PromptShield defends logs

Large language models are starting to read cloud audit logs for security teams, and University of Arizona researchers say a new filter called PromptShield can keep those systems from obeying malicious instructions hidden in the data. (arxiv.org) The paper, posted to arXiv on April 5, 2026, comes from Dalal Alharthi and Ivan Roberto Kawaminami Garcia and tests PromptShield with Amazon Web Services log data and Microsoft Azure datasets. (arxiv.org) (arizona.edu) Cloud logs are the machine records that show who called which service and when; Amazon Web Services says CloudTrail records account activity for auditing, security monitoring, and troubleshooting. (aws.amazon.com) (docs.aws.amazon.com) Prompt injection is the trick these systems have to survive: the Open Worldwide Application Security Project says attackers can hide instructions in inputs so a model changes its behavior in unintended ways. (genai.owasp.org) (owasp.org) The Arizona team’s answer is to validate prompts against an ontology, a structured map of allowed concepts and relationships, before the model analyzes the logs. The paper says that process standardizes user input and blocks manipulative instructions from steering the model off task. (arxiv.org) In the paper’s experiments, PromptShield kept precision, recall, and F1 above 93 percent under attack conditions. The authors also report that systems without that semantic validation saw classification performance collapse during prompt-injection attacks. (arxiv.org) The same paper pairs PromptShield with a second system called the Cloud Investigation Automation Framework, which uses structured reasoning across six stages of a forensic investigation. The authors say that combination is meant to make automated log analysis both harder to manipulate and easier to use in incident response. (arxiv.org) That focus lands as prompt injection has moved from a chatbot nuisance to a security design problem for enterprise tools. The 2025 Open Worldwide Application Security Project Top 10 for large language model applications lists prompt injection as LLM01 and warns that crafted inputs can lead to unauthorized access, data leaks, and compromised decisions. (owasp.org) The paper is still a preprint, not a peer-reviewed conference publication, and arXiv attaches an admin note saying it has substantial text overlap with arXiv:2510.00452. That means the results are public and citable, but still early. (arxiv.org) For security teams experimenting with language models on audit trails, the Arizona paper argues for a simple rule: treat the logs as evidence, and treat the model as something that also needs guarding. (arxiv.org)