didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

docs: research on DLP alternatives to pipelock #192

Merged
didericis merged 4 commits from research/dlp-alternatives into main 2026-06-04 14:27:32 -04:00
Conversation 2 Commits 4 Files Changed 1
+505

4 Commits

Author SHA1 Message Date
didericis c94a2542bd docs: evaluate CaMeL prompt injection framework for integration
test / unit (pull_request) Successful in 34s
Details
test / integration (pull_request) Successful in 43s
Details
test / unit (push) Successful in 36s
Details
test / integration (push) Successful in 54s
Details 
Add analysis of Google DeepMind's CaMeL (arXiv:2503.18813), which
prevents prompt injections architecturally rather than detecting them.

Key findings:
- CaMeL operates at the agent execution layer (P-LLM/Q-LLM split +
  capability-based data flow tracking), not the network layer
- Not a replacement for pipelock/DLP — different threat surface
- Not viable today: research artifact, requires agent rearchitecture,
  doubles LLM costs, 7% utility loss on AgentDojo
- Worth watching: its capability model could complement bot-bottle's
  network controls if it matures into production software

Also clarifies pipelock's actual detection capabilities (no prompt
injection detection) and adds naive detector sketch.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-06-04 14:13:32 -04:00
didericis e6b3cd1824 docs: remove time estimates and add LLM-based detection analysis
test / unit (pull_request) Successful in 35s
Details
test / integration (pull_request) Successful in 45s
Details 
- Remove all time estimates (2-3 weeks, 1-2 weeks, etc.)
- Add detailed analysis of using LLM for prompt injection detection
- Survey existing models (none purpose-built for this)
- Sketch DistilBERT fine-tuning approach (~67MB quantized)
- Analyze latency/footprint tradeoffs (50-150ms vs. <5ms for patterns)
- Recommend pattern-based Phase 2, with LLM as optional Phase 2b
- Include code sketch of LLM detector with timeout fallback
- List open questions for LLM deployment

Conclusion: Patterns are faster/simpler for now; LLM only if patterns
miss sophisticated attacks in production.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
 2026-06-04 14:02:59 -04:00
didericis 49f77f2d1e docs: accommodate PR feedback on detector architecture
test / unit (pull_request) Successful in 42s
Details
test / integration (pull_request) Successful in 50s
Details 
Per feedback from PR 192:

- Restructure around outbound_detectors (requests to upstream) and
  inbound_detectors (responses from upstream)
- Rename to 'secret exfiltration' detection for Phase 1
- Add 'known_secrets' detector for provisioned credentials
- Make scanning enabled by default per detector type
- Clarify that multiple encodings of secrets should be checked

Phase 1 now focuses on preventing outbound credential leaks.
Phase 2 handles inbound prompt injection attacks.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
 2026-06-04 13:54:46 -04:00
didericis d3c2d9e8f6 docs: research document on DLP alternatives to pipelock
test / unit (pull_request) Successful in 36s
Details
test / integration (pull_request) Successful in 47s
Details 
Investigates replacing pipelock with a custom mitmproxy-based DLP addon
that supports per-route configuration, response-specific rules, and
AI-specific threat detection (tokens, prompt injection).

Recommends building the addon in-repo to align with bot-bottle's
per-route design model and keep security logic auditable.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
 2026-06-04 13:21:42 -04:00