This work addresses the vulnerability of retrieval-augmented generation (RAG) and tool-augmented large language models to malicious instructions embedded in external text, which can trigger harmful behaviors. Existing defense mechanisms suffer from poor generalization and susceptibility to optimization-based attacks. To overcome these limitations, the authors propose SONAR, a novel framework that integrates sentence-level relational graphs with natural language inference (NLI). By leveraging entailment and contradiction scores to detect malicious content and applying a connectivity-driven pruning strategy, SONAR achieves effective instruction sanitization without requiring any model retraining. Evaluated across multiple models and datasets, the method reduces attack success rates to near zero and substantially outperforms nine state-of-the-art baseline defenses.

Retrieval-augmented generation and tool-integrated LLM agents increasingly depend on external textual sources. This reliance broadens the available attack surface, allowing adversaries to insert malicious instructions that trigger unintended model behaviors. Current defensive measures often utilize LLM-based detectors to filter such content, but these approaches remain vulnerable to optimization-based attacks. Additionally, training-based methods frequently fail to generalize to novel data distributions. To resolve these issues, we introduce SONAR, a prompt sanitization framework that identifies and removes injected content using metrics from natural language inference. Specifically, SONAR constructs a sentence-level relational graph across the user query and external data. By using entailment and contradiction scores as edge weights, the system identifies sentences that deviate from the core task. It then employs connectivity-driven pruning to eliminate flagged injection seeds and their related neighbors while maintaining benign context. Rigorous evaluations across several models and datasets show that SONAR reduces the attack success rate to nearly zero, significantly outperforming nine established baseline defenses.