Retention Score: Quantifying Jailbreak Risks for Vision Language Models
Zaitang Li, Pin-Yu Chen, Tsung-Yi Ho
TL;DR
The paper tackles jailbreak risks in Vision-Language Models by introducing Retention Score, a multi-modal, margin-based robustness certificate that certifies resistance to toxicity-inducing perturbations. It defines two components, Retention-I for image perturbations and Retention-T for text perturbations, computed via diffusion-based data generation and a toxicity judgment framework, and proves their validity as robustness certificates under $\ell_2$ perturbations. Empirically, Retention Score consistently ranks VLM robustness across open-source models (e.g., MiniGPT-4, InstructBLIP, LLaVA) and black-box APIs (GPT-4V, Gemini Pro Vision), while offering substantial run-time improvements (up to $~30\times$) over traditional jailbreak-attacks. The work reveals that incorporating visual modalities can amplify jailbreak risks and provides a practical, scalable metric for safety evaluation and model-card-style reporting. Overall, Retention Score enables efficient, attack-agnostic robustness assessment of VLMs with broad applicability to both research and deployment contexts. $R_I$ and $R_T$ serve as principled bounds that quantify resilience against adversarial toxicity in multimodal models.$
Abstract
The emergence of Vision-Language Models (VLMs) is a significant advancement in integrating computer vision with Large Language Models (LLMs) to enhance multi-modal machine learning capabilities. However, this progress has also made VLMs vulnerable to sophisticated adversarial attacks, raising concerns about their reliability. The objective of this paper is to assess the resilience of VLMs against jailbreak attacks that can compromise model safety compliance and result in harmful outputs. To evaluate a VLM's ability to maintain its robustness against adversarial input perturbations, we propose a novel metric called the \textbf{Retention Score}. Retention Score is a multi-modal evaluation metric that includes Retention-I and Retention-T scores for quantifying jailbreak risks in visual and textual components of VLMs. Our process involves generating synthetic image-text pairs using a conditional diffusion model. These pairs are then predicted for toxicity score by a VLM alongside a toxicity judgment classifier. By calculating the margin in toxicity scores, we can quantify the robustness of the VLM in an attack-agnostic manner. Our work has four main contributions. First, we prove that Retention Score can serve as a certified robustness metric. Second, we demonstrate that most VLMs with visual components are less robust against jailbreak attacks than the corresponding plain VLMs. Additionally, we evaluate black-box VLM APIs and find that the security settings in Google Gemini significantly affect the score and robustness. Moreover, the robustness of GPT4V is similar to the medium settings of Gemini. Finally, our approach offers a time-efficient alternative to existing adversarial attack methods and provides consistent model robustness rankings when evaluated on VLMs including MiniGPT-4, InstructBLIP, and LLaVA.