## Bar Chart: Attack Success Rate (ASR) Comparison Across Defense Mechanisms ### Overview The image displays a grid of eight bar charts, each comparing the performance of five different defense mechanisms against a specific adversarial text attack method. The primary metric is the Attack Success Rate (ASR), where a lower value indicates a more effective defense. The charts are arranged in two rows of four. ### Components/Axes * **Y-Axis (Common to all charts):** Labeled "Attack Success Rate (ASR)". The scale runs from 0.0 to 1.0, with major gridlines at intervals of 0.2. * **X-Axis (Per chart):** Represents the five defense mechanisms, identified by color. The specific defense names are not labeled on the x-axis but are defined in the legend. * **Legend:** Located at the bottom of the entire figure. It maps colors to defense mechanism names: * **Teal/Green:** Azure Prompt Shield * **Blue:** Protect AI v1 * **Light Green:** Meta Prompt Guard * **Yellow:** Vijil Prompt Injection * **Pink:** Protect AI v2 * **Subplot Titles (Attack Methods):** Each of the eight charts is titled with the name of the adversarial attack method it represents: * Top Row (Left to Right): BAE, Bert-Attack, Deep Word Bug, Alzantot * Bottom Row (Left to Right): Pruthi, PWWS, TextBugger, TextFooler ### Detailed Analysis Below is the approximate ASR for each defense mechanism against each attack, derived from visual inspection of the bar heights. Values are approximate. **1. BAE Attack:** * Azure Prompt Shield: ~0.63 * Protect AI v1: ~0.93 * Meta Prompt Guard: ~0.07 * Vijil Prompt Injection: ~0.27 * Protect AI v2: ~0.71 **2. Bert-Attack:** * Azure Prompt Shield: ~0.65 * Protect AI v1: ~1.00 (appears to be at or near the maximum) * Meta Prompt Guard: ~0.02 * Vijil Prompt Injection: ~0.32 * Protect AI v2: ~0.88 **3. Deep Word Bug:** * Azure Prompt Shield: ~0.64 * Protect AI v1: ~0.98 * Meta Prompt Guard: ~0.04 * Vijil Prompt Injection: ~0.05 * Protect AI v2: ~0.66 **4. Alzantot:** * Azure Prompt Shield: ~0.62 * Protect AI v1: ~0.97 * Meta Prompt Guard: ~0.00 (bar is not visible, suggesting ASR ≈ 0) * Vijil Prompt Injection: ~0.04 * Protect AI v2: ~0.53 **5. Pruthi:** * Azure Prompt Shield: ~0.62 * Protect AI v1: ~0.82 * Meta Prompt Guard: ~0.00 (bar is not visible) * Vijil Prompt Injection: ~0.01 * Protect AI v2: ~0.45 **6. PWWS:** * Azure Prompt Shield: ~0.61 * Protect AI v1: ~1.00 (appears to be at or near the maximum) * Meta Prompt Guard: ~0.02 * Vijil Prompt Injection: ~0.16 * Protect AI v2: ~0.73 **7. TextBugger:** * Azure Prompt Shield: ~0.70 * Protect AI v1: ~0.94 * Meta Prompt Guard: ~0.00 (bar is not visible) * Vijil Prompt Injection: ~0.03 * Protect AI v2: ~0.61 **8. TextFooler:** * Azure Prompt Shield: ~0.63 * Protect AI v1: ~0.99 * Meta Prompt Guard: ~0.05 * Vijil Prompt Injection: ~0.29 * Protect AI v2: ~0.85 ### Key Observations 1. **Consistently High ASR:** The "Protect AI v1" defense (blue bar) shows the highest or near-highest ASR across all eight attack methods, frequently reaching or exceeding 0.95. 2. **Consistently Low ASR:** The "Meta Prompt Guard" defense (light green bar) demonstrates the lowest ASR in every chart, often at or near 0.0. It appears completely ineffective against Alzantot, Pruthi, and TextBugger (ASR ≈ 0). 3. **Variable Performance:** "Protect AI v2" (pink bar) shows significant variance, with ASR ranging from a low of ~0.45 (Pruthi) to a high of ~0.88 (Bert-Attack). 4. **Moderate, Stable Performance:** "Azure Prompt Shield" (teal bar) maintains a relatively stable ASR between approximately 0.61 and 0.70 across all attacks. 5. **Low to Moderate Performance:** "Vijil Prompt Injection" (yellow bar) generally has a low ASR, but shows notable spikes against BAE (~0.27), Bert-Attack (~0.32), and TextFooler (~0.29). ### Interpretation This chart provides a comparative evaluation of five AI prompt defense mechanisms against eight common adversarial text attack algorithms. The data suggests a clear hierarchy of effectiveness under the tested conditions: * **Meta Prompt Guard** is the most robust defense, consistently preventing attacks with near-zero success rates. This implies it is highly effective at neutralizing the specific perturbations introduced by these attack methods. * **Protect AI v1** is the least effective defense in this comparison, as it allows attacks to succeed at an extremely high rate (often >90%) across the board. This indicates a significant vulnerability to these adversarial techniques. * The performance of **Protect AI v2** is inconsistent. While it offers a substantial improvement over v1 in some cases (e.g., Pruthi, Alzantot), it remains vulnerable to others (e.g., Bert-Attack, TextFooler). This suggests its effectiveness is highly dependent on the specific attack vector. * **Azure Prompt Shield** provides a middle-ground, predictable level of defense. It does not achieve the near-perfect block rate of Meta Prompt Guard but offers reliable, moderate protection against all tested attacks. * **Vijil Prompt Injection**'s performance is also variable but generally leans towards effectiveness, with a few notable exceptions where its ASR increases. **Overall Implication:** The choice of defense mechanism is critical and should be informed by the expected threat model. For maximum security against a broad range of text attacks, Meta Prompt Guard appears superior. The stark contrast between Protect AI v1 and v2 highlights the importance of version updates and iterative improvement in defensive AI tools. The consistent performance of Azure Prompt Shield may make it a reliable choice for scenarios requiring predictable, baseline protection.