Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

FORCE: Transferable Visual Jailbreaking Attacks via Feature Over-Reliance CorrEction

Runqi Lin, Alasdair Paren, Suqin Yuan, Muyang Li, Philip Torr, Adel Bibi, Tongliang Liu

TL;DR

A Feature Over-Reliance CorrEction (FORCE) method, which guides the attack to explore broader feasible regions across layer features and rescales the influence of frequency features according to their semantic content, thereby improving cross-model transferability.

Abstract

The integration of new modalities enhances the capabilities of multimodal large language models (MLLMs) but also introduces additional vulnerabilities. In particular, simple visual jailbreaking attacks can manipulate open-source MLLMs more readily than sophisticated textual attacks. However, these underdeveloped attacks exhibit extremely limited cross-model transferability, failing to reliably identify vulnerabilities in closed-source MLLMs. In this work, we analyse the loss landscape of these jailbreaking attacks and find that the generated attacks tend to reside in high-sharpness regions, whose effectiveness is highly sensitive to even minor parameter changes during transfer. To further explain the high-sharpness localisations, we analyse their feature representations in both the intermediate layers and the spectral domain, revealing an improper reliance on narrow layer representations and semantically poor frequency components. Building on this, we propose a Feature Over-Reliance CorrEction (FORCE) method, which guides the attack to explore broader feasible regions across layer features and rescales the influence of frequency features according to their semantic content. By eliminating non-generalizable reliance on both layer and spectral features, our method discovers flattened feasible regions for visual jailbreaking attacks, thereby improving cross-model transferability. Extensive experiments demonstrate that our approach effectively facilitates visual red-teaming evaluations against closed-source MLLMs.

FORCE: Transferable Visual Jailbreaking Attacks via Feature Over-Reliance CorrEction

TL;DR

A Feature Over-Reliance CorrEction (FORCE) method, which guides the attack to explore broader feasible regions across layer features and rescales the influence of frequency features according to their semantic content, thereby improving cross-model transferability.

Abstract

The integration of new modalities enhances the capabilities of multimodal large language models (MLLMs) but also introduces additional vulnerabilities. In particular, simple visual jailbreaking attacks can manipulate open-source MLLMs more readily than sophisticated textual attacks. However, these underdeveloped attacks exhibit extremely limited cross-model transferability, failing to reliably identify vulnerabilities in closed-source MLLMs. In this work, we analyse the loss landscape of these jailbreaking attacks and find that the generated attacks tend to reside in high-sharpness regions, whose effectiveness is highly sensitive to even minor parameter changes during transfer. To further explain the high-sharpness localisations, we analyse their feature representations in both the intermediate layers and the spectral domain, revealing an improper reliance on narrow layer representations and semantically poor frequency components. Building on this, we propose a Feature Over-Reliance CorrEction (FORCE) method, which guides the attack to explore broader feasible regions across layer features and rescales the influence of frequency features according to their semantic content. By eliminating non-generalizable reliance on both layer and spectral features, our method discovers flattened feasible regions for visual jailbreaking attacks, thereby improving cross-model transferability. Extensive experiments demonstrate that our approach effectively facilitates visual red-teaming evaluations against closed-source MLLMs.

Paper Structure

This paper contains 23 sections, 7 equations, 12 figures, 9 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Related Work
  3. Methodology
  4. Loss Landscape of Visual Jailbreaking Attack
  5. Features Representations on Different Layers
  6. Influence of Different Frequency Features
  7. Feature Over-Reliance CorrEction Method
  8. Experiment
  9. Experimental Setups
  10. Performance Evaluation
  11. Ablation Study
  12. Generation Costs
  13. Conclusion
  14. Feature Interpolation Between Visual Jailbreaking Attacks
  15. Universality of Early-layer Dependency
  16. ...and 8 more sections

Figures (12)

  • Figure 1: Schematic illustration of the generation and transfer of optimisation-based visual jailbreaking attacks, as well as the feasible regions of such attacks in the input space.
  • Figure 2: The input (left) and weight (right) loss landscape of the visual jailbreaking attack. The blue and yellow points correspond to successful and failed examples on the source MLLM, respectively.
  • Figure 3: Feasible regions between jailbreaking and natural examples across different layers’ features. The blue and yellow points correspond to successful and failed examples on the source MLLM.
  • Figure 4: The influence of different frequency bands on the effectiveness of visual jailbreaking attacks throughout the optimisation process. The blue and yellow points correspond to successful and failed examples on the source MLLM, respectively.
  • Figure 5: Feasible regions between FORCE-generated visual jailbreaking example and natural examples across different layers’ features. The blue and yellow points correspond to successful and failed examples on the source MLLM, respectively.
  • ...and 7 more figures