Large Language Models (LLMs) are increasingly central to agentic systems due to their strong reasoning and planning capabilities. By interacting with external environments through predefined tools, these agents can carry out complex user tasks. Nonetheless, this interaction also introduces the risk of prompt injection attacks, where malicious inputs from external sources can mislead the agent's behavior, potentially resulting in economic loss, privacy leakage, or system compromise. System-level defenses have recently shown promise by enforcing static or predefined policies, but they still face two key challenges: the ability to dynamically update security rules and the need for memory stream isolation. To address these challenges, we propose DRIFT, a Dynamic Rule-based Isolation Framework for Trustworthy agentic systems, which enforces both control- and data-level constraints. A Secure Planner first constructs a minimal function trajectory and a JSON-schema-style parameter checklist for each function node based on the user query. A Dynamic Validator then monitors deviations from the original plan, assessing whether changes comply with privilege limitations and the user's intent. Finally, an Injection Isolator detects and masks any instructions that may conflict with the user query from the memory stream to mitigate long-term risks. We empirically validate the effectiveness of DRIFT on the AgentDojo and ASB benchmark, demonstrating its strong security performance while maintaining high utility across diverse models, showcasing both its robustness and adaptability. The code is released at https://github.com/SaFoLab-WISC/DRIFT.

翻译：大型语言模型（LLM）凭借其强大的推理与规划能力，正日益成为智能体系统的核心。这些智能体通过预定义工具与外部环境交互，能够执行复杂的用户任务。然而，这种交互也带来了提示注入攻击的风险：来自外部来源的恶意输入可能误导智能体行为，进而导致经济损失、隐私泄露或系统被攻破。系统级防御方法近期展现出潜力，通过实施静态或预定义策略进行防护，但仍面临两大关键挑战：动态更新安全规则的能力，以及对记忆流隔离的需求。为应对这些挑战，本文提出DRIFT——一种面向可信智能体系统的动态规则隔离框架，该框架同时实施控制层与数据层约束。安全规划器首先根据用户查询为每个功能节点构建最小函数轨迹和JSON模式风格的参数检查表；动态验证器随后监控对原始计划的偏离，评估变更是否符合权限限制与用户意图；最后，注入隔离器检测并屏蔽记忆流中可能与用户查询冲突的指令，以缓解长期风险。我们在AgentDojo和ASB基准测试上实证验证了DRIFT的有效性，结果表明其在保持多种模型高实用性的同时具备优异的安全性能，充分展现了该框架的鲁棒性与适应性。代码已发布于https://github.com/SaFoLab-WISC/DRIFT。