Con Instruction: Universal Jailbreaking of Multimodal Large Language Models via Non-Textual Modalities

TL;DR

This paper introduces Con Instruction, a novel method for creating non-textual adversarial examples that can bypass safety mechanisms in multimodal language models by exploiting their understanding of images and audio, revealing vulnerabilities.

Contribution

We propose a new attack method that generates non-textual adversarial inputs without training data, demonstrating significant safety bypasses in multiple multimodal models.

Findings

Achieves up to 86.6% attack success rate on LLaVA-v1.5

Effectively bypasses safety mechanisms in vision- and audio-language models

Uncovers performance gaps among existing defense techniques

Abstract

Existing attacks against multimodal language models (MLLMs) primarily communicate instructions through text accompanied by adversarial images. In contrast, we exploit the capabilities of MLLMs to interpret non-textual instructions, specifically, adversarial images or audio generated by our novel method, Con Instruction. We optimize these adversarial examples to align closely with target instructions in the embedding space, revealing the detrimental implications of MLLMs' sophisticated understanding. Unlike prior work, our method does not require training data or preprocessing of textual instructions. While these non-textual adversarial examples can effectively bypass MLLM safety mechanisms, their combination with various text inputs substantially amplifies attack success. We further introduce a new Attack Response Categorization (ARC) framework, which evaluates both the quality of the model's response and its relevance to the malicious instructions. Experimental results demonstrate that Con Instruction effectively bypasses safety mechanisms in multiple vision- and audio-language models, including LLaVA-v1.5, InternVL, Qwen-VL, and Qwen-Audio, evaluated on two standard benchmarks: AdvBench and SafeBench. Specifically, our method achieves the highest attack success rates, reaching 81.3% and 86.6% on LLaVA-v1.5 (13B). On the defense side, we explore various countermeasures against our attacks and uncover a substantial performance gap among existing techniques. Our implementation is made publicly available.