The VLLM Safety Paradox: Dual Ease in Jailbreak Attack and Defense

TL;DR

This paper investigates the paradox of high performance in both attacking and defending Vision Large Language Models (VLLMs), analyzing underlying causes, limitations of current defenses, and proposing a safety-aware detection method to improve trustworthiness.

Contribution

It offers a new explanation for VLLM jailbreak vulnerability, identifies the problem of over-prudence in defenses, and introduces a simple safety-aware detection pipeline.

Findings

VLLMs are vulnerable due to inclusion of vision inputs.

Current defenses suffer from over-prudence, causing unintended abstention.

Evaluation methods for jailbreak often show chance agreement.

Abstract

The vulnerability of Vision Large Language Models (VLLMs) to jailbreak attacks appears as no surprise. However, recent defense mechanisms against these attacks have reached near-saturation performance on benchmark evaluations, often with minimal effort. This \emph{dual high performance} in both attack and defense raises a fundamental and perplexing paradox. To gain a deep understanding of this issue and thus further help strengthen the trustworthiness of VLLMs, this paper makes three key contributions: i) One tentative explanation for VLLMs being prone to jailbreak attacks--\textbf{inclusion of vision inputs}, as well as its in-depth analysis. ii) The recognition of a largely ignored problem in existing defense mechanisms--\textbf{over-prudence}. The problem causes these defense methods to exhibit unintended abstention, even in the presence of benign inputs, thereby undermining their reliability in faithfully defending against attacks. iii) A simple safety-aware method--\textbf{LLM-Pipeline}. Our method repurposes the more advanced guardrails of LLMs on the shelf, serving as an effective alternative detector prior to VLLM response. Last but not least, we find that the two representative evaluation methods for jailbreak often exhibit chance agreement. This limitation makes it potentially misleading when evaluating attack strategies or defense mechanisms. We believe the findings from this paper offer useful insights to rethink the foundational development of VLLM safety with respect to benchmark datasets, defense strategies, and evaluation methods.