The attack described is a classic Direct Prompt Injection, where malicious instructions are embedded within user input to hijack the model's behavior. The most effective and direct mitigation is to treat all user input as untrusted data. Implementing robust input sanitization helps to filter out or neutralize control sequences and instruction-like language. Furthermore, using delimiter-based prompt structuring, where system instructions and user input are clearly separated by special markers (e.g., ...), helps the model differentiate between trusted commands and untrusted content, significantly reducing the risk of injection while preserving the application's core functionality.

A. Adversarial retraining is a reactive defense that may not generalize to novel attack strings and is more resource-intensive than proactive input handling.

B. Lowering the temperature setting reduces the model's creativity but does not prevent it from following explicit, high-probability instructions provided in a prompt injection attack.

D. A stateless firewall operates at the network layer and lacks the application-layer context to inspect and understand the semantic content of a prompt, making it ineffective against this attack.

1. OWASP Foundation. (2023). OWASP Top 10 for Large Language Model Applications. LLM01: Prompt Injection. Recommends segregating user input from the system prompt and implementing input filtering as primary mitigations.

2. Perez, F., & Ribeiro, I. (2022). Ignore Previous Prompt: Attack Techniques For Language Models. Section 4.1. Discusses instruction-based attacks and suggests that models can be fine-tuned to respect delimiters separating instructions from data. (DOI: https://doi.org/10.48550/arXiv.2211.09527).

3. Wei, A., et al. (2023). Jailbroken: How Does LLM Safety Training Fail?. Section 5. Discusses defenses, highlighting the challenge and importance of separating instructions from user data, which is the principle behind delimiter-based structuring. (Preprint available on arXiv:2307.02483).