Speech-Audio Compositional Attacks on Multimodal LLMs and Their Mitigation with SALMONN-Guard

TL;DR

This paper introduces SACRED-Bench, a novel evaluation framework for testing the robustness of multimodal LLMs against complex speech-audio composition attacks, and proposes SALMONN-Guard, a guard model that significantly reduces attack success rates.

Contribution

The paper presents SACRED-Bench for black-box audio attack evaluation and introduces SALMONN-Guard, the first safety guard model that jointly inspects speech, audio, and text.

Findings

Gemini 2.5 Pro has a 66% attack success rate without defenses.

SALMONN-Guard reduces attack success to 20%.

Complex audio compositions pose significant safety challenges for LLMs.

Abstract

Recent progress in LLMs has enabled understanding of audio signals, but has also exposed new safety risks arising from complex audio inputs that are inadequately handled by current safeguards. We introduce SACRED-Bench (Speech-Audio Composition for RED-teaming) to evaluate the robustness of LLMs under complex audio-based attacks. Unlike existing perturbation-based methods that rely on noise optimization or white-box access, SACRED-Bench exploits speech-audio composition to enable effective black-box attacks. SACRED-Bench adopts three composition mechanisms: (a) overlap of harmful and benign speech, (b) mixture of benign speech with harmful non-speech audio, and (c) multi-speaker dialogue. These mechanisms focus on evaluating safety in settings where benign and harmful intents co-occur within a single auditory scene. Moreover, questions in SACRED-Bench are designed to implicitly refer to content in the audio, such that no explicit harmful information appears in the text prompt alone. Experiments demonstrate that even Gemini 2.5 Pro, a state-of-the-art proprietary LLM with safety guardrails fully enabled, still exhibits a 66% attack success rate. To bridge this gap, we propose SALMONN-Guard, the first guard model that jointly inspects speech, audio, and text for safety judgments, reducing the attack success rate to 20%. Our results highlight the need for audio-aware defenses to ensure the safety of multimodal LLMs. The dataset and SALMONN-Guard checkpoints can be found at https://huggingface.co/datasets/tsinghua-ee/SACRED-Bench.