Arondight: Red Teaming Large Vision Language Models with Auto-generated Multi-modal Jailbreak Prompts
Yi Liu, Chengjun Cai, Xiaoli Zhang, Xingliang Yuan, Cong Wang
TL;DR
The paper tackles safety evaluation for Vision-Language Models (VLMs) by introducing Arondight, a multimodal red-teaming framework designed to uncover vulnerabilities in both image and text inputs. It couples a universal prompt template-driven red-team VLM to generate toxic images with a diversity-driven red-team LLM guided by reinforcement learning, using entropy bonuses, novelty rewards, and correlation metrics to maximize coverage and semantically aligned toxicity. Empirical results across ten VLMs reveal substantial safety gaps, with Arondight achieving high attack success rates on GPT-4 (approximately 84–88%), outperforming prior approaches and exposing alignment weaknesses in current models. The framework offers a structured, automated approach for researchers and developers to audit and strengthen VLM safety, and the authors plan to release a multimodal jailbreak dataset and code following ethical review.
Abstract
Large Vision Language Models (VLMs) extend and enhance the perceptual abilities of Large Language Models (LLMs). Despite offering new possibilities for LLM applications, these advancements raise significant security and ethical concerns, particularly regarding the generation of harmful content. While LLMs have undergone extensive security evaluations with the aid of red teaming frameworks, VLMs currently lack a well-developed one. To fill this gap, we introduce Arondight, a standardized red team framework tailored specifically for VLMs. Arondight is dedicated to resolving issues related to the absence of visual modality and inadequate diversity encountered when transitioning existing red teaming methodologies from LLMs to VLMs. Our framework features an automated multi-modal jailbreak attack, wherein visual jailbreak prompts are produced by a red team VLM, and textual prompts are generated by a red team LLM guided by a reinforcement learning agent. To enhance the comprehensiveness of VLM security evaluation, we integrate entropy bonuses and novelty reward metrics. These elements incentivize the RL agent to guide the red team LLM in creating a wider array of diverse and previously unseen test cases. Our evaluation of ten cutting-edge VLMs exposes significant security vulnerabilities, particularly in generating toxic images and aligning multi-modal prompts. In particular, our Arondight achieves an average attack success rate of 84.5\% on GPT-4 in all fourteen prohibited scenarios defined by OpenAI in terms of generating toxic text. For a clearer comparison, we also categorize existing VLMs based on their safety levels and provide corresponding reinforcement recommendations. Our multimodal prompt dataset and red team code will be released after ethics committee approval. CONTENT WARNING: THIS PAPER CONTAINS HARMFUL MODEL RESPONSES.