SpeechGuard: Exploring the Adversarial Robustness of Multimodal Large Language Models

Raghuveer Peri, Sai Muralidhar Jayanthi, Srikanth Ronanki, Anshu Bhatia, Karel Mundnich, Saket Dingliwal, Nilaksh Das, Zejiang Hou, Goeric Huybrechts, Srikanth Vishnubhotla, Daniel Garcia-Romero, Sundararajan Srinivasan, Kyu J Han, Katrin Kirchhoff

TL;DR

SpeechGuard investigates adversarial robustness and jailbreaking risks in integrated speech-language systems used for Spoken QA. It introduces SpeechVerse, a two-stage SpeechGuard framework combining a Conformer audio encoder with backbones such as Flan-T5-XL and Mistral-7B-Instruct, trained via ASR pre-adaptation and cross-modal instruction fine-tuning. The study shows that white-box perturbations can jailbreak safety guardrails with high success, that transfer-based perturbations can cross architectures, and that a simple time-domain noise flooding defense substantially reduces jailbreak effectiveness. Perturbation strength is measured by the signal-to-perturbation ratio, $\mathrm{SPR}(x, x_o) = 10 \log_{10} \left( \frac{\sum_{i=1}^{M} (x_o^i)^2}{\sum_{i=1}^{M} (x^i - x_o^i)^2} \right)$, where $x_o$ is the original and $x$ the perturbed waveform of $M$ samples. These findings establish a practical evaluation framework and guidance for enhancing safety alignment in multimodal, speech-enabled large language systems, highlighting the need for robust defenses and further research into universal attack vectors.
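The SPR metric above in plain Python, paired with a simple noise-flooding step that adds white noise at a chosen SPR so a defender can see how the measurement and the countermeasure relate. This is an added example, not code from the paper; the flooding mechanism (Gaussian noise scaled to a target SPR) is an assumption about what a time-domain noise flooding defense looks like, and the waveforms are constructed.

```python
import math
import random


def spr_db(x, x_o):
    """Signal-to-perturbation ratio in dB as defined in the TL;DR:
    10*log10( sum(x_o^2) / sum((x - x_o)^2) ).  Higher means a quieter
    perturbation relative to the clean signal x_o."""
    assert len(x) == len(x_o), "waveforms must have the same length M"
    signal_energy = sum(v * v for v in x_o)
    pert_energy = sum((a - b) ** 2 for a, b in zip(x, x_o))
    if pert_energy == 0.0:
        return math.inf  # identical waveforms: no perturbation at all
    return 10.0 * math.log10(signal_energy / pert_energy)


def flood_with_noise(x, target_spr_db, seed=0):
    """Assumed time-domain noise flooding: add white Gaussian noise scaled so
    that the result sits at exactly target_spr_db relative to the input x."""
    rng = random.Random(seed)
    noise = [rng.gauss(0.0, 1.0) for _ in x]
    signal_energy = sum(v * v for v in x)
    noise_energy = sum(n * n for n in noise)
    # Choose scale s so that signal_energy / (s^2 * noise_energy) == 10^(target/10)
    scale = math.sqrt(signal_energy / (noise_energy * 10 ** (target_spr_db / 10.0)))
    return [v + scale * n for v, n in zip(x, noise)]


def demo(n_samples=800, pert_amplitude=0.01, flood_spr_db=20.0):
    """Constructed clean tone, a small constructed perturbation on top of it,
    then flooding; returns the SPR before and after flooding, plus the ratio of
    flooding-noise energy to perturbation energy (how badly the fine-grained
    perturbation is swamped by the defense)."""
    clean = [math.sin(2 * math.pi * 440 * i / 16000) for i in range(n_samples)]
    rng = random.Random(1)
    perturbed = [v + pert_amplitude * rng.uniform(-1, 1) for v in clean]
    flooded = flood_with_noise(perturbed, flood_spr_db, seed=2)
    pert_energy = sum((a - b) ** 2 for a, b in zip(perturbed, clean))
    flood_energy = sum((a - b) ** 2 for a, b in zip(flooded, perturbed))
    return {
        "spr_before_flooding": spr_db(perturbed, clean),
        "spr_of_flooding_noise": spr_db(flooded, perturbed),
        "flood_to_perturbation_energy_ratio": flood_energy / pert_energy,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:.2f}")
```

Lowering `flood_spr_db` makes the defense noise louder; the trade-off a deployment has to tune is between masking small perturbations and degrading ASR accuracy on benign speech.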

Abstract

Integrated Speech and Large Language Models (SLMs) that can follow speech instructions and generate relevant text responses have gained popularity lately. However, the safety and robustness of these models remain largely unclear. In this work, we investigate the potential vulnerabilities of such instruction-following speech-language models to adversarial attacks and jailbreaking. Specifically, we design algorithms that can generate adversarial examples to jailbreak SLMs in both white-box and black-box attack settings without human involvement. Additionally, we propose countermeasures to thwart such jailbreaking attacks. Our models, trained on dialog data with speech instructions, achieve state-of-the-art performance on the spoken question-answering task, scoring over 80% on both safety and helpfulness metrics. Despite safety guardrails, experiments on jailbreaking demonstrate the vulnerability of SLMs to adversarial perturbations and transfer attacks, with average attack success rates of 90% and 10% respectively when evaluated on a dataset of carefully designed harmful questions spanning 12 different toxic categories. However, we demonstrate that our proposed countermeasures reduce the attack success significantly.

Paper Structure (38 sections, 2 equations, 5 figures, 13 tables)

Figures (5)

  • Figure 1: Adversarial attacks setup to jailbreak speech language models trained for Spoken QA task. The striped block indicates an optional counter-measure module.
  • Figure 2: Two types of transfer attacks studied: cross-model, and cross-prompt.
  • Figure 3: Block diagram of the SpeechVerse architecture for training Speech Language Models (SLMs) to follow speech instructions and generate textual responses.
  • Figure 4: Graph showing the cumulative % of successful attacks as a plot of the number of iterations required to attack 4 different models.
  • Figure 5: Graph showing the cumulative % of successful attacks as a plot of the number of iterations required to attack the S-FlanT5 model with and without TDNF defense.