Universally Unfiltered and Unseen:Input-Agnostic Multimodal Jailbreaks against Text-to-Image Model Safeguards

TL;DR

This paper introduces U3-Attack, a scalable multimodal jailbreak method that effectively bypasses T2I safeguards using universal adversarial patches and paraphrases, outperforming existing attacks.

Contribution

The paper presents a novel universal multimodal jailbreak approach that improves scalability and success rates over prior prompt-specific methods.

Findings

U3-Attack achieves ~4x higher success rates than previous methods.

It effectively bypasses both prompt filters and safety checkers.

Demonstrated on multiple open-source and commercial T2I models.

Abstract

Various (text) prompt filters and (image) safety checkers have been implemented to mitigate the misuse of Text-to-Image (T2I) models in creating Not-Safe-For-Work (NSFW) content. In order to expose potential security vulnerabilities of such safeguards, multimodal jailbreaks have been studied. However, existing jailbreaks are limited to prompt-specific and image-specific perturbations, which suffer from poor scalability and time-consuming optimization. To address these limitations, we propose Universally Unfiltered and Unseen (U3)-Attack, a multimodal jailbreak attack method against T2I safeguards. Specifically, U3-Attack optimizes an adversarial patch on the image background to universally bypass safety checkers and optimizes a safe paraphrase set from a sensitive word to universally bypass prompt filters while eliminating redundant computations. Extensive experimental results demonstrate the superiority of our U3-Attack on both open-source and commercial T2I models. For example, on the commercial Runway-inpainting model with both prompt filter and safety checker, our U3-Attack achieves $~4\times$ higher success rates than the state-of-the-art multimodal jailbreak attack, MMA-Diffusion.