Breaking Audio Large Language Models by Attacking Only the Encoder: A Universal Targeted Latent-Space Audio Attack
Roee Ziv, Raz Lapid, Moshe Sipper
TL;DR
The paper addresses security risks in audio-language models by demonstrating a universal, targeted attack that operates solely through reusable audio encoders. It introduces U-TLSA, a gray-box method that learns one perturbation in the waveform space to steer encoder latent representations toward a attacker-chosen target, without gradient access to the decoder. Empirical results on Qwen2-Audio-7B-Instruct across diverse datasets show high cross-domain success rates and substantial efficiency benefits over end-to-end attacks, while random noise fails to trigger targets. The work highlights encoder-level vulnerabilities as a practical attack surface and motivates defenses at the encoder boundary to secure ALLMs in real deployments.
Abstract
Audio-language models combine audio encoders with large language models to enable multimodal reasoning, but they also introduce new security vulnerabilities. We propose a universal targeted latent space attack, an encoder-level adversarial attack that manipulates audio latent representations to induce attacker-specified outputs in downstream language generation. Unlike prior waveform-level or input-specific attacks, our approach learns a universal perturbation that generalizes across inputs and speakers and does not require access to the language model. Experiments on Qwen2-Audio-7B-Instruct demonstrate consistently high attack success rates with minimal perceptual distortion, revealing a critical and previously underexplored attack surface at the encoder level of multimodal systems.
