White-box Multimodal Jailbreaks Against Large Vision-Language Models

TL;DR

This paper introduces a dual-modality attack method that jointly manipulates images and text to exploit vulnerabilities in large vision-language models, successfully bypassing defenses and generating harmful content.

Contribution

It presents a novel universal attack strategy, the Universal Master Key, that effectively jailbreaks VLMs by jointly optimizing adversarial images and texts, revealing critical robustness weaknesses.

Findings

Achieves a 96% success rate in jailbreaking MiniGPT-4.

Demonstrates vulnerability of VLMs to combined image-text adversarial attacks.

Highlights the need for improved alignment and robustness strategies.

Abstract

Recent advancements in Large Vision-Language Models (VLMs) have underscored their superiority in various multimodal tasks. However, the adversarial robustness of VLMs has not been fully explored. Existing methods mainly assess robustness through unimodal adversarial attacks that perturb images, while assuming inherent resilience against text-based attacks. Different from existing attacks, in this work we propose a more comprehensive strategy that jointly attacks both text and image modalities to exploit a broader spectrum of vulnerability within VLMs. Specifically, we propose a dual optimization objective aimed at guiding the model to generate affirmative responses with high toxicity. Our attack method begins by optimizing an adversarial image prefix from random noise to generate diverse harmful responses in the absence of text input, thus imbuing the image with toxic semantics. Subsequently, an adversarial text suffix is integrated and co-optimized with the adversarial image prefix to maximize the probability of eliciting affirmative responses to various harmful instructions. The discovered adversarial image prefix and text suffix are collectively denoted as a Universal Master Key (UMK). When integrated into various malicious queries, UMK can circumvent the alignment defenses of VLMs and lead to the generation of objectionable content, known as jailbreaks. The experimental results demonstrate that our universal attack strategy can effectively jailbreak MiniGPT-4 with a 96% success rate, highlighting the vulnerability of VLMs and the urgent need for new alignment strategies.