MLLMGuard: A Multi-dimensional Safety Evaluation Suite for Multimodal Large Language Models

TL;DR

MLLMGuard introduces a multidimensional, bilingual safety evaluation suite for multimodal LLMs, addressing gaps in existing benchmarks by emphasizing adversarial data, open-ended assessment, and cross-language coverage. It pairs a comprehensive dataset with GuardRank, a lightweight automatic evaluator that outperforms GPT-4V in safety scoring, enabling scalable, cost-effective evaluation across five safety dimensions. Across 13 state-of-the-art MLLMs, the study exposes substantial safety gaps and nuances in how alignment, model choice, and scaling affect safety. The work offers practical tools for rigorous safety testing and insights for improving the robustness of vision-language models in real-world use.

Abstract

Powered by remarkable advancements in Large Language Models (LLMs), Multimodal Large Language Models (MLLMs) demonstrate impressive capabilities in manifold tasks. However, the practical application scenarios of MLLMs are intricate, exposing them to potential malicious instructions and thereby posing safety risks. While current benchmarks do incorporate certain safety considerations, they often lack comprehensive coverage and fail to exhibit the necessary rigor and robustness. For instance, the common practice of employing GPT-4V as both the evaluator and a model to be evaluated lacks credibility, as it tends to exhibit a bias toward its own responses. In this paper, we present MLLMGuard, a multidimensional safety evaluation suite for MLLMs, including a bilingual image-text evaluation dataset, inference utilities, and a lightweight evaluator. MLLMGuard's assessment comprehensively covers two languages (English and Chinese) and five important safety dimensions (Privacy, Bias, Toxicity, Truthfulness, and Legality), each with corresponding rich subtasks. Focusing on these dimensions, our evaluation dataset is primarily sourced from platforms such as social media, and it integrates text-based and image-based red teaming techniques with meticulous annotation by human experts. This can prevent inaccurate evaluation caused by data leakage when using open-source datasets and ensures the quality and challenging nature of our benchmark. Additionally, a fully automated lightweight evaluator termed GuardRank is developed, which achieves significantly higher evaluation accuracy than GPT-4. Our evaluation results across 13 advanced models indicate that MLLMs still have a substantial journey ahead before they can be considered safe and responsible.

Figures (18)

• Figure 1: Workflow of MLLMGuard, including creating dataset through manual construction, evaluation on MLLMGuard and scoring with human and GuardRank.
• Figure 2: Results on Truthfulness. (a) presents the ASD of MLLMs under various red teaming techniques on Truthfulness. (b) and (d) further display the ASD results on 2 red teaming techniques, i.e., Non-existent Query and Noise Injection. (c) provides the frequency of MLLMs selecting A/B/No Answer under the Position Swapping. Specifically, we experimented on both open-ended prompts and transferred multiple choice questions on Non-existent Query.
• Figure 3: ASD ($\downarrow$) of MLLMs with different alignment stage.
• Figure 4: ASD ($\downarrow$) of MLLMs with different LLM component.
• Figure 5: PAR ($\uparrow$) of MLLMs on different parameter size.