New to ShortSpan? We distil the AI-security research that matters into practitioner takeaways — edited by Ben Williams (NCC Group). Get the weekly email
// Analysis

Poisoned logs steer LLMs in SOCs, study finds

Society
Poisoned logs steer LLMs in SOCs, study finds

New research shows Large Language Models (LLMs) used in Security Operations Centres can be steered by attacker-written text buried in logs. Using a 12,847-entry benchmark, attacks succeed up to 88.2% under baseline conditions. Fragmented payloads evade filters, and layered defences cut risk by 90.4% but leave 8.4% residual exposure.

Security teams are feeding logs straight into Large Language Models (LLMs) to speed triage and investigations. That pipeline quietly blends untrusted data with trusted instructions. A new study names the resulting failure mode passive prompt injection, or Context Contamination: attacker-written text in logs later acts as instructions when an analyst queries the model.

How the attack lands

The threat model is minimal. If an attacker can cause text to appear in log-generating fields and those entries are pulled into the same LLM context, the model will often obey the injected instructions. Using LogInject, a 12,847-entry benchmark with 2,569 adversarial samples, the authors test three production LLMs across four goals: hide activity, fabricate false positives, exfiltrate information, and hijack outputs. Under baseline conditions, attacks succeed up to 88.2%, averaging 83.4% across models. Concealment is easiest; exfiltration is harder but still often works.

What makes this more than a toy demo is scale and subtlety. Context Stitching splits a payload across multiple benign-looking log entries, then relies on long-context reasoning to reassemble it. Stateless ingestion pipelines do the attacker a favour by batching fragments together; success lands at 76.4%. Obfuscated encodings also work, exploiting how models normalise and decode text. Larger batches deepen a lost-in-the-middle effect that further erodes robustness.

Why defences struggle

The team trial a layered stack: input filtering, prompt hardening with spotlighting and explicit delimiters, and output validation using canaries and dual-LLM checks. Combined, these cut successful attacks by about 90.4%, but 8.4% still get through. Prompt hardening helps most, yet weakens as context windows and batch sizes grow. Defences also lift false positives and analyst overhead, and none fix the underlying absence of token-level provenance in transformer attention.

The consequences are not academic. With patient traffic, an attacker can hide intrusions, manufacture urgent incidents to burn responder time, leak internal prompts or tokens, and even seed hostile links into official reports. The paper frames this as a classic confused deputy: untrusted log text and trusted instructions compete for the same attention budget, and the model cannot tell which is which.

That design choice has policy weight. If SOC tooling treats logs as instructions, where is provenance, isolation, and audit? What standards constrain batch colocation and context mixing in security workflows? Who owns liability when automated analysis is steered by untrusted inputs? Benchmarks like LogInject make these questions concrete. The engineering is hard; the governance needs to catch up.

Additional analysis of the original ArXiv paper

📋 Original Paper Title and Abstract

Context Contamination in LLM Analysis of Network Security Logs: Poison with Passive Prompt Injection and Mitigation Evaluation

Authors: Rabimba Karanjai, Yang Lu, Hemanth Hegadehalli Madhavarao, Lei Xu, and Weidong Shi
Large Language Models are increasingly deployed in Security Operations Centers for log analysis tasks including summarization, alert triage, and threat investigation. These systems ingest logs from external-facing services and process network logs as natural language contexts to generate security insights. We demonstrate that this architectural pattern introduces a critical vulnerability: adversaries can embed prompt injection payloads in log-generating fields that persist in storage and are executed when analysts query the LLM, achieving what we term passive prompt injection. We present LogInject, a systematic framework for evaluating these threats. Using LogInject-1.0, a benchmark of 12,847 log entries including 2,569 adversarial samples, we evaluate three production LLMs across four attack objectives: activity concealment, false positive generation, information exfiltration, and output hijacking. Our findings reveal an up to 88.2% attack success rate (83.4% average across models) under the baseline conditions. We introduce Context Stitching, a novel technique that fragments payloads across multiple log entries to evade stateless filters while exploiting LLM long-context reasoning, achieving a 76.4% success rate. As mitigation, we evaluate layered defenses by combining input filtering, prompt hardening, and output validation, demonstrating a 90.4% attack reduction, although 8.4% residual vulnerability persists. Our results establish that LLM-based log analysis creates an inherent confused deputy vulnerability where untrusted data and trusted instructions compete indistinguishably for model attention, requiring defense in-depth architectures and continued human oversight for security-critical decisions.

🔍 ShortSpan Analysis of the Paper

Problem

This paper examines a critical vulnerability introduced when Security Operations Centers use Large Language Models to analyse network and application logs. Adversaries who can write text into log-generating fields may embed natural-language instructions that persist in storage and are later interpreted by an LLM during analyst queries. The authors call this passive prompt injection or Context Contamination. The threat can cause concealment of malicious activity, spurious high-priority alerts, leakage of sensitive prompts or tokens, and outright hijacking of LLM outputs, undermining automated triage and investigator trust.

Approach

The authors created LogInject, a reproducible evaluation framework and the LogInject-1.0 benchmark of 12,847 log entries, of which 2,569 are adversarial. They define a threat model requiring only that an attacker can cause text to appear in logs and that those logs are later retrieved into an LLM context window. They evaluate three production-grade LLMs (GPT-4o, Llama-3-70B-Instruct, Claude 3.5 Sonnet) across four attacker objectives: conceal, fabricate false positives, exfiltrate information, and instruct the model to produce attacker-chosen outputs. Attacks are organised into three sophistication levels: atomic single-entry payloads, fragmented payloads that are reassembled by the LLM (Context Stitching), and obfuscated encodings that exploit the model's normalisation and decoding behaviour. Defences tested include input filtering, prompt hardening using spotlighting and delimiters, and output validation including injected canaries and dual-LLM checks.

Key Findings

  • High baseline vulnerability: up to 88.2% attack success rate and an average 83.4% across models under baseline conditions with no defences.
  • Context Stitching is effective: fragmenting instructions across multiple benign-looking entries achieves a 76.4% success rate by exploiting long-context reasoning and stateless ingestion pipelines.
  • Attack success varies by objective: concealment is the easiest objective to achieve, while exfiltration is somewhat harder but still often successful.
  • Layered defences substantially reduce risk: combining input filtering, prompt hardening (spotlighting and explicit delimiters) and output validation reduces attacks by about 90.4%, lowering residual attack success to 8.4%, though some complex obfuscated attacks remain.
  • Defence trade-offs: prompt hardening is the single most effective technique but degrades as context windows grow; large batch sizes cause a "lost-in-the-middle" effect that raises susceptibility.

Limitations

The threat requires the attacker to inject log text and for those entries to be retrieved into the same inference batch, so fragment co-location and LLM context-window capacity are key assumptions. The benchmark uses synthetic and public-source logs and controlled test environments, not live production systems. Defences increase false positives and analyst overhead and do not eliminate the fundamental absence of per-token provenance in transformer attention.

Implications

Offensively, an attacker with the ability to generate benign-looking traffic can persistently poison a SOC's LLM-driven analysis pipeline to hide intrusions, trigger false incidents to exhaust responders, leak internal prompts or tokens, or inject phishing links into official reports. Context Stitching enables evasion of stateless filters by distributing payloads across many entries, making scalable automated attacks practical against systems that expose user-controlled fields in logs. These results underscore the need for defence-in-depth and continued human oversight for security-critical decisions.

// Similar research

Related Research

Get the weekly digest

The few AI-security papers that matter, with the practitioner takeaway. No spam.