Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Red Teaming GPT-4V: Are GPT-4V Safe Against Uni/Multi-Modal Jailbreak Attacks?

Shuo Chen, Zhen Han, Bailan He, Zifeng Ding, Wenqian Yu, Philip Torr, Volker Tresp, Jindong Gu

TL;DR

This paper tackles the challenge of evaluating safety of LLMs and multimodal LLMs against jailbreak attacks. It introduces a comprehensive benchmark with 1445 harmful prompts across 11 safety policies and applies 32 jailbreak methods to 11 models, including GPT-4 and GPT-4V. The results show a substantial robustness gap between GPT-4/4V and open-source models, with visual jailbreak transfers to GPT-4V largely ineffective. The study also finds that visual attacks transfer less well than textual ones and identifies Llama2-7B and Qwen-VL-Chat as relatively robust open-source options. The work provides a public dataset and code, enabling reproducible evaluation and future expansion of multimodal jailbreak defenses.

Abstract

Various jailbreak attacks have been proposed to red-team Large Language Models (LLMs) and revealed the vulnerable safeguards of LLMs. Besides, some methods are not limited to the textual modality and extend the jailbreak attack to Multimodal Large Language Models (MLLMs) by perturbing the visual input. However, the absence of a universal evaluation benchmark complicates the performance reproduction and fair comparison. Besides, there is a lack of comprehensive evaluation of closed-source state-of-the-art (SOTA) models, especially MLLMs, such as GPT-4V. To address these issues, this work first builds a comprehensive jailbreak evaluation dataset with 1445 harmful questions covering 11 different safety policies. Based on this dataset, extensive red-teaming experiments are conducted on 11 different LLMs and MLLMs, including both SOTA proprietary models and open-source models. We then conduct a deep analysis of the evaluated results and find that (1) GPT4 and GPT-4V demonstrate better robustness against jailbreak attacks compared to open-source LLMs and MLLMs. (2) Llama2 and Qwen-VL-Chat are more robust compared to other open-source models. (3) The transferability of visual jailbreak methods is relatively limited compared to textual jailbreak methods. The dataset and code can be found https://github.com/chenxshuo/RedTeamingGPT4V

Red Teaming GPT-4V: Are GPT-4V Safe Against Uni/Multi-Modal Jailbreak Attacks?

TL;DR

This paper tackles the challenge of evaluating safety of LLMs and multimodal LLMs against jailbreak attacks. It introduces a comprehensive benchmark with 1445 harmful prompts across 11 safety policies and applies 32 jailbreak methods to 11 models, including GPT-4 and GPT-4V. The results show a substantial robustness gap between GPT-4/4V and open-source models, with visual jailbreak transfers to GPT-4V largely ineffective. The study also finds that visual attacks transfer less well than textual ones and identifies Llama2-7B and Qwen-VL-Chat as relatively robust open-source options. The work provides a public dataset and code, enabling reproducible evaluation and future expansion of multimodal jailbreak defenses.

Abstract

Various jailbreak attacks have been proposed to red-team Large Language Models (LLMs) and revealed the vulnerable safeguards of LLMs. Besides, some methods are not limited to the textual modality and extend the jailbreak attack to Multimodal Large Language Models (MLLMs) by perturbing the visual input. However, the absence of a universal evaluation benchmark complicates the performance reproduction and fair comparison. Besides, there is a lack of comprehensive evaluation of closed-source state-of-the-art (SOTA) models, especially MLLMs, such as GPT-4V. To address these issues, this work first builds a comprehensive jailbreak evaluation dataset with 1445 harmful questions covering 11 different safety policies. Based on this dataset, extensive red-teaming experiments are conducted on 11 different LLMs and MLLMs, including both SOTA proprietary models and open-source models. We then conduct a deep analysis of the evaluated results and find that (1) GPT4 and GPT-4V demonstrate better robustness against jailbreak attacks compared to open-source LLMs and MLLMs. (2) Llama2 and Qwen-VL-Chat are more robust compared to other open-source models. (3) The transferability of visual jailbreak methods is relatively limited compared to textual jailbreak methods. The dataset and code can be found https://github.com/chenxshuo/RedTeamingGPT4V
Paper Structure (12 sections, 1 equation, 12 tables)

This paper contains 12 sections, 1 equation, 12 tables.

Table of Contents

  1. Introduction
  2. Red Teaming GPT4 Against Jailbreak Attacks
  3. Experimental Setup
  4. Red Teaming against Textual Jailbreak
  5. Red Teaming against Visual Jailbreak
  6. Discussion
  7. Conclusion
  8. Related Work
  9. LLMs and MLLMs used in this study
  10. Dataset Construction
  11. Evaluation Metrics
  12. Additional Experimental Results