Bioinformatics meets prompt injection defense: the Smith-Waterman trick
An open-source technique adapts the 1981 Smith-Waterman DNA alignment algorithm to catch paraphrased prompt injections that regex and classifiers miss, boosting F1 by 34 points.
Most prompt-injection defenses rely on regex blocklists for known attack strings plus a classifier to catch the rest — a combination that breaks down as soon as an attacker paraphrases ("ignore previous instructions" becomes "disregard prior directives"). This piece borrows a fix from a field that solved an analogous problem decades ago: bioinformatics, where DNA and protein sequences must be compared despite substitutions and gaps.
The approach ports Smith-Waterman, the 1981 dynamic-programming algorithm for local sequence alignment, to word-level text. Attack templates and incoming prompts are tokenized into keywords, then aligned using a hand-curated semantic substitution matrix that scores word pairs like "ignore"/"disregard" as near-matches. Because local alignment finds the best-scoring subregion rather than requiring a full-string match, it naturally ignores the innocuous padding attackers wrap around malicious instructions.
Implemented as detector d028 in the open-source prompt-shield library, the technique was benchmarked on the deepset/prompt-injections dataset. F1 rose from 0.033 (regex only) to 0.161 (regex plus a DeBERTa classifier) to 0.378 once d028 was added — a 34.5-point gain over the classifier baseline, with no increase in false positives and scan times under 5 milliseconds. The author is upfront about limits: novel attacker vocabulary and structural attacks like many-shot jailbreaks slip past this specific detector, which is why it's deployed as one of 33 complementary detectors rather than a standalone defense.
The work stands as a concrete example of porting a mature algorithm across domains into LLM security, and the author invites further exploration of bioinformatics techniques such as BLAST or UPGMA for related problems. The implementation is Apache 2.0 licensed on GitHub and PyPI (prompt-shield-ai), with full methodology detailed in a companion arXiv paper (CC BY 4.0).