🤖 AI Summary
In black-box settings, it is challenging to discern whether a large language model’s refusal to respond stems from external safety guardrails or its intrinsic alignment mechanisms, thereby limiting the effectiveness of adversarial attacks. This work proposes the first black-box guardrail reconnaissance method that requires no internal model knowledge. By integrating HTTP metadata, lexical features, and temporal behavioral signals—combined with statistical significance testing and a classification model—the approach accurately detects the presence of guardrails and identifies their interception categories. Experimental results demonstrate that the method achieves 100% accuracy in detecting guardrail presence, exhibits highly statistically significant discrimination between benign and malicious interactions (q < 0.001), and attains an average F1 score of 98% on unseen prompts for guardrail interception classification.
📝 Abstract
As Large Language Models (LLMs) and agentic systems become integrated into real-world applications, ensuring their safety and security is critical. Guardrail systems that detect and block malicious instructions sent to and from an LLM are an essential component of AI security. However, researchers conducting black-box adversarial emulation against production AI systems often struggle to determine whether a guardrail block or an LLM rejection has occurred. This distinction is important because the techniques used to bypass guardrails can differ substantially from those used to bypass LLM safety alignment, and has a material impact on attack technique selection and optimization. We propose the first black-box guardrail reconnaissance methodology, which detects the presence of a guardrail within a target AI system through behavioral monitoring of HTTP, lexical, and timing signals, assuming only black-box access and zero prior knowledge of the guardrail or AI system. Experiments demonstrate that our approach detects guardrail presence with 100% accuracy, with statistically significant behavioral separation between benign and malicious interactions (q < 0.001). Our approach further identifies the content categories a guardrail is designed to block, and distinguishes guardrail blocks from LLM rejection on unseen prompts with an average F1 score of 98%.