oxideshield_guard/guards/

perplexity.rs

//! Perplexity-based guard for detecting adversarial suffixes
//!
//! This guard uses character-level perplexity and entropy analysis to detect
//! adversarial patterns like those generated by AutoDAN and GCG attacks.
//!
//! ## Research References
//!
//! - [AutoDAN](https://arxiv.org/abs/2310.04451) - arXiv, 2023
//!   Genetic algorithm-based adversarial prompt generation
//! - [GCG Attack](https://arxiv.org/abs/2307.15043) - Zou et al., 2023
//!   Gradient-based universal attacks producing gibberish suffixes
//! - [JailbreakBench](https://jailbreakbench.github.io/) - 2024
//!   Benchmark for evaluating jailbreak attacks
//!
//! ## Detection Mechanism
//!
//! Adversarial suffixes typically exhibit unusual statistical properties:
//! - **High Perplexity**: Random character sequences that don't match natural language
//! - **Low Entropy**: Repetitive patterns used to extend prompts
//! - **Unusual n-gram distributions**: Rare character combinations
//!
//! ## Example
//!
//! ```rust
//! use oxideshield_guard::guards::PerplexityGuard;
//! use oxideshield_guard::{Guard, GuardAction};
//!
//! // Create guard with thresholds appropriate for our n-gram model
//! let guard = PerplexityGuard::new("perplexity")
//!     .with_max_perplexity(50000.0)  // Higher for simplified model
//!     .with_min_entropy(1.0)         // Low entropy catches repetition
//!     .with_action(GuardAction::Block);
//!
//! // Normal text passes
//! let result = guard.check("Hello, how are you today? This is normal text.");
//! assert!(result.passed);
//!
//! // Repetitive text fails (low entropy)
//! let result = guard.check("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
//! assert!(!result.passed);
//! ```

use std::collections::HashMap;

use oxideshield_core::{AnomalySegment, PerplexityAnalyzer, PerplexityConfig, Severity};
use serde::{Deserialize, Serialize};
use tracing::{debug, instrument};

use crate::guard::{Guard, GuardAction, GuardCheckResult};
use oxideshield_core::Match;

/// Default maximum perplexity threshold
/// Note: With the simplified n-gram model, this needs to be higher
/// Production systems with trained models would use ~1000
pub const DEFAULT_MAX_PERPLEXITY: f32 = 50000.0;

/// Default minimum perplexity threshold (too low = repetitive)
pub const DEFAULT_MIN_PERPLEXITY: f32 = 2.0;

/// Default minimum entropy threshold
pub const DEFAULT_MIN_ENTROPY: f32 = 1.5;

/// Default suffix analysis ratio
pub const DEFAULT_SUFFIX_RATIO: f32 = 0.3;

/// Perplexity guard configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PerplexityGuardConfig {
    /// Maximum allowed perplexity (above = gibberish)
    pub max_perplexity: f32,
    /// Minimum allowed perplexity (below = too repetitive)
    pub min_perplexity: f32,
    /// Minimum allowed entropy
    pub min_entropy: f32,
    /// Ratio of text to analyze as suffix (0.0 - 1.0)
    pub suffix_ratio: f32,
    /// Whether to analyze the full text
    pub analyze_full_text: bool,
    /// Whether to focus on suffix analysis
    pub analyze_suffix: bool,
    /// Action to take when triggered
    pub action: GuardAction,
    /// Severity to assign to matches
    pub severity: Severity,
}

impl Default for PerplexityGuardConfig {
    fn default() -> Self {
        Self {
            max_perplexity: DEFAULT_MAX_PERPLEXITY,
            min_perplexity: DEFAULT_MIN_PERPLEXITY,
            min_entropy: DEFAULT_MIN_ENTROPY,
            suffix_ratio: DEFAULT_SUFFIX_RATIO,
            analyze_full_text: true,
            analyze_suffix: true,
            action: GuardAction::Block,
            severity: Severity::High,
        }
    }
}

/// Guard for detecting adversarial patterns using perplexity analysis
///
/// This guard is particularly effective at detecting:
/// - GCG-style adversarial suffixes (random gibberish)
/// - AutoDAN-style generated attacks
/// - Repetitive padding attacks
/// - Unusual character distributions
pub struct PerplexityGuard {
    name: String,
    analyzer: PerplexityAnalyzer,
    config: PerplexityGuardConfig,
}

impl PerplexityGuard {
    /// Create a new perplexity guard with default settings
    pub fn new(name: impl Into<String>) -> Self {
        Self {
            name: name.into(),
            analyzer: PerplexityAnalyzer::new(),
            config: PerplexityGuardConfig::default(),
        }
    }

    /// Create with custom analyzer configuration
    pub fn with_analyzer_config(name: impl Into<String>, config: PerplexityConfig) -> Self {
        Self {
            name: name.into(),
            analyzer: PerplexityAnalyzer::with_config(config),
            config: PerplexityGuardConfig::default(),
        }
    }

    /// Set the maximum perplexity threshold
    pub fn with_max_perplexity(mut self, max: f32) -> Self {
        self.config.max_perplexity = max.max(1.0);
        self
    }

    /// Set the minimum perplexity threshold
    pub fn with_min_perplexity(mut self, min: f32) -> Self {
        self.config.min_perplexity = min.max(0.1);
        self
    }

    /// Set the minimum entropy threshold
    pub fn with_min_entropy(mut self, min: f32) -> Self {
        self.config.min_entropy = min.max(0.0);
        self
    }

    /// Set the suffix analysis ratio
    pub fn with_suffix_ratio(mut self, ratio: f32) -> Self {
        self.config.suffix_ratio = ratio.clamp(0.1, 0.9);
        self
    }

    /// Enable/disable full text analysis
    pub fn analyze_full_text(mut self, enabled: bool) -> Self {
        self.config.analyze_full_text = enabled;
        self
    }

    /// Enable/disable suffix-focused analysis
    pub fn analyze_suffix(mut self, enabled: bool) -> Self {
        self.config.analyze_suffix = enabled;
        self
    }

    /// Set the action to take
    pub fn with_action(mut self, action: GuardAction) -> Self {
        self.config.action = action;
        self
    }

    /// Set the severity for matches
    pub fn with_severity(mut self, severity: Severity) -> Self {
        self.config.severity = severity;
        self
    }

    /// Get the current configuration
    pub fn config(&self) -> &PerplexityGuardConfig {
        &self.config
    }

    /// Create a Match from an anomaly segment
    fn create_match(&self, anomaly: &AnomalySegment) -> Match {
        let mut metadata = HashMap::new();
        metadata.insert(
            "perplexity".to_string(),
            format!("{:.2}", anomaly.perplexity),
        );
        metadata.insert("entropy".to_string(), format!("{:.2}", anomaly.entropy));
        metadata.insert("anomaly_type".to_string(), anomaly.anomaly_type.to_string());

        Match {
            id: uuid::Uuid::new_v4(),
            pattern: format!("[perplexity:{}]", anomaly.anomaly_type),
            matched_text: if anomaly.text.len() > 50 {
                format!("{}...", &anomaly.text[..50])
            } else {
                anomaly.text.clone()
            },
            start: anomaly.start,
            end: anomaly.end,
            severity: self.config.severity,
            category: "adversarial".to_string(),
            metadata,
        }
    }

    /// Analyze text and return all detected anomalies
    fn detect_anomalies(&self, content: &str) -> Vec<AnomalySegment> {
        let mut all_anomalies = Vec::new();

        // Full text sliding window analysis
        if self.config.analyze_full_text {
            let anomalies = self.analyzer.find_anomalous_segments(
                content,
                self.config.max_perplexity,
                self.config.min_perplexity,
                self.config.min_entropy,
            );
            all_anomalies.extend(anomalies);
        }

        // Suffix-focused analysis
        if self.config.analyze_suffix {
            if let Some(suffix_anomaly) = self.analyzer.analyze_suffix(
                content,
                self.config.suffix_ratio,
                self.config.max_perplexity,
                self.config.min_entropy,
            ) {
                // Check if not already covered by full text analysis
                let already_covered = all_anomalies
                    .iter()
                    .any(|a| a.start <= suffix_anomaly.start && a.end >= suffix_anomaly.end);

                if !already_covered {
                    all_anomalies.push(suffix_anomaly);
                }
            }
        }

        all_anomalies
    }
}

impl Guard for PerplexityGuard {
    fn name(&self) -> &str {
        &self.name
    }

    #[instrument(skip(self, content), fields(guard = %self.name, content_len = content.len()))]
    fn check(&self, content: &str) -> GuardCheckResult {
        // Quick check for minimum length
        if content.len() < 10 {
            debug!("Content too short for perplexity analysis");
            return GuardCheckResult::pass(&self.name);
        }

        let anomalies = self.detect_anomalies(content);

        if anomalies.is_empty() {
            debug!("No perplexity anomalies detected");
            return GuardCheckResult::pass(&self.name);
        }

        // Convert anomalies to matches
        let matches: Vec<Match> = anomalies.iter().map(|a| self.create_match(a)).collect();

        // Build reason string
        let anomaly_types: Vec<String> = anomalies
            .iter()
            .map(|a| a.anomaly_type.to_string())
            .collect::<std::collections::HashSet<_>>()
            .into_iter()
            .collect();

        let reason = format!(
            "Detected {} perplexity anomalies: {}",
            anomalies.len(),
            anomaly_types.join(", ")
        );

        debug!(
            anomaly_count = anomalies.len(),
            types = ?anomaly_types,
            "Perplexity guard triggered"
        );

        GuardCheckResult::fail(&self.name, self.config.action, matches, reason)
    }

    fn action(&self) -> GuardAction {
        self.config.action
    }

    fn severity_threshold(&self) -> Severity {
        Severity::Low
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_perplexity_guard_creation() {
        let guard = PerplexityGuard::new("test")
            .with_max_perplexity(50000.0)
            .with_min_entropy(2.0)
            .with_action(GuardAction::Block);

        assert_eq!(guard.name(), "test");
        assert_eq!(guard.config.max_perplexity, 50000.0);
        assert_eq!(guard.config.min_entropy, 2.0);
        assert_eq!(guard.action(), GuardAction::Block);
    }

    #[test]
    fn test_normal_text_passes() {
        let guard = PerplexityGuard::new("test");

        let normal = "The quick brown fox jumps over the lazy dog. This is a normal sentence with common English words and phrases.";
        let result = guard.check(normal);

        assert!(
            result.passed,
            "Normal text should pass: {:?}",
            result.reason
        );
    }

    #[test]
    fn test_repetitive_text_fails() {
        let guard = PerplexityGuard::new("test").with_min_entropy(1.0);

        let repetitive = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
        let result = guard.check(repetitive);

        assert!(!result.passed, "Repetitive text should fail");
        assert_eq!(result.action, GuardAction::Block);
    }

    #[test]
    fn test_short_text_passes() {
        let guard = PerplexityGuard::new("test");

        let short = "Hello";
        let result = guard.check(short);

        assert!(result.passed, "Short text should pass (skip analysis)");
    }

    #[test]
    fn test_config_clamping() {
        let guard = PerplexityGuard::new("test")
            .with_max_perplexity(-100.0) // Should clamp to 1.0
            .with_min_perplexity(-50.0) // Should clamp to 0.1
            .with_min_entropy(-10.0) // Should clamp to 0.0
            .with_suffix_ratio(2.0); // Should clamp to 0.9

        assert!(guard.config.max_perplexity >= 1.0);
        assert!(guard.config.min_perplexity >= 0.1);
        assert!(guard.config.min_entropy >= 0.0);
        assert!(guard.config.suffix_ratio <= 0.9);
    }

    #[test]
    fn test_suffix_analysis() {
        let guard = PerplexityGuard::new("test")
            .analyze_full_text(false)
            .analyze_suffix(true)
            .with_suffix_ratio(0.5);

        // Text with adversarial-like suffix
        let text = "Please answer my question about the weather. zxcvbnmasdfghjkqwertyuiopzxcvbnm";
        let result = guard.check(text);

        // The suffix should be flagged
        // (This depends on the specific perplexity thresholds)
        assert!(result.matches.is_empty() || !result.passed);
    }

    #[test]
    fn test_mixed_text() {
        let guard = PerplexityGuard::new("test").with_max_perplexity(800.0);

        // Mixed normal and potentially adversarial content
        let text = "Normal text at the start. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx More normal text at the end.";
        let result = guard.check(text);

        // Should detect the repetitive section
        if !result.passed {
            assert!(!result.matches.is_empty());
        }
    }

    #[test]
    fn test_severity_assignment() {
        let guard = PerplexityGuard::new("test")
            .with_severity(Severity::Critical)
            .with_min_entropy(2.0);

        let repetitive = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
        let result = guard.check(repetitive);

        if !result.matches.is_empty() {
            assert_eq!(result.matches[0].severity, Severity::Critical);
        }
    }

    #[test]
    fn test_gcg_like_pattern() {
        let guard = PerplexityGuard::new("test");

        // Simulated GCG-style adversarial suffix (random looking characters)
        let gcg_like =
            "What is 2+2? ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !";
        let result = guard.check(gcg_like);

        // Should detect as low entropy due to repetitive pattern
        if !result.passed {
            let has_low_entropy = result.matches.iter().any(|m| {
                m.metadata
                    .get("anomaly_type")
                    .map(|t| t == "low_entropy")
                    .unwrap_or(false)
            });
            // Either passes or detects correctly
            assert!(result.passed || has_low_entropy || !result.matches.is_empty());
        }
    }
}