Developing & Deploying AI Fingerprints for Advanced Threat Detection (BinaryShield)
A practitioner talk by Natalie Isak and Waris Gill (Microsoft) at the Unprompted Conference (March 2026) on BinaryShield. The system is documented in an arXiv paper co-authored with Matthew Dressman; that paper is the primary source here, and slides and video are not yet captured.
The Argument
When one LLM service detects a prompt-injection attack, peer services usually cannot benefit. Raw prompts carry user PII and are legally unshareable across compliance boundaries; even dense embeddings are reconstructable and can leak the original text. So the same attack persists undetected across services for months. BinaryShield is built to make the fingerprint of an attack shareable without making the attack’s content recoverable.1
The pipeline has four steps: PII redaction (via Microsoft Presidio), semantic embedding, sign-based binary quantization that discards magnitude so the original cannot be reconstructed, and a randomized-response differential-privacy step that flips bits according to a privacy budget. The result is a compact binary fingerprint searchable by Hamming distance, which a service can broadcast to peers to scan their own logs, flag live traffic, and train local defenses. On the paper’s evaluation, the fingerprint holds detection quality where a naive hash collapses (F1 0.94 against paraphrased attacks versus 0.77 for SimHash) while cutting storage and search cost by large factors against dense embeddings.2
Where It Fits
This extends detection from a single service to a sharing layer — the contribution the Agentic SOC: State of the Field thesis tracks under cross-organization threat intelligence. The threat class is prompt injection, and the privacy mechanism is a concrete application of differential privacy to security telemetry, complementing prompt-injection containment at the single-service level.
Notes
Footnotes
-
Gill, Isak, Dressman, “BinaryShield: Cross-Service Threat Intelligence in LLM Services using Privacy-Preserving Fingerprints,” arXiv:2509.05608. Abstract and landing page: arxiv.org/abs/2509.05608; full HTML: arxiv.org/html/2509.05608v1. ↩
-
F1 0.94 vs SimHash 0.77 on paraphrase attacks (abstract and §3.2); storage and similarity-search reductions against dense embeddings, and retention of ~93% of the non-private dense-baseline Accuracy@1 at a 100K corpus (§3.3). arxiv.org/html/2509.05608v1. ↩