detailed Analysis Below is the approximate ASR for each defense mechanism (color) within each attack type subplot. Values are estimated from bar height relative to the y-axis gridlines. **Top Row (Left to Right):** 1. **Deletion Characters:** * Azure Prompt Shield: ~0.5 * Protect AI v1: ~0.72 * Meta Prompt Guard: ~0.0 (bar not visible) * Vijil Prompt Injection: ~0.0 (bar not visible) * Protect AI v2: ~0.12 2. **Diacritics:** * Azure Prompt Shield: ~0.38 * Protect AI v1: ~0.86 * Meta Prompt Guard: ~0.93 * Vijil Prompt Injection: ~1.0 * Protect AI v2: ~0.0 (bar not visible) 3. **Emoji Smuggling:** * Azure Prompt Shield: ~1.0 * Protect AI v1: ~1.0 * Meta Prompt Guard: ~1.0 * Vijil Prompt Injection: ~1.0 * Protect AI v2: ~1.0 4. **Full Width Text:** * Azure Prompt Shield: ~0.5 * Protect AI v1: ~0.73 * Meta Prompt Guard: ~0.0 (bar not visible) * Vijil Prompt Injection: ~1.0 * Protect AI v2: ~0.17 5. **Homoglyphs:** * Azure Prompt Shield: ~1.0 * Protect AI v1: ~0.92 * Meta Prompt Guard: ~0.49 * Vijil Prompt Injection: ~0.59 * Protect AI v2: ~0.0 (bar not visible) 6. **Numbers:** * Azure Prompt Shield: ~0.99 * Protect AI v1: ~0.94 * Meta Prompt Guard: ~1.0 * Vijil Prompt Injection: ~1.0 * Protect AI v2: ~0.13 **Bottom Row (Left to Right):** 7. **Bidirectional Text:** * Azure Prompt Shield: ~1.0 * Protect AI v1: ~0.93 * Meta Prompt Guard: ~1.0 * Vijil Prompt Injection: ~1.0 * Protect AI v2: ~0.0 (bar not visible) 8. **Spaces:** * Azure Prompt Shield: ~0.83 * Protect AI v1: ~0.09 * Meta Prompt Guard: ~1.0 * Vijil Prompt Injection: ~1.0 * Protect AI v2: ~0.0 (bar not visible) 9. **Underline Accent Marks:** * Azure Prompt Shield: ~0.93 * Protect AI v1: ~0.98 * Meta Prompt Guard: ~0.03 * Vijil Prompt Injection: ~1.0 * Protect AI v2: ~0.0 (bar not visible) 10. **Unicode Tags Smuggling:** * Azure Prompt Shield: ~0.5 * Protect AI v1: ~1.0 * Meta Prompt Guard: ~1.0 * Vijil Prompt Injection: ~1.0 * Protect AI v2: ~1.0 11. **Upside Down Text:** * Azure Prompt Shield: ~0.17 * Protect AI v1: ~1.0 * Meta Prompt Guard: ~1.0 * Vijil Prompt Injection: ~1.0 * Protect AI v2: ~0.0 (bar not visible) 12. **Zero Width:** * Azure Prompt Shield: ~0.83 * Protect AI v1: ~0.09 * Meta Prompt Guard: ~1.0 * Vijil Prompt Injection: ~0.97 * Protect AI v2: ~0.0 (bar not visible) ### Key Observations * **Universal Vulnerability:** The "Emoji Smuggling" attack achieves a perfect or near-perfect ASR of ~1.0 against all five tested defenses. * **Defense-Specific Strengths:** * **Protect AI v2 (Pink)** shows very low ASR (often ~0.0 or <0.2) against most attacks, with the notable exceptions of "Emoji Smuggling" and "Unicode Tags Smuggling" where it fails completely (ASR ~1.0). * **Meta Prompt Guard (Light Green)** is highly effective (ASR ~0.0) against "Deletion Characters", "Full Width Text", "Underline Accent Marks", and "Spaces", but is completely bypassed (ASR ~1.0) by "Bidirectional Text", "Numbers", "Spaces" (contradictory), "Unicode Tags Smuggling", "Upside Down Text", and "Zero Width". * **Azure Prompt Shield (Teal)** has mixed results, performing best against "Upside Down Text" (~0.17) but failing against "Bidirectional Text", "Emoji Smuggling", "Homoglyphs", and "Numbers" (all ~1.0). * **Attack Effectiveness:** "Bidirectional Text", "Emoji Smuggling", "Numbers", and "Unicode Tags Smuggling" are highly effective, achieving ASR ~1.0 against 4 out of 5 defenses in most cases. * **Notable Anomaly:** The "Spaces" attack shows a drastic difference in effectiveness: it is highly successful against Azure, Meta, and Vijil defenses (ASR >0.8) but almost completely ineffective against Protect AI v1 (ASR ~0.09). ### Interpretation This chart provides a comparative security analysis of different AI prompt injection attack vectors and defense mechanisms. The data suggests that: 1. **No Universal Defense:** No single defense mechanism is robust against all tested attack types. Each has specific vulnerabilities. Protect AI v2 appears the most resilient overall but has critical failures against specific, sophisticated encoding-based attacks (Emoji, Unicode Tags). 2. **Attack Sophistication Matters:** Attacks that exploit Unicode encoding, bidirectional text, or invisible characters (Zero Width) are generally more successful than simpler character manipulations. The perfect score for "Emoji Smuggling" across the board indicates it is a particularly potent and difficult-to-defend-against technique. 3. **Defense Specialization:** The stark contrasts in performance (e.g., Meta Prompt Guard's perfect defense vs. perfect failure on different attacks) imply that these defenses likely use different underlying methodologies—some may focus on pattern matching for specific character sets, while others might analyze semantic meaning, leading to blind spots. 4. **Practical Implication:** For a system designer, this chart argues for a **layered defense strategy**. Relying on a single vendor's solution (e.g., only using Azure Prompt Shield) would leave the system vulnerable to numerous attack vectors. Combining defenses that have complementary strengths (e.g., one strong against encoding attacks, another against structural text attacks) would provide more comprehensive protection. The investigation reveals an ongoing "arms race" in AI security, where new attack methods constantly probe for weaknesses in defense systems, and no solution is yet foolproof.

## Bar Chart: Attack Success Rate (ASR) Across Text Manipulation Techniques ### Overview The chart compares the effectiveness of five text manipulation detection methods (Azure Prompt Shield, Protect AI v1, Meta Prompt Guard, Vijil Prompt Injection, Protect AI v2) across 10 categories of adversarial text modifications. Attack Success Rate (ASR) is measured on a 0-1 scale, with higher values indicating greater vulnerability to attacks. ### Components/Axes - **X-axis**: Categories of text manipulation techniques (Bidirectional Text, Spaces, Emoji Smuggling, Full Width Text, Homoglyphs, Numbers, Underline Accent Marks, Unicode Tags Smuggling, Upside Down Text, Zero Width) - **Y-axis**: Attack Success Rate (ASR) from 0.0 to 1.0 - **Legend**: Located at the bottom, color-coded for five methods: - Azure Prompt Shield (teal) - Protect AI v1 (blue) - Meta Prompt Guard (green) - Vijil Prompt Injection (yellow) - Protect AI v2 (pink) ### Detailed Analysis 1. **Bidirectional Text** - Azure Prompt Shield: ~0.5 - Protect AI v1: ~0.7 - Meta Prompt Guard: ~0.9 - Vijil Prompt Injection: ~0.95 - Protect AI v2: ~0.1 2. **Spaces** - Azure Prompt Shield: ~0.8 - Protect AI v1: ~0.1 - Meta Prompt Guard: ~1.0 - Vijil Prompt Injection: ~1.0 - Protect AI v2: ~1.0 3. **Emoji Smuggling** - Azure Prompt Shield: ~1.0 - Protect AI v1: ~1.0 - Meta Prompt Guard: ~1.0 - Vijil Prompt Injection: ~1.0 - Protect AI v2: ~1.0 4. **Full Width Text** - Azure Prompt Shield: ~0.5 - Protect AI v1: ~0.7 - Meta Prompt Guard: ~1.0 - Vijil Prompt Injection: ~1.0 - Protect AI v2: ~0.2 5. **Homoglyphs** - Azure Prompt Shield: ~1.0 - Protect AI v1: ~0.9 - Meta Prompt Guard: ~0.5 - Vijil Prompt Injection: ~0.6 - Protect AI v2: ~1.0 6. **Numbers** - Azure Prompt Shield: ~0.9 - Protect AI v1: ~0.9 - Meta Prompt Guard: ~1.0 - Vijil Prompt Injection: ~1.0 - Protect AI v2: ~0.1 7. **Underline Accent Marks** - Azure Prompt Shield: ~0.9 - Protect AI v1: ~1.0 - Meta Prompt Guard: ~0.1 - Vijil Prompt Injection: ~1.0 - Protect AI v2: ~1.0 8. **Unicode Tags Smuggling** - Azure Prompt Shield: ~0.5 - Protect AI v1: ~0.9 - Meta Prompt Guard: ~1.0 - Vijil Prompt Injection: ~1.0 - Protect AI v2: ~1.0 9. **Upside Down Text** - Azure Prompt Shield: ~0.2 - Protect AI v1: ~0.9 - Meta Prompt Guard: ~1.0 - Vijil Prompt Injection: ~1.0 - Protect AI v2: ~1.0 10. **Zero Width** - Azure Prompt Shield: ~0.8 - Protect AI v1: ~0.1 - Meta Prompt Guard: ~1.0 - Vijil Prompt Injection: ~0.95 - Protect AI v2: ~0.1 ### Key Observations - **Vijil Prompt Injection** consistently shows the highest ASR across most categories (~0.9-1.0), indicating it is the most vulnerable to attacks. - **Protect AI v2** (pink) has the lowest ASR in most categories (~0.1-0.2), suggesting superior robustness. - **Meta Prompt Guard** (green) performs well in Spaces, Emoji Smuggling, and Numbers but struggles with Homoglyphs (~0.5) and Underline Accent Marks (~0.1). - **Azure Prompt Shield** (teal) shows moderate performance (~0.5-0.9) but fails in Full Width Text (~0.5) and Upside Down Text (~0.2). - **Protect AI v1** (blue) has mixed results, excelling in Bidirectional Text (~0.7) but underperforming in Spaces (~0.1) and Zero Width (~0.1). ### Interpretation The data suggests that **Protect AI v2** is the most effective method for detecting adversarial text manipulations, likely due to its consistent low ASR across categories. **Vijil Prompt Injection** appears to be the least robust, with near-perfect ASR in most scenarios. The chart highlights trade-offs between methods: while some excel in specific attack types (e.g., Meta Prompt Guard in Spaces), others offer broader protection. The stark contrast between Protect AI v2 and other methods implies potential architectural or algorithmic advantages in its design. Notably, **Emoji Smuggling** and **Zero Width** manipulations universally bypass all methods except Protect AI v2, indicating these techniques may represent novel or particularly challenging attack vectors.