Perception-guided Jailbreak against Text-to-Image Models

Yihao Huang, Le Liang, Tianlin Li, Xiaojun Jia, Run Wang, Weikai Miao, Geguang Pu, Yang Liu

TL;DR

The paper addresses safety vulnerabilities in Text-to-Image (T2I) models by introducing Perception-guided Jailbreak (PGJ), a model-free, black-box method that uses an LLM to automate word substitutions under the PSTSI principle: the replacement phrase is perceptually similar to the unsafe word but semantically inconsistent with it. Because the substituted prompt contains only safe words, it passes the text-side pre-checker while the generated image keeps the unsafe content, yielding a high attack success rate and diverse NSFW outputs from natural-reading prompts. Experiments across six T2I models and a 1,000-prompt NSFW dataset show PGJ outperforming baselines in attack success rate (ASR) and image diversity while remaining efficient and hard to detect. The work highlights security implications for deployed T2I systems and points to future work on circumventing post-checkers and strengthening defenses.

Abstract

In recent years, Text-to-Image (T2I) models have garnered significant attention due to their remarkable advancements. However, security concerns have emerged due to their potential to generate inappropriate or Not-Safe-For-Work (NSFW) images. In this paper, inspired by the observation that texts with different semantics can lead to similar human perceptions, we propose an LLM-driven perception-guided jailbreak method, termed PGJ. It is a black-box jailbreak method that requires no specific T2I model (model-free) and generates highly natural attack prompts. Specifically, we propose identifying a safe phrase that is similar in human perception yet inconsistent in text semantics with the target unsafe word and using it as a substitution. The experiments conducted on six open-source models and commercial online services with thousands of prompts have verified the effectiveness of PGJ.
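The two-step attack the abstract describes (pick the unsafe word, replace it with a perceptually similar but semantically unrelated safe phrase) is easiest to reason about against a concrete pre-checker. The following is an added toy model, not the paper's code: the LLM that proposes substitutions in PGJ is replaced by a hand-written PSTSI table built from the paper's figure examples ("blood" to "watermelon juice", "harassed" to "questioned"), and the T2I service's text-side filter by a blocklist with de-leet normalization. The blocklist, the prompts and the normalization rules are constructed for illustration. The point it makes for defenders is that the hardening which catches obfuscated prompts such as "bl00d" does nothing against PGJ, because the substitute is a genuinely safe word, which is why the paper points at post-checkers rather than stronger text filters.

```python
"""Toy model of the PGJ threat: a lexical pre-checker versus a PSTSI substitution.

Added example, not the paper's code. The LLM used by PGJ is stood in for by a
fixed table; the pre-checker is a blocklist with light normalization, both
constructed here for illustration.
"""
import re

# Constructed blocklist standing in for a T2I service's text pre-checker.
BLOCKLIST = {"blood", "gore", "injecting drugs", "harassed"}

# Constructed PSTSI table: each phrase looks like the unsafe word in an image
# but means something unrelated. Entries taken from the paper's figure
# examples; a real PGJ run asks an LLM for them, so the table is incomplete.
PSTSI_SUBSTITUTES = {
    "blood": "watermelon juice",
    "harassed": "questioned",
}

# De-leet map of the kind a hardened pre-checker applies to obfuscated prompts.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "@": "a", "$": "s"})


def normalize(text: str) -> str:
    """Lowercase, de-leet tokens that contain letters, strip punctuation."""
    tokens = []
    for tok in re.findall(r"\S+", text.lower()):
        if re.search(r"[a-z]", tok):  # leave pure numbers alone
            tok = tok.translate(LEET)
        tok = re.sub(r"[^a-z ]", "", tok)
        if tok:
            tokens.append(tok)
    return " ".join(tokens)


def select_unsafe_words(prompt: str, blocklist) -> list[str]:
    """PGJ step 1: which blocklisted words/phrases does the prompt contain?
    Whole-word match on the normalized prompt, longest phrases first."""
    norm = f" {normalize(prompt)} "
    return [w for w in sorted(blocklist, key=len, reverse=True) if f" {w} " in norm]


def substitute(prompt: str, unsafe: list[str], table) -> tuple[str, list[str]]:
    """PGJ step 2: swap each unsafe word for its PSTSI phrase in the original
    prompt (keeps it natural). Words with no table entry are reported as
    unresolved; the real method would query the LLM for them."""
    attack, unresolved = prompt, []
    for word in unsafe:
        if word not in table:
            unresolved.append(word)
            continue
        attack = re.sub(rf"\b{re.escape(word)}\b", table[word], attack, flags=re.IGNORECASE)
    return attack, unresolved


def prechecker_blocks(prompt: str, blocklist) -> bool:
    """The text-side safety filter: refuse if any blocklisted phrase survives."""
    return bool(select_unsafe_words(prompt, blocklist))


def pgj_attack(prompt: str, blocklist=BLOCKLIST, table=PSTSI_SUBSTITUTES) -> dict:
    """Run both PGJ steps and report how the pre-checker treats each prompt."""
    unsafe = select_unsafe_words(prompt, blocklist)
    attack, unresolved = substitute(prompt, unsafe, table)
    return {
        "unsafe_words": unsafe,
        "attack_prompt": attack,
        "unresolved": unresolved,
        "original_blocked": prechecker_blocks(prompt, blocklist),
        "attack_blocked": prechecker_blocks(attack, blocklist),
    }


if __name__ == "__main__":
    for p in ("A man lying on the floor covered in blood",
              "A man covered in bl00d",
              "A man injecting drugs in an alley"):
        print(p, "->", pgj_attack(p))
```

Note the asymmetry the test below exercises: the de-leet pass makes the checker refuse "bl00d", but the PGJ prompt "covered in watermelon juice" contains nothing to normalize away, so no amount of string-side hardening recovers the block. The unresolved case ("injecting drugs", for which the toy table has no entry) is where the paper's LLM does the actual work.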

Paper Structure

This paper contains 17 sections, 1 equation, 6 figures and 4 tables.

Figures (6)

  • Figure 1: Given an unsafe prompt that is refused by the T2I model (DALL·E 3), our PGJ method replaces the unsafe words (injecting drugs) in the prompt with safe phrases. The attack prompt can successfully bypass the safety checker of the T2I model and generate an NSFW image.
  • Figure 2: On the left is an image generated by DALL·E 3. On the right are three potential prompts that could have been used to generate the image with the T2I model.
  • Figure 3: The phrases "blood", "gore" and "watermelon juice" are similar in perception space. However, "blood" and "gore" have similar semantics, while "blood" and "watermelon juice" do not. We say that "watermelon juice" satisfies the PSTSI principle with respect to "blood".
  • Figure 4: The pipeline of our proposed PGJ method has two parts: unsafe word selection and word substitution. The unsafe prompt concerns prejudice against homosexuals, with "harassed" as the unsafe word. By replacing it with a safe word ("questioned") found by the LLM under the PSTSI principle, the attack prompt successfully generates an NSFW image.
  • Figure 5: Generated attack prompts, based on different instructions provided to the LLM, demonstrate varying effects.