Adversarial Prompt Injection Attack on Multimodal Large Language Models
Meiwen Ding, Song Xia, Chenqi Kong, Xudong Jiang

TL;DR
This paper introduces a novel method for imperceptible visual prompt injection attacks on multimodal large language models, embedding malicious prompts into images through optimized visual perturbations.
Contribution
The work presents an adaptive technique to embed imperceptible visual prompts into images, fooling closed-source MLLMs and surpassing existing prompt injection methods.
Findings
Effective embedding of malicious prompts via optimized visual perturbations.
Superior attack performance compared to existing methods.
Successful attacks demonstrated across multiple tasks and models.
Abstract
Although multimodal large language models (MLLMs) are increasingly deployed in real-world applications, their instruction-following behavior leaves them vulnerable to prompt injection attacks. Existing prompt injection methods predominantly rely on textual prompts or perceptible visual prompts that are observable by human users. In this work, we study imperceptible visual prompt injection against powerful closed-source MLLMs, where adversarial instructions are embedded in the visual modality. Our method adaptively embeds the malicious prompt into the input image via a bounded text overlay to provide semantic guidance. Meanwhile, the imperceptible visual perturbation is iteratively optimized to align the feature representation of the attacked image with those of the malicious visual and textual targets at both coarse- and fine-grained levels. Specifically, the visual target is…
