defense-in-depth
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseDefense in Depth for AI Systems
AI系统的深度防御
Overview
概述
Defense in depth applies multiple security layers so that if one fails, others still protect the system. For AI applications, this means validating at every boundary: edge, gateway, input, authorization, data, LLM, output, and observability.
Core Principle: No single security control should be the only thing protecting sensitive operations.
深度防御采用多层安全机制,这样即使某一层失效,其他层仍能保护系统。对于AI应用而言,这意味着在每个边界进行验证:边缘、网关、输入、授权、数据、LLM、输出和可观测性。
核心原则: 任何单一安全控制都不应是保护敏感操作的唯一手段。
The 8-Layer Security Architecture
8层安全架构
┌─────────────────────────────────────────────────────────────────────────┐
│ Layer 0: EDGE │ WAF, Rate Limiting, DDoS, Bot Detection │
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 1: GATEWAY │ JWT Verify, Extract Claims, Build Context │
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 2: INPUT │ Schema Validation, PII Detection, Injection│
│ │ + Tavily Prompt Injection Firewall (opt.) │
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 3: AUTHORIZATION │ RBAC/ABAC, Tenant Check, Resource Access │
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 4: DATA ACCESS │ Parameterized Queries, Tenant Filter │
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 5: LLM │ Prompt Building (no IDs), Context Separation│
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 6: OUTPUT │ Schema Validation, Guardrails, Hallucination│
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 7: STORAGE │ Attribution, Audit Trail, Encryption │
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 8: OBSERVABILITY │ Logging (sanitized), Tracing, Metrics │
└─────────────────────────────────────────────────────────────────────────┘┌─────────────────────────────────────────────────────────────────────────┐
│ Layer 0: EDGE │ WAF, Rate Limiting, DDoS, Bot Detection │
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 1: GATEWAY │ JWT Verify, Extract Claims, Build Context │
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 2: INPUT │ Schema Validation, PII Detection, Injection│
│ │ + Tavily Prompt Injection Firewall (opt.) │
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 3: AUTHORIZATION │ RBAC/ABAC, Tenant Check, Resource Access │
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 4: DATA ACCESS │ Parameterized Queries, Tenant Filter │
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 5: LLM │ Prompt Building (no IDs), Context Separation│
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 6: OUTPUT │ Schema Validation, Guardrails, Hallucination│
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 7: STORAGE │ Attribution, Audit Trail, Encryption │
├─────────────────────────────────────────────────────────────────────────┤
│ Layer 8: OBSERVABILITY │ Logging (sanitized), Tracing, Metrics │
└─────────────────────────────────────────────────────────────────────────┘Layer Details
各层详情
Layer 0: Edge Protection
第0层:边缘防护
Purpose: Stop attacks before they reach your application.
- WAF rules for OWASP Top 10
- Rate limiting per user/IP
- DDoS protection
- Bot detection
- Geo-blocking if required
目标: 在攻击抵达应用之前将其拦截。
- 针对OWASP Top 10的WAF规则
- 按用户/IP进行速率限制
- DDoS防护
- 机器人检测
- 按需启用地域封锁
Layer 1: Gateway / Authentication
第1层:网关 / 身份认证
Purpose: Verify identity and build request context.
python
@dataclass(frozen=True)
class RequestContext:
"""Immutable context that flows through the system"""
# Identity
user_id: UUID
tenant_id: UUID
session_id: str
permissions: frozenset[str]
# Tracing
request_id: str
trace_id: str
# Metadata
timestamp: datetime
client_ip: str目标: 验证身份并构建请求上下文。
python
@dataclass(frozen=True)
class RequestContext:
"""Immutable context that flows through the system"""
# Identity
user_id: UUID
tenant_id: UUID
session_id: str
permissions: frozenset[str]
# Tracing
request_id: str
trace_id: str
# Metadata
timestamp: datetime
client_ip: strLayer 2: Input Validation
第2层:输入验证
Purpose: Reject bad input early.
- Schema validation: Pydantic/Zod for structure
- Content validation: PII detection, malware scan
- Injection defense: SQL, XSS, prompt injection patterns
- External scanning (optional): Tavily prompt injection firewall for web-sourced content — pre-filters RAG inputs before they reach the LLM layer
目标: 尽早拒绝恶意输入。
- Schema验证: 使用Pydantic/Zod进行结构校验
- 内容验证: PII检测、恶意软件扫描
- 注入防护: 识别SQL、XSS、提示注入模式
- 外部扫描(可选): 针对网络来源内容的Tavily提示注入防火墙 —— 在内容到达LLM层之前预过滤RAG输入
Layer 3: Authorization
第3层:授权
Purpose: Verify permission for the specific action and resource.
python
async def authorize(ctx: RequestContext, action: str, resource: Resource) -> bool:
# 1. Check permission exists
if action not in ctx.permissions:
raise Forbidden("Missing permission")
# 2. Check tenant ownership
if resource.tenant_id != ctx.tenant_id:
raise Forbidden("Cross-tenant access denied")
# 3. Check resource-level access
if not await check_resource_access(ctx.user_id, resource):
raise Forbidden("No access to resource")
return True目标: 验证对特定操作和资源的权限。
python
async def authorize(ctx: RequestContext, action: str, resource: Resource) -> bool:
# 1. Check permission exists
if action not in ctx.permissions:
raise Forbidden("Missing permission")
# 2. Check tenant ownership
if resource.tenant_id != ctx.tenant_id:
raise Forbidden("Cross-tenant access denied")
# 3. Check resource-level access
if not await check_resource_access(ctx.user_id, resource):
raise Forbidden("No access to resource")
return TrueLayer 4: Data Access
第4层:数据访问
Purpose: Ensure all queries are tenant-scoped.
python
class TenantScopedRepository:
def __init__(self, ctx: RequestContext):
self.ctx = ctx
self._base_filter = {"tenant_id": ctx.tenant_id}
async def find(self, query: dict) -> list[Model]:
# ALWAYS merge tenant filter
safe_query = {**self._base_filter, **query}
return await self.db.find(safe_query)目标: 确保所有查询都按租户范围限制。
python
class TenantScopedRepository:
def __init__(self, ctx: RequestContext):
self.ctx = ctx
self._base_filter = {"tenant_id": ctx.tenant_id}
async def find(self, query: dict) -> list[Model]:
# ALWAYS merge tenant filter
safe_query = {**self._base_filter, **query}
return await self.db.find(safe_query)Layer 5: LLM Orchestration
第5层:LLM编排
Purpose: Build prompts with content only, no identifiers.
- Identifiers flow AROUND the LLM, not THROUGH it
- Prompts contain only content text
- No user_id, tenant_id, document_id in prompt text
- See skill for details
llm-safety-patterns
目标: 仅基于内容构建提示词,不包含标识符。
- 标识符绕开LLM传递,而非通过LLM
- 提示词仅包含文本内容
- 提示词文本中不包含user_id、tenant_id、document_id
- 详情请参考技能
llm-safety-patterns
Layer 6: Output Validation
第6层:输出验证
Purpose: Validate LLM output before use.
- Schema validation (JSON structure)
- Content guardrails (toxicity, PII generation)
- Hallucination detection (grounding check)
- Code injection prevention
目标: 在使用LLM输出前进行验证。
- Schema验证(JSON结构)
- 内容防护栏(毒性检测、PII生成拦截)
- 幻觉检测(事实依据校验)
- 代码注入防护
Layer 7: Attribution & Storage
第7层:归因与存储
Purpose: Reattach context and store with proper attribution.
- Attribution is deterministic, not LLM-generated
- Context from Layer 1 is attached to results
- Source references from Layer 4 are attached
- Audit trail recorded
目标: 重新关联上下文并以正确的归因方式存储。
- 归因是确定性的,而非LLM生成
- 关联第1层的上下文到结果中
- 关联第4层的来源引用到结果中
- 记录审计轨迹
Layer 8: Observability
第8层:可观测性
Purpose: Monitor without leaking sensitive data.
- Structured logging with sanitization
- Distributed tracing (Langfuse)
- Metrics (latency, errors, costs)
- Alerts for anomalies
目标: 在不泄露敏感数据的前提下进行监控。
- 经过脱敏的结构化日志
- 分布式追踪(Langfuse)
- 指标(延迟、错误、成本)
- 异常告警
Implementation Checklist
实施检查清单
Before deploying any AI feature, verify:
- Layer 0: Rate limiting configured
- Layer 1: JWT validation active, RequestContext created
- Layer 2: Pydantic models validate all input
- Layer 3: Authorization check on every endpoint
- Layer 4: All queries include tenant_id filter
- Layer 5: No IDs in LLM prompts (run audit)
- Layer 6: Output schema validation active
- Layer 7: Attribution uses context, not LLM output
- Layer 8: Logging sanitized, tracing enabled
部署任何AI功能之前,请验证:
- 第0层:已配置速率限制
- 第1层:JWT验证已激活,已创建RequestContext
- 第2层:使用Pydantic模型验证所有输入
- 第3层:每个端点都进行授权检查
- 第4层:所有查询都包含tenant_id过滤条件
- 第5层:LLM提示词中无ID(执行审计)
- 第6层:输出Schema验证已激活
- 第7层:归因使用上下文而非LLM输出
- 第8层:日志已脱敏,追踪已启用
Industry Sources
行业来源
| Pattern | Source | Application |
|---|---|---|
| Defense in Depth | NIST | Multiple validation layers |
| Zero Trust | Google BeyondCorp | Every request verified |
| Least Privilege | AWS IAM | Minimal permissions |
| Complete Mediation | Saltzer & Schroeder | Every access checked |
| 模式 | 来源 | 应用 |
|---|---|---|
| 深度防御 | NIST | 多层验证机制 |
| 零信任 | Google BeyondCorp | 每个请求都经过验证 |
| 最小权限 | AWS IAM | 权限最小化 |
| 完全仲裁 | Saltzer & Schroeder | 每次访问都经过检查 |
Integration with OrchestKit
与OrchestKit的集成
This skill integrates with:
- - Layer 5 details
llm-safety-patterns - - OWASP validations
security-checklist - - Layer 8 details
observability-monitoring
本技能可与以下技能集成:
- - 第5层详情
llm-safety-patterns - - OWASP验证
security-checklist - - 第8层详情
observability-monitoring
Related Skills
相关技能
- - OWASP Top 10 vulnerabilities that Layer 0-2 defend against
owasp-top-10 - - Detailed authentication/authorization for Layers 1 and 3
auth-patterns - - Input validation and sanitization patterns for Layer 2
input-validation - - Automated security scanning for ongoing defense validation
security-scanning
- - 第0-2层防御的OWASP Top 10漏洞
owasp-top-10 - - 第1和3层的详细身份认证/授权机制
auth-patterns - - 第2层的输入验证与脱敏模式
input-validation - - 用于持续防御验证的自动化安全扫描
security-scanning
Key Decisions
关键决策
| Decision | Choice | Rationale |
|---|---|---|
| Context object | Immutable dataclass | Prevents accidental mutation, ensures consistent identity flow |
| Tenant isolation | Query-level filtering | Defense in depth - application layer + database constraints |
| LLM prompt security | No identifiers in prompts | IDs flow around LLM, not through it - prevents prompt injection leaks |
| Audit logging | Sanitized structured logs | Compliance requirements while preventing PII exposure |
Version: 1.0.0 (December 2025)
| 决策 | 选择 | 理由 |
|---|---|---|
| 上下文对象 | 不可变数据类 | 防止意外修改,确保身份流的一致性 |
| 租户隔离 | 查询级过滤 | 深度防御 - 应用层 + 数据库约束 |
| LLM提示词安全 | 提示词中无ID | ID绕开LLM传递,而非通过LLM - 防止提示注入泄露 |
| 审计日志 | 脱敏结构化日志 | 满足合规要求的同时防止PII泄露 |
版本: 1.0.0(2025年12月)
Capability Details
能力详情
8-layer-architecture
8-layer-architecture
Keywords: defense in depth, security layers, validation layers, multi-layer
Solves:
- How do I secure my AI application end-to-end?
- What validation layers do I need?
- How do I implement defense in depth?
关键词: defense in depth, security layers, validation layers, multi-layer
解决问题:
- 如何端到端地保护我的AI应用?
- 我需要哪些验证层?
- 如何实现深度防御?
request-context
request-context
Keywords: request context, immutable context, context object, user context
Solves:
- How do I pass user identity through the system?
- How do I create an immutable request context?
- What should be in the request context?
关键词: request context, immutable context, context object, user context
解决问题:
- 如何在系统中传递用户身份?
- 如何创建不可变的请求上下文?
- 请求上下文应包含哪些内容?
tenant-isolation
tenant-isolation
Keywords: multi-tenant, tenant isolation, tenant filter, cross-tenant
Solves:
- How do I ensure tenant isolation?
- How do I prevent cross-tenant data access?
- How do I filter queries by tenant?
关键词: multi-tenant, tenant isolation, tenant filter, cross-tenant
解决问题:
- 如何确保租户隔离?
- 如何防止跨租户数据访问?
- 如何按租户过滤查询?
audit-logging
audit-logging
Keywords: audit log, audit trail, logging, compliance
Solves:
- What should I log for compliance?
- How do I create audit trails?
- How do I log without leaking PII?
关键词: audit log, audit trail, logging, compliance
解决问题:
- 为了合规我应该记录什么?
- 如何创建审计轨迹?
- 如何在不泄露PII的情况下记录日志?