AdaShield: Safeguarding Multimodal Large Language Models from Structure-based Attack via Adaptive Shield Prompting

TL;DR

The paper tackles safety for multimodal large language models against structure-based jailbreaks that embed malicious content in images. It introduces AdaShield, a prompt-based defense that prepends inputs with defense prompts, avoiding fine-tuning or extra detectors, and extends it with AdaShield-A, an adaptive auto-refinement framework that builds a diversified pool of prompts via interaction between a target MLLM and a Defender LLM. Across standard structure-based attacks and benign benchmarks, AdaShield-S and especially AdaShield-A demonstrate improved robustness while preserving performance on safe tasks, with AdaShield-A also showing good generalization and transferability. The work offers a practical, low-overhead defense suitable for MLM-as-a-Service deployments, though it focuses on structure-based threats and future work could broaden to universal defenses.

Abstract

With the advent and widespread deployment of Multimodal Large Language Models (MLLMs), the imperative to ensure their safety has become increasingly pronounced. However, with the integration of additional modalities, MLLMs are exposed to new vulnerabilities, rendering them prone to structured-based jailbreak attacks, where semantic content (e.g., "harmful text") has been injected into the images to mislead MLLMs. In this work, we aim to defend against such threats. Specifically, we propose \textbf{Ada}ptive \textbf{Shield} Prompting (\textbf{AdaShield}), which prepends inputs with defense prompts to defend MLLMs against structure-based jailbreak attacks without fine-tuning MLLMs or training additional modules (e.g., post-stage content detector). Initially, we present a manually designed static defense prompt, which thoroughly examines the image and instruction content step by step and specifies response methods to malicious queries. Furthermore, we introduce an adaptive auto-refinement framework, consisting of a target MLLM and a LLM-based defense prompt generator (Defender). These components collaboratively and iteratively communicate to generate a defense prompt. Extensive experiments on the popular structure-based jailbreak attacks and benign datasets show that our methods can consistently improve MLLMs' robustness against structure-based jailbreak attacks without compromising the model's general capabilities evaluated on standard benign tasks. Our code is available at https://github.com/rain305f/AdaShield.

Figures (6)

• Figure 1: Illustration of structure-based jailbreak attacks and the intuition of our defense method. (a) Examples of structure-based jailbreak attacks, where each query pairs a benign text with a harmful image. The harmful images explicitly feature malicious texts or items to bypass the alignment of MLLMs. (b) Our AdaShield leverages a defender $D$ and a target MLLM $M$ to optimize defense prompts in a conversational format during training. This process yields a varied pool of defense prompts that comply with specific safety rules. Subsequently, AdaShield adaptively appends these prompts to inputs, enhancing the security of $M$.
• Figure 2: The overview of AdaShield-A. AdaShield-A consists of a defender $D$ and a target MLLM $M$, where $D$ aims to generate the defense prompt $P$ that safeguards $M$ from malicious queries. Then, $P$ is put into $M$ to generate response $R$ for the current malicious query. $D$ uses the previously failed defense prompts and the jailbreak response from $M$ as feedback, and iteratively refines the defense prompt in a chat format.
• Figure 3: A conversation example from AdaShield-A between the target MLLM $M$ and defender $D$. The objective of defender $D$ is to safeguard $M$ from harmful queries for the Sex scenario. $D$ generates the failed prompt to defend against the malicious query for the first time. Then, with the jailbreak response from $M$ and previous defense prompt as feedback, $D$ successfully optimizes defense prompts by injecting the safe rules about the sex scenario, and outputs a reason to elicit interpretability.
• Figure 4: The examples of AdaShield-A on FigStep figstep and QR queryrelevant. Each example comprises a text query (image-text pairs), the input-aware defense prompt provided by AdaShield-A for the current text query, and the output of the target MLLM for the current text query. We observe that our AdaShield-A can provide effective defense prompts for each text query, which include detailed safety rules, thereby enhancing the defense robustness of the target MLLM. Here, we use LLaVA 1.5-13B as the target MLLM. The detailed safety rules are highlighted.
• Figure 5: Visualization of system prompt in AdaShield-A. The important parts are color-coded and underlined. The system prompt $P_{sys}$ initially outlines the task setting to facilitate the automatic refinement of defense prompts. Additionally, $P_{sys}$ delineates detailed safety rules about $\#scenario$ and introduces techniques for optimizing defense prompts. Finally, $P_{sys}$ specifies the format for responses from the defender $D$.