al-ice.ai

arXiv — Poisoning the Watchtower: Log-Substrate Prompt Injection in SOC Tools (2605.24421)

Research by al-ice.ai Editorial

AI relevance: LLM-powered SOC analyst assistants ingest raw log data that attackers fully control — HTTP URIs, user agents, DNS queries, and attempted usernames — making prompt injection via log content a structural failure mode for security operations tooling.

  • Researchers from Georgia Tech identify log-substrate prompt injection: a class of attacks where adversarial log fields carry instructions to the LLM alongside evidence of the intrusion itself.
  • Four-class taxonomy: direct override (S1), persona hijack (S2), context manipulation (S3), and obfuscated payloads (S4).
  • Evaluated 48 strategy-defense-task combinations using gpt-4o-mini as the SOC analyst model.
  • Key finding: direct overrides achieve 0% success, but persona hijacks suppress 68% of malicious logs under a naive classifier and remain effective under stronger defenses.
  • Summarization is the highest-risk task: context manipulation reaches 96% injection success without defenses and still 38% under constrained output.
  • Strongest defense reduces average success from 26.6% to 11.8% — attacks are mitigated but not eliminated.
  • Simulation with a deterministic mock analyst substantially mispredicts current model behavior, especially for direct overrides, suggesting empirical testing is essential.

Why it matters

As organizations deploy LLM-based analyst assistants for triage, summarization, and remediation advice, raw log content is treated as ordinary context rather than adversarial input. This paper demonstrates that the attack surface is real and non-trivial — especially for summarization tasks where injection success approaches certainty without defenses.

What to do

  • Treat raw log fields (user agents, URIs, DNS queries, payloads) as untrusted input in any LLM-powered SOC tooling.
  • Avoid using LLM summarization as the sole decision path for high-severity alert triage without additional guardrails.
  • Consider field-level sanitization or structured extraction before feeding log content to analyst assistants.
  • Test your SOC LLM pipeline against persona hijack and context manipulation payloads, not just direct overrides.

Sources: