Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

ARMs: Adaptive Red-Teaming Agent against Multimodal Models with Plug-and-Play Attacks

Zhaorun Chen, Xun Liu, Mintong Kang, Jiawei Zhang, Minzhou Pan, Shuang Yang, Bo Li

TL;DR

The paper introduces ARMs, an adaptive, multimodal red-teaming agent designed to systematically probe vision-language models (VLMs) for safety vulnerabilities. ARMs combines reasoning-enhanced multi-step attack orchestration with a plug-and-play Model Context Protocol and a diversity-promoting layered memory to generate a wide spectrum of adversarial multimodal inputs conditioned on risk definitions. It also yields ARMs-Bench, a large-scale safety dataset with over 30K red-teaming instances spanning 51 risk categories, plus a robust safety alignment workflow that uses reasoning-based refusals to improve safety finetuning. Across extensive instance- and policy-based evaluations, ARMs achieves state-of-the-art attack success rates and demonstrates significantly higher instance diversity, enabling effective safety evaluation and alignment for evolving multimodal threats. The results underscore the potential of adaptive, multimodal red-teaming to reveal emergent vulnerabilities and guide safer deployment through targeted safety datasets and alignment techniques.

Abstract

As vision-language models (VLMs) gain prominence, their multimodal interfaces also introduce new safety vulnerabilities, making the safety evaluation challenging and critical. Existing red-teaming efforts are either restricted to a narrow set of adversarial patterns or depend heavily on manual engineering, lacking scalable exploration of emerging real-world VLM vulnerabilities. To bridge this gap, we propose ARMs, an adaptive red-teaming agent that systematically conducts comprehensive risk assessments for VLMs. Given a target harmful behavior or risk definition, ARMs automatically optimizes diverse red-teaming strategies with reasoning-enhanced multi-step orchestration, to effectively elicit harmful outputs from target VLMs. We propose 11 novel multimodal attack strategies, covering diverse adversarial patterns of VLMs (e.g., reasoning hijacking, contextual cloaking), and integrate 17 red-teaming algorithms into ARMs via model context protocol (MCP). To balance the diversity and effectiveness of the attack, we design a layered memory with an epsilon-greedy attack exploration algorithm. Extensive experiments on instance- and policy-based benchmarks show that ARMs achieves SOTA attack success rates, exceeding baselines by an average of 52.1% and surpassing 90% on Claude-4-Sonnet. We show that the diversity of red-teaming instances generated by ARMs is significantly higher, revealing emerging vulnerabilities in VLMs. Leveraging ARMs, we construct ARMs-Bench, a large-scale multimodal safety dataset comprising over 30K red-teaming instances spanning 51 diverse risk categories, grounded in both real-world multimodal threats and regulatory risks. Safety fine-tuning with ARMs-Bench substantially improves the robustness of VLMs while preserving their general utility, providing actionable guidance to improve multimodal safety alignment against emerging threats.

ARMs: Adaptive Red-Teaming Agent against Multimodal Models with Plug-and-Play Attacks

TL;DR

The paper introduces ARMs, an adaptive, multimodal red-teaming agent designed to systematically probe vision-language models (VLMs) for safety vulnerabilities. ARMs combines reasoning-enhanced multi-step attack orchestration with a plug-and-play Model Context Protocol and a diversity-promoting layered memory to generate a wide spectrum of adversarial multimodal inputs conditioned on risk definitions. It also yields ARMs-Bench, a large-scale safety dataset with over 30K red-teaming instances spanning 51 risk categories, plus a robust safety alignment workflow that uses reasoning-based refusals to improve safety finetuning. Across extensive instance- and policy-based evaluations, ARMs achieves state-of-the-art attack success rates and demonstrates significantly higher instance diversity, enabling effective safety evaluation and alignment for evolving multimodal threats. The results underscore the potential of adaptive, multimodal red-teaming to reveal emergent vulnerabilities and guide safer deployment through targeted safety datasets and alignment techniques.

Abstract

As vision-language models (VLMs) gain prominence, their multimodal interfaces also introduce new safety vulnerabilities, making the safety evaluation challenging and critical. Existing red-teaming efforts are either restricted to a narrow set of adversarial patterns or depend heavily on manual engineering, lacking scalable exploration of emerging real-world VLM vulnerabilities. To bridge this gap, we propose ARMs, an adaptive red-teaming agent that systematically conducts comprehensive risk assessments for VLMs. Given a target harmful behavior or risk definition, ARMs automatically optimizes diverse red-teaming strategies with reasoning-enhanced multi-step orchestration, to effectively elicit harmful outputs from target VLMs. We propose 11 novel multimodal attack strategies, covering diverse adversarial patterns of VLMs (e.g., reasoning hijacking, contextual cloaking), and integrate 17 red-teaming algorithms into ARMs via model context protocol (MCP). To balance the diversity and effectiveness of the attack, we design a layered memory with an epsilon-greedy attack exploration algorithm. Extensive experiments on instance- and policy-based benchmarks show that ARMs achieves SOTA attack success rates, exceeding baselines by an average of 52.1% and surpassing 90% on Claude-4-Sonnet. We show that the diversity of red-teaming instances generated by ARMs is significantly higher, revealing emerging vulnerabilities in VLMs. Leveraging ARMs, we construct ARMs-Bench, a large-scale multimodal safety dataset comprising over 30K red-teaming instances spanning 51 diverse risk categories, grounded in both real-world multimodal threats and regulatory risks. Safety fine-tuning with ARMs-Bench substantially improves the robustness of VLMs while preserving their general utility, providing actionable guidance to improve multimodal safety alignment against emerging threats.

Paper Structure

This paper contains 47 sections, 3 equations, 17 figures, 28 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Adversarial Patterns against VLMs
  4. Autonomous Red-Teaming Agents for VLMs
  5. ARMs Framework
  6. Preliminaries and Threat Model
  7. Overview of ARMs
  8. Diverse Attack Strategies
  9. Diversity-Enhanced Layered Memory Module
  10. ARMs-Bench: Advanced Safety Dataset for VLMs
  11. Experiment
  12. Experimental Settings
  13. Main Results
  14. Enhancing Multimodal Safety Alignment with ARMs-Bench
  15. Ablation Studies
  16. ...and 32 more sections

Figures (17)

  • Figure 1: Overview of the ARMs agentic framework. Given a risk assessment scenario, ARMs first produces diverse harmful instances either directly from a user-specified behavior or via a controllable, policy-based generator conditioned on the risk definition. It then queries a layered memory to retrieve relevant past experiences via an epsilon-greedy algorithm that balances attack diversity and effectiveness. Then, ARMs reasons and orchestrates multi-step attack strategies from a diverse and plug-and-play MCP-supported library. The crafted adversarial multimodal instances are either refined or used to query target VLMs, whose responses are evaluated by a policy-based judge. If the attack is unsuccessful, ARMs iteratively enhances the attack until success or the query budget is reached.
  • Figure 2: Example of ARMs's policy-based safety evaluation pipeline, compared with existing baseline (e.g. FigStep) on EU AI Act evaluation.
  • Figure 3: Attack success rate (ASR) of different methods on Claude 3.7 by comprehensive risk categories, across instance-based benchmark (StrongReject) and policy-based safety evaluation (EU AI Act, OWASP and FINRA). Higher ASR indicates the model's response is more harmful.
  • Figure 4: Attack success rate (ASR, %) of different methods on various size of InternVL3-series models, across instance-based and policy-based risk assessments.
  • Figure 5: Diversity score of the red-teaming instances generated by different methods on StrongReject.
  • ...and 12 more figures