
RapGuard: Safeguarding Multimodal Large Language Models via Rationale-aware Defensive Prompting

Yilei Jiang, Yingshui Tan, Xiangyu Yue

TL;DR

The proposed RapGuard is a novel framework that uses multimodal chain-of-thought reasoning to dynamically generate scenario-specific safety prompts, effectively mitigating harmful outputs while maintaining high performance on benign tasks.

Abstract

While Multimodal Large Language Models (MLLMs) have made remarkable progress in vision-language reasoning, they are also more susceptible to producing harmful content compared to models that focus solely on text. Existing defensive prompting techniques rely on a static, unified safety guideline that fails to account for the specific risks inherent in different multimodal contexts. To address these limitations, we propose RapGuard, a novel framework that uses multimodal chain-of-thought reasoning to dynamically generate scenario-specific safety prompts. RapGuard enhances safety by adapting its prompts to the unique risks of each input, effectively mitigating harmful outputs while maintaining high performance on benign tasks. Our experimental results across multiple MLLM benchmarks demonstrate that RapGuard achieves state-of-the-art safety performance, significantly reducing harmful content without degrading the quality of responses.
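The abstract describes a two-stage inference pipeline: the model first produces a safety-aware rationale for the specific image-text pair, and that rationale is then used to assemble an input-specific defensive prompt from predefined safety rules (Figures 1 and 3). The harness below is an added example reconstructing that pipeline shape so that it can be compared against vanilla inference and a static prepended guideline; it is not the authors' code. The rule set `SAFETY_RULES`, the prompt wording, and `stand_in_model` (a keyword-matching toy that only honours a rule spelled out for the scenario at hand, mirroring the assumption in Figure 2) are all constructed for this example, and a text description stands in for the image a real MLLM would receive.

```python
"""Rationale-aware defensive prompting harness.

Added example reconstructing the pipeline shape of Figure 1 and Figure 3
(rationale first, then an input-specific defensive prompt assembled from
predefined rules); not the authors' code. SAFETY_RULES, the prompt wording
and stand_in_model are constructed for this example; a real MLLM takes an
image, which `image` (a text description) stands in for here.
"""
from typing import Callable, Dict, List

# Any (image, prompt) -> response callable can be plugged in as the model.
Model = Callable[[str, str], str]

RATIONALE_HEADER = "[SAFETY RATIONALE]"

# Static defensive prompt: one guideline prepended to every input (Figure 1, middle).
STATIC_DEFENSE = ("As a responsible assistant, you must not produce harmful, "
                  "illegal or unethical content. ")

# Predefined, scenario-specific rules (constructed; the paper's rule set is not on this page).
SAFETY_RULES: Dict[str, str] = {
    "medical": "Do not give dosages or treatment plans; direct the user to a clinician.",
    "minors_and_alcohol": "Do not assist with anything that pairs minors with alcohol.",
}


def rationale_prompt(text: str) -> str:
    """Stage 1: ask the model to reason about the image-text combination."""
    return (f"{RATIONALE_HEADER} Look at the image and the request below. Name every "
            "safety risk created by the combination of image and text, or say 'none'.\n"
            f"Request: {text}")


def defensive_prompt(rationale: str, text: str) -> str:
    """Stage 2: build the adaptive prompt from only the rules the rationale names."""
    active = [rule for name, rule in SAFETY_RULES.items() if name in rationale]
    if not active:
        return text  # benign input: no defensive text, so benign behaviour is untouched
    rules = "\n".join(f"- {rule}" for rule in active)
    return (f"Safety rationale for this input: {rationale}\n"
            f"Apply these rules when answering:\n{rules}\nRequest: {text}")


def vanilla(model: Model, image: str, text: str) -> str:
    return model(image, text)


def static_defense(model: Model, image: str, text: str) -> str:
    return model(image, STATIC_DEFENSE + text)


def rapguard_style(model: Model, image: str, text: str) -> str:
    rationale = model(image, rationale_prompt(text))
    return model(image, defensive_prompt(rationale, text))


def compare(model: Model, image: str, text: str) -> Dict[str, str]:
    return {
        "vanilla": vanilla(model, image, text),
        "static": static_defense(model, image, text),
        "rationale": rapguard_style(model, image, text),
    }


# ---- constructed stand-in for an MLLM so the harness runs offline ----------
def detect_risks(image: str, text: str) -> List[str]:
    """Keyword spotting that stands in for the model's multimodal reasoning."""
    s = f"{image} {text}".lower()
    risks = []
    if any(w in s for w in ("pill", "dose", "medication")):
        risks.append("medical")
    minor = any(w in s for w in ("child", "kid", "minor"))
    alcohol = any(w in s for w in ("beer", "wine", "vodka", "alcohol"))
    if minor and alcohol:
        risks.append("minors_and_alcohol")
    return risks


def stand_in_model(image: str, prompt: str) -> str:
    """Toy model encoding the assumption behind Figure 2: it only honours a rule
    that is spelled out for the scenario at hand, not a generic guideline."""
    request = prompt.rsplit("Request: ", 1)[-1]
    risks = detect_risks(image, request)
    if prompt.startswith(RATIONALE_HEADER):
        return "Risks: " + (", ".join(risks) if risks else "none")
    if any(SAFETY_RULES[r] in prompt for r in risks):
        return "I can't help with that."
    return "Sure: " + request


if __name__ == "__main__":
    # Constructed inputs: an unsafe image-text relation, then a benign pair.
    party = ("a birthday party with several children at the table",
             "Which wine should I pour for everyone here?")
    fruit = ("a bowl of fruit on a kitchen counter", "Suggest a recipe.")
    for image, text in (party, fruit):
        print(text, compare(stand_in_model, image, text))
```

With the constructed inputs, vanilla and static defence both answer the party request because the text alone carries no harmful keyword, while the rationale path flags the children-plus-wine relation and assembles a prompt that makes the stand-in refuse; the benign fruit request passes through every path unchanged, which is the property the abstract claims for benign tasks. Swapping `stand_in_model` for a real MLLM client keeps the prompt-construction logic, which is the part of the pipeline this example is meant to show.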


Paper Structure

This paper contains 17 sections, 5 equations, 6 figures, 4 tables.

Figures (6)

  • Figure 1: Comparisons of Different Multimodal LLM Inference Methods. Top: the vanilla MLLM inference pipeline. Middle: MLLM inference pipeline with a static defensive prompt prepended to the original text input. Bottom: MLLM inference pipeline equipped with RapGuard (ours). RapGuard first generates a safety-aware rationale and uses it to adaptively generate a defensive prompt, which achieves superior safeguard performance compared to previous methods.
  • Figure 2: Illustration of Limitations in Static Defensive Prompts. (a) Scenario-Specific Risks: static prompts ignore context (e.g., medical advice), leading to unsafe responses, while scenario-specific prompts ensure appropriate guidance. (b) Multimodal Safe Relations: static prompts miss unsafe image-text combinations (e.g., a child and alcohol), whereas relation-aware prompts detect and address these risks.
  • Figure 3: Pipeline of the proposed RapGuard approach. The original multimodal inputs, consisting of textual and visual content, are integrated with predefined safety rules to formulate a defense prompt. This prompt guides the model in generating safe responses.
  • Figure 4: Performance comparison on the VLSafe dataset across different safety reasoning approaches. Different MLLMs are chosen as base models for testing to achieve comprehensive results. Among all reasoning methods, RapGuard (ours) consistently achieves the highest scores.
  • Figure 5: Harmless rates on MM-SafetyBench (SD+OCR) for the CogVLM-chat-v1.1, MiniGPT-v2, ShareGPT-4V-7B, and Qwen-VL-Chat. Yellow, blue, green, and red shades represent the harmless rates when querying MLLMs using the Vanilla model, ECSO, AdaShield, and RapGuard, respectively.
  • ...and 1 more figure