SurrogatePrompt: Bypassing the Safety Filter of Text-to-Image Models via Substitution

TL;DR

This paper introduces SurrogatePrompt, a framework that systematically creates prompts to bypass safety filters in text-to-image models, revealing significant vulnerabilities and safety risks in current AI image generation systems.

Contribution

The paper presents the first prompt attack methodology on Midjourney, demonstrating how to evade safety filters using large language models and image modules, with an 88% success rate.

Findings

88% success rate in bypassing safety filters

Generated images depict political figures in violent scenarios

Revealed fundamental principles of prompt attacks

Abstract

Advanced text-to-image models such as DALL$\cdot$E 2 and Midjourney possess the capacity to generate highly realistic images, raising significant concerns regarding the potential proliferation of unsafe content. This includes adult, violent, or deceptive imagery of political figures. Despite claims of rigorous safety mechanisms implemented in these models to restrict the generation of not-safe-for-work (NSFW) content, we successfully devise and exhibit the first prompt attacks on Midjourney, resulting in the production of abundant photorealistic NSFW images. We reveal the fundamental principles of such prompt attacks and suggest strategically substituting high-risk sections within a suspect prompt to evade closed-source safety measures. Our novel framework, SurrogatePrompt, systematically generates attack prompts, utilizing large language models, image-to-text, and image-to-image modules to automate attack prompt creation at scale. Evaluation results disclose an 88% success rate in bypassing Midjourney's proprietary safety filter with our attack prompts, leading to the generation of counterfeit images depicting political figures in violent scenarios. Both subjective and objective assessments validate that the images generated from our attack prompts present considerable safety hazards.