ALMGuard: Safety Shortcuts and Where to Find Them as Guardrails for Audio-Language Models

TL;DR

ALMGuard is a novel defense framework that identifies universal safety shortcuts in Audio-Language Models, effectively reducing jailbreak attack success rates while preserving model utility.

Contribution

This paper introduces ALMGuard, the first tailored defense for ALMs, utilizing Shortcut Activation Perturbations and Mel-Gradient Sparse Mask to enhance robustness against specific adversarial attacks.

Findings

Reduces jailbreak success rate to 4.6% across four models

Maintains comparable utility on benign benchmarks

Demonstrates robustness against seen and unseen attacks

Abstract

Recent advances in Audio-Language Models (ALMs) have significantly improved multimodal understanding capabilities. However, the introduction of the audio modality also brings new and unique vulnerability vectors. Previous studies have proposed jailbreak attacks that specifically target ALMs, revealing that defenses directly transferred from traditional audio adversarial attacks or text-based Large Language Model (LLM) jailbreaks are largely ineffective against these ALM-specific threats. To address this issue, we propose ALMGuard, the first defense framework tailored to ALMs. Based on the assumption that safety-aligned shortcuts naturally exist in ALMs, we design a method to identify universal Shortcut Activation Perturbations (SAPs) that serve as triggers that activate the safety shortcuts to safeguard ALMs at inference time. To better sift out effective triggers while preserving the model's utility on benign tasks, we further propose Mel-Gradient Sparse Mask (M-GSM), which restricts perturbations to Mel-frequency bins that are sensitive to jailbreaks but insensitive to speech understanding. Both theoretical analyses and empirical results demonstrate the robustness of our method against both seen and unseen attacks. Overall, \MethodName reduces the average success rate of advanced ALM-specific jailbreak attacks to 4.6% across four models, while maintaining comparable utility on benign benchmarks, establishing it as the new state of the art. Our code and data are available at https://github.com/WeifeiJin/ALMGuard.