Perception-guided Jailbreak against Text-to-Image Models
Yihao Huang, Le Liang, Tianlin Li, Xiaojun Jia, Run Wang, Weikai Miao, Geguang Pu, Yang Liu

TL;DR
This paper introduces PGJ, a perception-guided jailbreak method that exploits human perception similarities to bypass safety filters in text-to-image models, demonstrating effectiveness across multiple models and services.
Contribution
It presents a novel, model-free jailbreak approach leveraging perception-based prompt substitution to generate unsafe images, addressing security concerns in T2I models.
Findings
Effective in bypassing safety filters across six models
Generates natural and convincing attack prompts
Proven on commercial online services
Abstract
In recent years, Text-to-Image (T2I) models have garnered significant attention due to their remarkable advancements. However, security concerns have emerged due to their potential to generate inappropriate or Not-Safe-For-Work (NSFW) images. In this paper, inspired by the observation that texts with different semantics can lead to similar human perceptions, we propose an LLM-driven perception-guided jailbreak method, termed PGJ. It is a black-box jailbreak method that requires no specific T2I model (model-free) and generates highly natural attack prompts. Specifically, we propose identifying a safe phrase that is similar in human perception yet inconsistent in text semantics with the target unsafe word and using it as a substitution. The experiments conducted on six open-source models and commercial online services with thousands of prompts have verified the effectiveness of PGJ.
Peer Reviews
No public reviews on file for this paper yet.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Digital Media Forensic Detection · Digital and Cyber Forensics
Methods: Softmax · Attention Is All You Need
