Adversary-Aware DPO: Enhancing Safety Alignment in Vision Language Models via Adversarial Training

TL;DR

This paper introduces Adversary-aware DPO (ADPO), a novel training framework that enhances the safety and robustness of vision-language models against adversarial attacks by integrating adversarial training into the preference optimization process.

Contribution

It proposes a new adversarial training method for VLMs that explicitly considers worst-case perturbations, improving safety alignment and robustness over existing post-hoc methods.

Findings

ADPO outperforms baseline methods in safety alignment.

Enhances robustness of VLMs against jailbreak attacks.

Improves general utility of vision-language models.

Abstract

Safety alignment is critical in pre-training large language models (LLMs) to generate responses aligned with human values and refuse harmful queries. Unlike LLM, the current safety alignment of VLMs is often achieved with post-hoc safety fine-tuning. However, these methods are less effective to white-box attacks. To address this, we propose $\textit{Adversary-aware DPO (ADPO)}$, a novel training framework that explicitly considers adversarial. $\textit{Adversary-aware DPO (ADPO)}$ integrates adversarial training into DPO to enhance the safety alignment of VLMs under worst-case adversarial perturbations. $\textit{ADPO}$ introduces two key components: (1) an adversarial-trained reference model that generates human-preferred responses under worst-case perturbations, and (2) an adversarial-aware DPO loss that generates winner-loser pairs accounting for adversarial distortions. By combining these innovations, $\textit{ADPO}$ ensures that VLMs remain robust and reliable even in the presence of sophisticated jailbreak attacks. Extensive experiments demonstrate that $\textit{ADPO}$ outperforms baselines in the safety alignment and general utility of VLMs.