![[2602.20708] ICON: Indirect Prompt Injection Defense for Agents based on Inference-Time Correction](https://arxiv.org/static/browse/0.3.4/images/arxiv-logo-fb.png){kind=logo}
[2602.20708] ICON: Indirect Prompt Injection Defense for Agents based on Inference-Time Correction
Summary
The paper introduces ICON, a novel framework designed to defend Large Language Model (LLM) agents against Indirect Prompt Injection (IPI) attacks, enhancing task continuity while maintaining security.
Why It Matters
As LLMs become increasingly integrated into various applications, ensuring their security against sophisticated attacks like IPI is crucial. ICON addresses the limitations of existing defenses, providing a more effective solution that balances security with operational efficiency, which is vital for developers and organizations relying on AI agents.
Key Takeaways
- ICON framework neutralizes IPI attacks while preserving task continuity.
- Introduces a Latent Space Trace Prober for attack detection.
- Achieves a competitive 0.4% attack success rate with over 50% task utility gain.
- Demonstrates robust generalization for out-of-distribution scenarios.
- Extends effectively to multi-modal agents, enhancing security and efficiency.
Computer Science > Artificial Intelligence arXiv:2602.20708 (cs) [Submitted on 24 Feb 2026] Title:ICON: Indirect Prompt Injection Defense for Agents based on Inference-Time Correction Authors:Che Wang, Fuyao Zhang, Jiaming Zhang, Ziqi Zhang, Yinghui Wang, Longtao Huang, Jianbo Gao, Zhong Chen, Wei Yang Bryan Lim View a PDF of the paper titled ICON: Indirect Prompt Injection Defense for Agents based on Inference-Time Correction, by Che Wang and 8 other authors View PDF HTML (experimental) Abstract:Large Language Model (LLM) agents are susceptible to Indirect Prompt Injection (IPI) attacks, where malicious instructions in retrieved content hijack the agent's execution. Existing defenses typically rely on strict filtering or refusal mechanisms, which suffer from a critical limitation: over-refusal, prematurely terminating valid agentic workflows. We propose ICON, a probing-to-mitigation framework that neutralizes attacks while preserving task continuity. Our key insight is that IPI attacks leave distinct over-focusing signatures in the latent space. We introduce a Latent Space Trace Prober to detect attacks based on high intensity scores. Subsequently, a Mitigating Rectifier performs surgical attention steering that selectively manipulate adversarial query key dependencies while amplifying task relevant elements to restore the LLM's functional trajectory. Extensive evaluations on multiple backbones show that ICON achieves a competitive 0.4% ASR, matching commercial grade dete...