Inferensys

Glossary

Token Manipulation

Token manipulation is an adversarial technique that involves altering individual input tokens or their embeddings to cause misinterpretation by an AI model, often using homoglyphs, invisible characters, or encoding tricks.
MLOps engineer reviewing model serving infrastructure on laptop, container orchestration visible, technical workspace.
ADVERSARIAL PROMPTING

What is Token Manipulation?

Token manipulation is an adversarial technique that involves altering individual input tokens or their embeddings to cause misinterpretation by a language model, often to bypass safety filters.

Token manipulation is a class of inference-time adversarial attacks targeting the discrete or continuous representation of input text. Attackers alter tokens using homoglyphs (visually similar characters from different Unicode blocks), zero-width spaces, or encoding tricks to create inputs that appear benign to human reviewers and simple text filters but are interpreted differently by the model's tokenizer. This exploits the gap between human perception and the model's internal representation, allowing malicious intent to be obfuscated.

The technique directly attacks the model's embedding lookup process. By substituting characters that map to different token IDs or vector representations, the attacker can shift the input's semantic meaning in the model's latent space, potentially triggering unintended behaviors or safety filter bypasses. It is a foundational method for crafting adversarial examples in the text domain and is closely related to input manipulation and Unicode exploits within the broader field of adversarial prompting.

ADVERSARIAL PROMPTING

Key Token Manipulation Techniques

Token manipulation exploits how language models process discrete input units. These techniques alter tokens or their representations to cause misinterpretation, bypassing safety filters and altering model behavior.

01

Homoglyph & Unicode Attacks

This technique replaces standard characters with visually similar ones from different Unicode blocks to create adversarial examples that appear normal to humans but are interpreted differently by the model's tokenizer.

  • Homoglyphs: Using 'Cyrillic а' (U+0430) instead of Latin 'a' (U+0061).
  • Zero-Width Characters: Inserting non-printing characters like U+200B (Zero-Width Space) or U+200C (Zero-Width Non-Joiner) to break tokenization.
  • Impact: Can bypass keyword-based safety filters, cause tokenizer errors, and create inputs that are misaligned with the model's training distribution.
02

Tokenization Mismatch Exploits

This method exploits differences in how various tokenizers (e.g., between a safety filter and the core model) segment text, creating inputs that are parsed inconsistently across system components.

  • Multi-Token Splits: Crafting a word like 'kill' as 'k' + 'ill' to avoid a filter that looks for the whole token.
  • Subword Ambiguity: Using punctuation or spacing to force a harmful word to be tokenized as benign sub-units.
  • Defense Evasion: The safety layer may see a harmless token sequence, while the language model's decoder reconstructs the intended harmful meaning from the subwords.
03

Embedding Space Perturbation

An advanced, often white-box, attack that directly manipulates the continuous vector representations of tokens to find small perturbations that maximally alter the model's output logits.

  • Gradient-Based Search: Using the model's gradients to find token substitutions that increase the probability of a target (e.g., harmful) output.
  • Adversarial Suffixes: Automated discovery of token sequences, like the "Artemis" or "AutoDAN" suffixes, that act as universal triggers for compliance.
  • Precise Control: Allows for highly optimized attacks that can be human-uninterpretable but are highly effective at steering model behavior.
04

Encoding & Serialization Tricks

This involves manipulating the raw byte-level encoding or data serialization format of a prompt before it is processed by the model's tokenizer.

  • Base64/URL Encoding: Embedding instructions within encoded strings that a pre-processing step might decode.
  • Markdown/HTML Injection: Using formatting syntax like [click here](javascript:alert()) in a context where it might be rendered and re-tokenized.
  • Buffer Overflows in Tokenization: Crafting extremely long or malformed strings to cause errors in the tokenization pipeline, potentially leading to undefined behavior.
05

Multi-Modal Token Injection

This technique targets models that process multiple data types by embedding adversarial instructions within non-text modalities, such as images or audio, which are then converted into token sequences.

  • Image Steganography: Encoding text prompts within the pixel data of an image using tools like Stable Diffusion with custom embeddings.
  • OCR Bypass: Creating images of text that, when read by an Optical Character Recognition (OCR) component, produce a malicious prompt.
  • Audio Adversarial Examples: Using inaudible perturbations or specific phonemes in speech-to-text inputs to generate harmful text tokens.
06

Defensive Countermeasures

A range of techniques designed to detect and mitigate token manipulation attacks, essential for securing production systems.

  • Input Normalization & Canonicalization: Converting all text to a standard form (NFKC Unicode normalization), stripping zero-width characters, and verifying encoding.
  • Perplexity Filtering: Flagging inputs with abnormally high perplexity scores, as adversarial examples often lie off the natural language manifold.
  • Robust Tokenization: Using consistent, hardened tokenizers across all pipeline stages and employing allowlists/denylists for suspicious Unicode blocks.
  • Adversarial Training: Fine-tuning the model on examples of token manipulation to improve its robustness against such attacks.
ADVERSARIAL PROMPTING

How Token Manipulation Works

Token manipulation is an adversarial technique that alters input tokens or their embeddings to cause model misinterpretation, exploiting vulnerabilities in text processing.

Token manipulation is an inference-time attack that strategically modifies the discrete tokens or their continuous embedding vectors before model processing. Attackers exploit the gap between human and machine perception by using homoglyphs (visually similar characters), zero-width spaces, or alternative Unicode encodings to create prompts that appear benign to safety filters but are interpreted differently by the model's tokenizer. This can bypass keyword-based defenses and directly corrupt the model's semantic understanding of the input.

The technique often targets the embedding space, searching for small perturbations in token vectors that maximally alter the model's output logits toward a desired, often harmful, response. This makes it a potent black-box attack method, as effective manipulations can be found through iterative API queries without model access. Defenses include Unicode normalization, robust tokenization schemes, and adversarial training on manipulated inputs to improve model resilience.

MITIGATION STRATEGIES

Defensive Mitigations Against Token Manipulation

A comparison of defensive techniques to detect and prevent adversarial token manipulation attacks, such as homoglyph substitution and encoding tricks.

Defensive TechniqueDetection-BasedPrevention-BasedRuntime CostEffectiveness Against Obfuscation

Input Normalization & Canonicalization

Low

High

Unicode Security Profiles (e.g., TR39)

Low

High

Per-Token Embedding Anomaly Detection

Medium

Medium

Adversarial Input Sanitization Libraries

Low

High

Context-Aware Token Validation

High

Medium

Model Fine-Tuning on Adversarial Examples

Very High (one-time)

High

Ensemble Voting with Robust Tokenizers

High

High

ADVERSARIAL PROMPTING

Frequently Asked Questions

Token manipulation involves altering the fundamental units of text input to exploit model vulnerabilities. These questions address its mechanisms, detection, and defense.

Token manipulation is an adversarial prompting technique that involves strategically altering individual input tokens or their embeddings to cause a language model to misinterpret the prompt, often bypassing safety filters or producing unintended outputs. Unlike high-level prompt injection, it operates at the granular, sub-word level of the model's input processing pipeline. Attackers exploit the disconnect between how text is rendered for humans (using characters) and how it is processed by the model (converted into tokens). Common methods include using homoglyphs (visually similar characters from different Unicode blocks), zero-width spaces, or other encoding tricks to create prompts that appear benign to human reviewers and simple text filters but are interpreted differently by the model's tokenizer, potentially triggering harmful behaviors.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.