Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Cross-modality Information Check for Detecting Jailbreaking in Multimodal Large Language Models

Yue Xu, Xiuyuan Qi, Zhan Qin, Wenjie Wang

TL;DR

CIDER is a plug‑and‑play detector that protects Multimodal LLMs from optimization-based jailbreaking by exploiting cross‑modal semantic shifts between text queries and perturbed images. It denoises the image modality and uses the relative change in text–image cosine similarity before and after denoising to decide whether an input is adversarial, enabling model-agnostic deployment with minimal inference overhead. The approach achieves strong detection and robustness gains across multiple MLLMs and attacks, with transferability to white-box and black-box settings, while incurring a manageable utility cost on normal tasks. Overall, CIDER advances practical safety for MLLMs by leveraging cross‑modal information and diffusion-based denoising to identify crafted perturbations at the input stage.

Abstract

Multimodal Large Language Models (MLLMs) extend the capacity of LLMs to understand multimodal information comprehensively, achieving remarkable performance in many vision-centric tasks. Despite that, recent studies have shown that these models are susceptible to jailbreak attacks, which refer to an exploitative technique where malicious users can break the safety alignment of the target model and generate misleading and harmful answers. This potential threat is caused by both the inherent vulnerabilities of LLM and the larger attack scope introduced by vision input. To enhance the security of MLLMs against jailbreak attacks, researchers have developed various defense techniques. However, these methods either require modifications to the model's internal structure or demand significant computational resources during the inference phase. Multimodal information is a double-edged sword. While it increases the risk of attacks, it also provides additional data that can enhance safeguards. Inspired by this, we propose Cross-modality Information DEtectoR (CIDER), a plug-and-play jailbreaking detector designed to identify maliciously perturbed image inputs, utilizing the cross-modal similarity between harmful queries and adversarial images. CIDER is independent of the target MLLMs and requires less computation cost. Extensive experimental results demonstrate the effectiveness and efficiency of CIDER, as well as its transferability to both white-box and black-box MLLMs.

Cross-modality Information Check for Detecting Jailbreaking in Multimodal Large Language Models

TL;DR

CIDER is a plug‑and‑play detector that protects Multimodal LLMs from optimization-based jailbreaking by exploiting cross‑modal semantic shifts between text queries and perturbed images. It denoises the image modality and uses the relative change in text–image cosine similarity before and after denoising to decide whether an input is adversarial, enabling model-agnostic deployment with minimal inference overhead. The approach achieves strong detection and robustness gains across multiple MLLMs and attacks, with transferability to white-box and black-box settings, while incurring a manageable utility cost on normal tasks. Overall, CIDER advances practical safety for MLLMs by leveraging cross‑modal information and diffusion-based denoising to identify crafted perturbations at the input stage.

Abstract

Multimodal Large Language Models (MLLMs) extend the capacity of LLMs to understand multimodal information comprehensively, achieving remarkable performance in many vision-centric tasks. Despite that, recent studies have shown that these models are susceptible to jailbreak attacks, which refer to an exploitative technique where malicious users can break the safety alignment of the target model and generate misleading and harmful answers. This potential threat is caused by both the inherent vulnerabilities of LLM and the larger attack scope introduced by vision input. To enhance the security of MLLMs against jailbreak attacks, researchers have developed various defense techniques. However, these methods either require modifications to the model's internal structure or demand significant computational resources during the inference phase. Multimodal information is a double-edged sword. While it increases the risk of attacks, it also provides additional data that can enhance safeguards. Inspired by this, we propose Cross-modality Information DEtectoR (CIDER), a plug-and-play jailbreaking detector designed to identify maliciously perturbed image inputs, utilizing the cross-modal similarity between harmful queries and adversarial images. CIDER is independent of the target MLLMs and requires less computation cost. Extensive experimental results demonstrate the effectiveness and efficiency of CIDER, as well as its transferability to both white-box and black-box MLLMs.
Paper Structure (19 sections, 5 equations, 9 figures, 5 tables, 1 algorithm)

This paper contains 19 sections, 5 equations, 9 figures, 5 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Intuition: Cross-modality information is a double-edged sword
  3. Preliminaries: Optimization-based Jailbreak Attacks on MLLMs
  4. Experimental Setup
  5. Findings
  6. Method
  7. Overview
  8. Threshold selection
  9. Experiment
  10. Configurations
  11. Effectiveness
  12. Efficiency
  13. Robustness-utility trade-off
  14. Ablation study on denoising method
  15. Generalization
  16. ...and 4 more sections

Figures (9)

  • Figure 1: The architecture of a typical MLLM.
  • Figure 2: The workflow of safeguarding MLLM against jailbreak attacks via CIDER.
  • Figure 3: Experimental result. (a) The distribution of the difference between clean and adversarial images regarding their cos-sim with harmful queries. (b) The distribution of cos-sim between harmful queries and clean/adversarial images. (c) The change of the cos-sim during denoising. (d) The distribution of $\Delta$cos-sim before and after denoising of clean/adversarial images.
  • Figure 4: TPR-FPR trade-off on validation set.
  • Figure 5: ASR of base MLLM, defending with CIDER and defending with Jailguard
  • ...and 4 more figures