Proof of Concept: Multi-Layer Prompt Injection Detection for .NET
⚠️ Disclaimer: This is a Proof of Concept (POC) project demonstrating multi-layer prompt injection detection architecture for .NET applications. It is intended for educational and research purposes and is not production-ready.
PromptShield demonstrates how to build a defense-in-depth prompt injection detection system for LLM-integrated .NET applications. This POC showcases:
- 🏗️ Multi-layer detection architecture — Pattern Matching → Heuristics → ML Classification → Semantic Analysis
- 🔌 Semantic Kernel integration — Seamless
IPromptRenderFilterimplementation - 🌐 ASP.NET Core middleware — Request-level prompt protection
- 📊 OpenTelemetry observability — Metrics, traces, and structured logging
- 🧩 Extensibility model — Custom patterns, heuristics, and event handlers
All threat categories are aligned with OWASP LLM Top 10 (2025).
// Semantic Kernel integration — one line to enable protection
var kernel = Kernel.CreateBuilder()
.AddAzureOpenAIChatCompletion("gpt-4", endpoint, apiKey)
.AddPromptShield()
.Build();
try
{
var result = await kernel.InvokePromptAsync(userPrompt);
}
catch (PromptInjectionDetectedException ex)
{
Console.WriteLine($"Blocked: {ex.Result.ThreatInfo?.ThreatType}");
}PromptShield/
├── src/
│ ├── PromptShield.Abstractions/ # Interfaces, models, contracts
│ ├── PromptShield.Core/ # Detection engine implementation
│ ├── PromptShield.SemanticKernel/ # Semantic Kernel integration
│ └── PromptShield.AspNetCore/ # ASP.NET Core middleware
├── tests/
│ ├── PromptShield.Core.Tests/
│ ├── PromptShield.SemanticKernel.Tests/
│ └── PromptShield.Benchmarks/
├── docs/ # Documentation
└── specs/ # Design specifications
The detection pipeline demonstrates a cascading architecture with early exit optimization:
| Layer | Description | Typical Latency |
|---|---|---|
| Language Filter | Gate: blocks unsupported languages | < 1ms |
| Pattern Matching | Regex-based known attack detection | < 0.5ms |
| Heuristic Analysis | Behavioral signals and anomalies | < 0.5ms |
| ML Classification | ONNX-based neural classifier | < 5ms |
Input → Language Filter → Pattern Layer → Heuristic Layer → [ML Layer] → Result
│ │ │
Unsupported? Early Exit Early Exit
│ (≥0.9 conf) (≥0.85/≤0.15)
▼
BLOCK
⚠️ Important: All detection layers require language-specific patterns and vocabulary. By default, only English is supported.
The Language Filter acts as a gate:
- Supported language → proceed to detection layers
- Unsupported language → block (configurable)
services.AddPromptShield(options =>
{
options.Language.Enabled = true;
options.Language.SupportedLanguages = ["en"]; // Only English by default
options.Language.OnUnsupportedLanguage = UnsupportedLanguageBehavior.Block;
});To add support for other languages:
- Add the language code to
SupportedLanguages - Implement
IPatternProviderwith patterns for that language - Optionally implement
IHeuristicAnalyzerfor language-specific heuristics
// Example: Adding Ukrainian support
options.Language.SupportedLanguages = ["en", "uk"];
services.AddPatternProvider<UkrainianPatternProvider>();| Document | Description |
|---|---|
| 📘 Getting Started | Setup guide and first steps |
| 🏗️ Architecture | System design and layer details |
| ⚙️ Configuration | All configuration options |
| 📚 API Reference | Full API documentation |
Each detection layer has complementary strengths:
| Layer | Strength | Weakness |
|---|---|---|
| Pattern Matching | Fast, precise, explainable | Easily bypassed with variations |
| Heuristics | Catches behavioral anomalies | May miss novel attacks |
| ML Classification | Generalizes to variations | Requires training data |
| Semantic Analysis | Deep understanding | Expensive, recursive risk |
// Default: treat analysis failures as threats
options.OnAnalysisError = FailureBehavior.FailClosed;services.AddPromptShield(options =>
{
options.Language.Enabled = true;
options.Language.SupportedLanguages = ["en"]; // Block non-English
options.Language.OnUnsupportedLanguage = UnsupportedLanguageBehavior.Block;
});All layers support sensitivity tuning and allowlists:
services.AddPromptShield(options =>
{
// Global sensitivity: Low, Medium, High, Paranoid
options.Heuristics.Sensitivity = SensitivityLevel.Medium;
options.MLClassification.Sensitivity = SensitivityLevel.Low;
options.PatternMatching.Sensitivity = SensitivityLevel.Medium;
// Allowlist patterns (regex) - matched prompts bypass detection
options.Heuristics.AllowedPatterns = new() { @"(?i)safe\s+context" };
options.MLClassification.AllowedPatterns = new() { @"(?i)internal\s+test" };
options.PatternMatching.AllowedPatterns = new() { @"(?i)demo\s+mode" };
// Disable specific built-in patterns causing false positives
options.PatternMatching.DisabledPatternIds = new()
{
BuiltInPatternIds.Base64EncodingDetection // Example: disable base64 check
};
// Disable specific ML features
options.MLClassification.DisabledFeatures = new() { "IgnorePattern" };
// Custom feature weights for ML
options.MLClassification.FeatureWeights = new()
{
["InjectionKeywords"] = 0.6, // Reduce weight
["PersonaSwitchPattern"] = 0.8
};
});services.AddPromptShield()
.AddPatternProvider<GermanPatternProvider>() // Add patterns for German
.AddHeuristicAnalyzer<GermanHeuristicAnalyzer>() // Add German heuristics
.AddLanguageDetector<AzureLanguageDetector>() // Use Azure for detection
.AddEventHandler<SecurityAuditHandler>();services.AddPromptShield(options =>
{
options.SemanticAnalysis.Enabled = true;
options.SemanticAnalysis.Endpoint = "https://your-openai.azure.com";
// Custom system prompt for domain-specific detection
options.SemanticAnalysis.CustomSystemPrompt = """
You are a security analyst for a banking application...
""";
// Or just add context to the default prompt
options.SemanticAnalysis.AdditionalContext =
"In this application, 'transfer funds' is a normal operation.";
});builder.Services.AddOpenTelemetry()
.WithMetrics(m => m.AddMeter("PromptShield"))
.WithTracing(t => t.AddSource("PromptShield"));- .NET 8.0 SDK or later
- (Optional) Azure OpenAI for semantic analysis layer
dotnet restore
dotnet builddotnet testcd tests/PromptShield.Benchmarks
dotnet run -c ReleaseAs a POC, this project has the following limitations:
⚠️ English-only rule-based detection — Pattern matching, heuristics, and ML vocabulary are designed for English- ✅ Language Filter mitigation — Non-English prompts can be routed to Semantic Analysis (LLM-based)
- 🔧 Extensibility — Implement
IPatternProviderto add patterns for other languages
This is an educational POC project. Contributions, suggestions, and discussions are welcome!
- Fork the repository
- Create a feature branch
- Submit a Pull Request
See CONTRIBUTING.md for details.
For security-related questions about this POC, see SECURITY.md.
This project is licensed under the MIT License — see LICENSE for details.
- OWASP LLM Top 10 — Threat categorization framework
- Microsoft Semantic Kernel — AI orchestration framework
- Azure AI Content Safety — Production-grade content moderation
Built as a learning exercise for secure LLM integration patterns