Dive into NSFOCUS LLM Security Solution

Dive into NSFOCUS LLM Security Solution

setembro 12, 2025 | NSFOCUS

Overview

NSFOCUS LLM security solution consists of two products and services: the LLM security assessment system (AI-SCAN) and the AI unified threat management (AI-UTM), forming a security assessment and protection system covering the entire life cycle of LLM.

In the model training and fine-tuning stage, the large language model security assessment system (AI-SCAN) plays a key role. It can simulate 21 types of attack methods such as prompt word injection and data poisoning through a built-in 100,000+ test case library to detect the weak points of the model in content compliance, adversarial defense capabilities, etc. Especially in terms of supply chain security, AI-SCAN can deeply scan 15 model file formats such as .pb and h5, identify backdoor implantation risks, and perform vulnerability detection on 450+ model components such as Ollama and Ray to ensure model security from the source.

AI-Unified Threat Management (AI-UTM) provides critical operational security during the model deployment and application phases. The product establishes a three-level filtering mechanism in terms of content security: lexical detection based on 300,000+ sensitive words achieves millisecond response; semantic understanding is performed through NSFGPT (NSFOCUS self-developed LLM) to identify variant illegal content; the context memory window of 128K tokens is used to ensure accurate judgment in multiple rounds of conversations. In terms of computing power security, it can divide computing power resources into guaranteed level, ordinary level and restricted level, prevent token exhaustion attacks through predictive algorithms, and ensure the security and stability of model services.

In the application and agent operation stages, AI-UTM has built a multi-dimensional and intelligent protection system for the unique vulnerability attack scenarios of LLMs. Through deep semantic analysis and dynamic detection engines, it accurately intercepts traditional Web attacks such as SQL injections, XSS, SSRF, etc., preventing attackers from using vulnerabilities to invade LLM backend services or steal data. Through multi-dimensional detection mechanisms (such as keyword filtering, contextual semantic analysis, and abnormal input pattern recognition), maliciously constructed prompt inputs are blocked to prevent the model from being induced to output illegal content or leak training data privacy, thereby ensuring model application security.

AI-SCAN

AI-SCAN is a professional LLM security assessment tool that can efficiently and accurately detect the potential risks of LLMs in terms of content generation security, adversarial defense capabilities, and supply chain security. It can also be customized to import enterprise internal risk libraries for targeted intelligent assessments of LLM security risks. Finally, it provides users with deep insights through detailed visual risk assessment reports.

Core Functions

  • Content compliance assessment: AI-scan strictly follows regulatory standards and uses a multi-dimensional evaluation engine to achieve comprehensive security compliance verification of model output content.
  • Adversarial defense assessment: AI-scan covers 7 categories and 22 subcategories of adversarial security risks such as model jailbreaking, prompt leakage, role escape, and inversion attack.
  • Model backdoor detection: AI-scan provides advanced malicious model backdoor detection and analysis technology, covering backdoor risk detection in 15+ mainstream AI model file formats.
  • Model component vulnerability scanning: AI-scan covers the vulnerability detection of components and Web application services involved in the entire life cycle of 13 LLMs such as data processing access, training deployment, ML Ops, etc., with more than 3,000 vulnerabilities.
  • Customized question base intelligent evaluation: The industry-specific or scenario-specific question bases are quickly imported, and multiple evaluators such as built-in matching, intelligent evaluation, and refusal are flexibly adapted to different question bases.

Technical advantages

  • Comprehensiveness: Covers multiple dimensions such as ethical alignment, anti-attack protection, and supply chain detection.
  • Innovation: Adopts various evaluation methods such as “model governance”, “efficient matching” and “refusal judgment”.
  • Efficiency: Supports parallel processing, single-task evaluation time less than 30 minutes.
  • Compatibility: The new LLM can be adapted and connected in minutes simply.
  • Simplicity: Tracks and explains the entire process of risk detection, and displays each risk detail in an easy-to-read way.
  • Flexibility: In addition to the built-in multiple question banks, other specific scenario question base assessments can be flexibly added.

Typical deployment scenarios

The AI-SCAN is deployed in a bypass manner to generate diverse adversarial attack samples and content compliance risk samples for assessing the output content security of various versions of LLMs in different application scenarios.

AIUTM

AI-UTM deeply integrates rule engines and AI algorithms, and provides four core capabilities: content security protection, computing resource management, data leakage prevention, and LLM security assessment. It provides hierarchical and progressive protection capabilities for the security of basic model components, LLMs themselves, LLM applications, and LLM data.

Core Functions

  • Content security protection: Three-level content filtering system (lexical, semantic, context), 128K tokens memory window.
  • Prompt word reinforcement: For instructions passed to LLMs, policies can be configured to limit the context environment of prompt words, effectively reducing the security risks of LLMs.
  • Computing resource management: Three-level priority dynamic allocation strategy with intelligent prediction algorithm to prevent system overload.
  • Data leakage prevention: The accuracy rate of sensitive information identification exceeds 99%, supporting multimodal content identification such as text and pictures.
  • Full-Link Audit: Supports full-link security audit of intelligent agent applications and LLM API input and output.

Technical advantages

  • Flexible and comprehensive scenario access: Simultaneous protection of LLM traffic + traditional web traffic, quickly compatible with various LLM applications and traditional web applications coupling customer scenarios.
  • High performance: Millisecond-level real-time response, supports streaming detection with no impact on model business.
  • Reliability: Cluster deployment with service availability ≥ 99.9%.
  • Easy to manage: Visual console with centralized management of multi-dimensional policy configuration.

Deployment mode

[Typical Scenario 1] AI-UTM is deployed in front of the API interface of the LLM service, hiding the real API of the LLM service, realizing functions such as AI gateway, key and token control, content security compliance, prompt word attack protection, computing power attack protection, intelligent agent-level dialogue auditing, etc., providing one-stop security protection.

[Typical Scenario 2] AI-UTM is deployed in front of business applications/Web applications that call LLM capabilities. It implements functions such as content security compliance, prompt word attack prevention, computing power attack prevention, data leakage prevention, and user-level dialogue auditing, providing one-stop large model services and intelligent agent application security protection.

Solution Core Value

Full Life Cycle Security Protection

  • Training and fine-tuning stage: Security assessment is carried out through AI-SCAN to identify risks such as training data poisoning and backdoor implantation.
  • Deployment and application stage: AI-UTM is used to provide content security protection, computing resource control and data leakage prevention.
  • Model and agent application stage: AI-UTM is used to implement software vulnerability and application layer attack protection for business applications/API exposure surfaces.

Multi-dimensional security capability integration

  • Security operation: Integrated operation between components, the risks assessed by AI-SCAN can be input to AI-UTM, thereby generating security protection strategies and forming a closed loop of AI security operations.
  • Compliance guarantee: Meet the compliance requirements of technical standards, legal registration, etc. Comprehensive risk identification: Covering 21 types of adversarial risks such as prompt injection, jailbreaking attack, and sensitive information leakage.