
Safety Alignment for Vision Language Models

Zhendong Liu, Yuanbi Nie, Yingshui Tan, Xiangyu Yue, Qiushi Cui, Chongjun Wang, Xiaoyong Zhu, Bo Zheng

TL;DR

This paper tackles the vulnerability of Vision-Language Models to safety breaches through the visual modality. It introduces SafeVLM, a modular safety framework comprising a safety projector, safety tokens, and a safety head, integrated via a two-stage training pipeline to robustly filter risky visual inputs without sacrificing general performance. Empirical results on RTVLM and various risk datasets show SafeVLM achieving strong safety scores, including surpassing GPT-4V on RTVLM, and maintaining competitive performance on standard multimodal benchmarks; LoRA-based LLM unfreezing further amplifies safety gains. The approach emphasizes a native, model-internal safety alignment by leveraging existing vision encoders and enabling flexible risk control during inference, with open-sourcing planned to facilitate adoption. Collectively, SafeVLM advances trustworthy VLM deployment in sensitive domains by reducing safety failures while preserving usability and general capabilities.

Abstract

Benefiting from the powerful capabilities of Large Language Models (LLMs), pre-trained visual encoder models connected to an LLM can realize Vision Language Models (VLMs). However, existing research shows that the visual modality of VLMs is vulnerable: attackers can easily bypass the LLM's safety alignment through visual-modality features to launch attacks. To address this issue, we enhance the visual-modality safety alignment of existing VLMs by adding safety modules, including a safety projector, safety tokens, and a safety head, trained through a two-stage process, which effectively improves the model's defense against risky images. For example, building upon the LLaVA-v1.5 model, we achieve a safety score of 8.26, surpassing GPT-4V on the Red Teaming Visual Language Models (RTVLM) benchmark. Our method boasts ease of use, high flexibility, and strong controllability, and it enhances safety while having minimal impact on the model's general performance. Moreover, our alignment strategy also uncovers some possibly risky content within commonly used open-source multimodal datasets. Our code will be open sourced after the anonymous review.
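As an added illustration (not the paper's code), the following pure-Python sketch shows the inference path the abstract and Figure 1 describe: vision features pass through a safety projector into safety tokens, a safety head scores them, and a safety prompt is mixed into the LLM input only when the score crosses a threshold that can be tuned at inference time. The projector and head weights, the feature dimensions, and the prompt text are all constructed placeholders, not values from the paper.

```python
import math

# Constructed placeholder safety prompt (the paper's actual prompt is not given here).
SAFETY_PROMPT = "[SAFETY] The image may contain unsafe content; refuse or answer cautiously."

# Assumed toy safety projector: maps a 4-dim vision feature to 2 safety tokens of dim 2.
# In the real model these weights are learned in training stage 1; here they are hand-set.
PROJECTOR = [
    [[1.0, 0.0, 0.0, 0.0], [0.0, 1.0, 0.0, 0.0]],  # safety token 0
    [[0.0, 0.0, 1.0, 0.0], [0.0, 0.0, 0.0, 1.0]],  # safety token 1
]
# Assumed toy safety head: logistic regression over the flattened safety tokens.
HEAD_W = [1.0, -1.0, 1.0, -1.0]
HEAD_B = 0.0


def safety_projector(vision_feat):
    """Project a vision feature vector into a list of safety-token vectors."""
    return [[sum(w * x for w, x in zip(row, vision_feat)) for row in token]
            for token in PROJECTOR]


def safety_head(safety_tokens):
    """Return an unsafe-image probability in [0, 1] from the safety tokens."""
    flat = [v for tok in safety_tokens for v in tok]
    z = sum(w * x for w, x in zip(HEAD_W, flat)) + HEAD_B
    return 1.0 / (1.0 + math.exp(-z))


def build_llm_input(vision_feat, user_prompt, threshold=0.5):
    """Conditionally mix the safety prompt into the LLM input.

    `threshold` is the inference-time risk-control knob: raising it makes the
    model intervene less often, lowering it makes it intervene more often.
    """
    tokens = safety_projector(vision_feat)
    risk = safety_head(tokens)
    text = SAFETY_PROMPT + "\n" + user_prompt if risk >= threshold else user_prompt
    return {"risk": risk, "flagged": risk >= threshold,
            "text": text, "safety_tokens": tokens}


if __name__ == "__main__":
    # Constructed sample features: one "unsafe-looking", one "safe-looking".
    for feat in ([2.0, 0.0, 2.0, 0.0], [0.0, 2.0, 0.0, 2.0]):
        out = build_llm_input(feat, "Describe this image.")
        print(f"risk={out['risk']:.3f} flagged={out['flagged']}")
```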

Paper Structure (25 sections, 1 equation, 15 figures, 10 tables)


Figures (15)

  • Figure 1: We conduct SafeVLM through two stages of training: (1) freezing the LLMs while learning safety features and adapting these features to align with LLM input, and (2) unfreezing the LLMs to enhance their understanding of unsafe content. During inference, we conditionally mix safety prompts with original inputs.
  • Figure 2: Example of 10 tasks under Politics, Illegal Risk, Insults and Bullying, Fairness, Privacy, and Misleading categories in the RTVLM benchmark and other unsafe datasets.
  • Figure 3: Selected examples of generation from unsafe images. The content inside the red box is the generated unsafe answer, while the content inside the green box is the safe answer generated by our SafeVLM.
  • Figure 4: t-SNE visualizations depicting the separation of unsafe image features in two-dimensional space. Each subplot corresponds to a distinct combination of feature sets and labels, illustrating differences between original and safe features. After using the safe projector, the features of unsafe images are significantly divided into different clusters.
  • Figure 5: Prediction performance of the safe head.
  • ...and 10 more figures