SmoothGuard: Defending Multimodal Large Language Models with Noise Perturbation and Clustering Aggregation

TL;DR

SmoothGuard is a novel defense framework that enhances multimodal large language models' robustness against adversarial attacks by using noise perturbation and clustering aggregation, ensuring stable outputs without sacrificing performance.

Contribution

The paper introduces SmoothGuard, a lightweight, model-agnostic method combining noise injection and clustering to defend multimodal models from adversarial manipulations.

Findings

Improves robustness of MLLMs against adversarial attacks.

Maintains competitive utility while enhancing security.

Identifies optimal noise levels for balancing robustness and performance.

Abstract

Multimodal large language models (MLLMs) have achieved impressive performance across diverse tasks by jointly reasoning over textual and visual inputs. Despite their success, these models remain highly vulnerable to adversarial manipulations, raising concerns about their safety and reliability in deployment. In this work, we first generalize an approach for generating adversarial images within the HuggingFace ecosystem and then introduce SmoothGuard, a lightweight and model-agnostic defense framework that enhances the robustness of MLLMs through randomized noise injection and clustering-based prediction aggregation. Our method perturbs continuous modalities (e.g., images and audio) with Gaussian noise, generates multiple candidate outputs, and applies embedding-based clustering to filter out adversarially influenced predictions. The final answer is selected from the majority cluster, ensuring stable responses even under malicious perturbations. Extensive experiments on POPE, LLaVA-Bench (In-the-Wild), and MM-SafetyBench demonstrate that SmoothGuard improves resilience to adversarial attacks while maintaining competitive utility. Ablation studies further identify an optimal noise range (0.1-0.2) that balances robustness and utility.