Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Visual-RolePlay: Universal Jailbreak Attack on MultiModal Large Language Models via Role-playing Image Character

Siyuan Ma, Weidi Luo, Yu Wang, Xiaogeng Liu

TL;DR

This work introduces Visual Role-play (VRP), a universal structure-based jailbreak method for Multimodal LLMs that uses LLM-generated high-risk character descriptions and corresponding images to create a jailbreak image paired with a benign role-play prompt. VRP demonstrates superior attack effectiveness over strong baselines on RedTeam-2K and HarmBench, with notable transferability in universal VRP settings. The approach remains robust against existing defenses and can enhance other jailbreak techniques when combined. The findings highlight a critical safety concern for MLLMs and point to directions for more robust defense mechanisms and safer multimodal reasoning.

Abstract

With the advent and widespread deployment of Multimodal Large Language Models (MLLMs), ensuring their safety has become increasingly critical. To achieve this objective, it requires us to proactively discover the vulnerability of MLLMs by exploring the attack methods. Thus, structure-based jailbreak attacks, where harmful semantic content is embedded within images, have been proposed to mislead the models. However, previous structure-based jailbreak methods mainly focus on transforming the format of malicious queries, such as converting harmful content into images through typography, which lacks sufficient jailbreak effectiveness and generalizability. To address these limitations, we first introduce the concept of "Role-play" into MLLM jailbreak attacks and propose a novel and effective method called Visual Role-play (VRP). Specifically, VRP leverages Large Language Models to generate detailed descriptions of high-risk characters and create corresponding images based on the descriptions. When paired with benign role-play instruction texts, these high-risk character images effectively mislead MLLMs into generating malicious responses by enacting characters with negative attributes. We further extend our VRP method into a universal setup to demonstrate its generalizability. Extensive experiments on popular benchmarks show that VRP outperforms the strongest baseline, Query relevant and FigStep, by an average Attack Success Rate (ASR) margin of 14.3% across all models.

Visual-RolePlay: Universal Jailbreak Attack on MultiModal Large Language Models via Role-playing Image Character

TL;DR

This work introduces Visual Role-play (VRP), a universal structure-based jailbreak method for Multimodal LLMs that uses LLM-generated high-risk character descriptions and corresponding images to create a jailbreak image paired with a benign role-play prompt. VRP demonstrates superior attack effectiveness over strong baselines on RedTeam-2K and HarmBench, with notable transferability in universal VRP settings. The approach remains robust against existing defenses and can enhance other jailbreak techniques when combined. The findings highlight a critical safety concern for MLLMs and point to directions for more robust defense mechanisms and safer multimodal reasoning.

Abstract

With the advent and widespread deployment of Multimodal Large Language Models (MLLMs), ensuring their safety has become increasingly critical. To achieve this objective, it requires us to proactively discover the vulnerability of MLLMs by exploring the attack methods. Thus, structure-based jailbreak attacks, where harmful semantic content is embedded within images, have been proposed to mislead the models. However, previous structure-based jailbreak methods mainly focus on transforming the format of malicious queries, such as converting harmful content into images through typography, which lacks sufficient jailbreak effectiveness and generalizability. To address these limitations, we first introduce the concept of "Role-play" into MLLM jailbreak attacks and propose a novel and effective method called Visual Role-play (VRP). Specifically, VRP leverages Large Language Models to generate detailed descriptions of high-risk characters and create corresponding images based on the descriptions. When paired with benign role-play instruction texts, these high-risk character images effectively mislead MLLMs into generating malicious responses by enacting characters with negative attributes. We further extend our VRP method into a universal setup to demonstrate its generalizability. Extensive experiments on popular benchmarks show that VRP outperforms the strongest baseline, Query relevant and FigStep, by an average Attack Success Rate (ASR) margin of 14.3% across all models.
Paper Structure (20 sections, 1 equation, 1 figure, 7 tables, 1 algorithm)

This paper contains 20 sections, 1 equation, 1 figure, 7 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Works
  3. Methodology
  4. Preliminary
  5. Query-specific Visual Role-play
  6. Universal Visual Role-play
  7. Experiments
  8. Experimental setups..
  9. Main Results
  10. Ablation Study
  11. Defense Analysis
  12. Integrating VRP with Baseline Techniques
  13. Conclusion
  14. Limitation
  15. Future work
  16. ...and 5 more sections

Figures (1)

  • Figure 1: The Pipeline of Query-specific VRP. VRP is a structure-based jailbreak attack via role-playing image characters. When presented with a textual malicious query $Q_i$, VRP proceeds through five steps to generate the adversarial text-image pair $Q^*_i$, which can be written as ($T^*_i$, $I^*_i$). In Step 1, we generate a role description with a Chain Of Thought between the Character Description and Diffusion Prompt. Then in Step 2, we use the Character Description to get Description Typography $I^{kt}_i$ and generate Diffusion Image $I^{t2i}_i$. In Step 3, we obtain the Question Typography $I^{Q}_i$ from $Q_i$. In Step 4, we concatenate $I^{Q}_i$, $I^{kt}_i$, and $I^{t2i}_i$ to get the Image Input $I^*_i$. Finally, in Step 5, we attack MLLMs by instructing $I^*_i$ and Text Input $T^*_i$.