Inferensys

Glossary

Prompt Normalization

A preprocessing step that converts Unicode characters to a canonical form and strips invisible control characters to neutralize obfuscation attempts before they reach a language model.
ML engineer managing model versions on laptop, version history visible, technical Git-like workflow.
INPUT SANITIZATION

What is Prompt Normalization?

Prompt normalization is a defensive preprocessing step that converts user-supplied text into a canonical, safe representation by resolving Unicode ambiguities and stripping invisible control characters to neutralize obfuscation attempts before they reach a language model.

Prompt normalization is the process of transforming input text into a standardized canonical form to eliminate encoding-based attack vectors. It resolves homoglyph attacks by converting visually identical Unicode characters (e.g., Cyrillic 'а' vs. Latin 'a') to a consistent representation, and applies Unicode equivalence (NFKC normalization) to collapse compatibility characters that could otherwise bypass text-based content filters.

The process also strips invisible control characters and zero-width spaces that adversaries use for payload splitting and token smuggling. By enforcing a deterministic character set before any semantic analysis or perplexity filtering occurs, normalization ensures that downstream prompt firewalls and guard models evaluate the true semantic intent of the input rather than being deceived by encoding tricks.

DEFENSE MECHANISM

Key Characteristics of Prompt Normalization

Prompt normalization is a preprocessing security control that transforms input strings into a canonical, safe representation before they reach the language model. It neutralizes obfuscation techniques that rely on Unicode trickery and invisible control characters.

01

Unicode Canonicalization

Converts all text to a single, standard Unicode normalization form—typically NFKC (Normalization Form KC) —to collapse visually identical but technically distinct characters.

  • Maps full-width Latin characters (e.g., U+FF21) to standard ASCII (A U+0041)
  • Decomposes and recomposes ligatures and combined glyphs
  • Eliminates ambiguity between compatibility equivalents

This directly defeats homoglyph attacks where pаy (with Cyrillic а) masquerades as pay.

NFKC
Standard Form
4
Normalization Forms
02

Control Character Stripping

Removes or escapes invisible Unicode control characters that attackers embed to manipulate tokenization boundaries or inject hidden instructions.

  • Strips zero-width characters: U+200B (Zero-Width Space), U+200C (ZWNJ), U+200D (ZWJ)
  • Removes bidirectional text override characters: U+202E (RLO), U+202A (LRE)
  • Filters deprecated control codes like U+0085 (Next Line)

These characters can break delimiter injection defenses by altering how the model parses prompt boundaries.

20+
Stripped Characters
Zero-width
Primary Vector
03

Token Boundary Integrity

Ensures that normalization does not inadvertently create or destroy token boundaries that alter the semantic meaning of the input.

  • Preserves whitespace semantics critical for code and structured data
  • Validates that canonicalization does not merge adjacent tokens into new, unintended words
  • Applies normalization before tokenization to maintain a consistent pipeline

This prevents token smuggling attacks where normalization itself could be exploited to reassemble split payloads.

Pre-tokenization
Pipeline Position
04

Encoding Overlong Detection

Identifies and rejects overlong UTF-8 encodings —byte sequences that represent a valid character using more bytes than necessary.

  • Detects 2-byte encodings of ASCII characters (e.g., C0 AF for /)
  • Detects 3-byte and 4-byte overlong sequences for code points that fit in fewer bytes
  • Blocks these before they reach the model's tokenizer

Overlong encodings are a classic bypass technique against input sanitization filters that only check canonical byte representations.

UTF-8
Target Encoding
05

Whitespace Collapse and Normalization

Standardizes all whitespace characters to a single canonical form to prevent attackers from using alternative space characters to evade pattern-matching defenses.

  • Converts non-breaking spaces (U+00A0), en spaces, and em spaces to standard spaces
  • Collapses repeated whitespace to a single space where semantically safe
  • Normalizes line endings (CRLF, CR, LF) to a single newline character

This closes gaps in perplexity filtering where unusual whitespace could lower the statistical anomaly score of an obfuscated payload.

10+
Space Variants
06

Integration with Prompt Firewalls

Serves as the first stage in a defense-in-depth pipeline, operating before semantic analysis or guard model evaluation.

  • Normalized output feeds into semantic filtering and guard model checks
  • Reduces the attack surface for downstream defenses by eliminating encoding-based obfuscation
  • Logs pre-normalization and post-normalization inputs for forensic analysis of blocked attacks

Without normalization, a prompt firewall may inspect a benign canonical form while the model processes a malicious obfuscated original.

Stage 1
Defense Pipeline
PROMPT NORMALIZATION

Frequently Asked Questions

Clear, concise answers to the most common questions about sanitizing and standardizing model inputs to defeat obfuscation-based injection attacks.

Prompt normalization is a preprocessing security step that converts user input into a canonical form by resolving Unicode characters and stripping invisible control sequences. It works by applying algorithms like NFKC (Normalization Form KC) to decompose visually identical homoglyphs into their standard ASCII equivalents, removing zero-width characters, and collapsing redundant whitespace. This process neutralizes obfuscation attempts—such as replacing the letter 'a' with the Cyrillic 'а' (U+0430)—before the text reaches the language model's tokenizer, ensuring the model interprets the true semantic intent rather than a visually spoofed malicious command.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.