Table of Contents
Fetching ...

Crafting Adversarial Inputs for Large Vision-Language Models Using Black-Box Optimization

Jiwei Guan, Haibo Jin, Haohan Wang

TL;DR

The paper addresses the vulnerability of LVLMs to jailbreak attacks in black-box settings and introduces ZO-SPSA, a gradient-free, zeroth-order optimization method that estimates gradients from input–output interactions. It formulates the attack under a black-box threat model with an $ extit{l}_ ext{inf}$ perturbation budget and uses PGD to constrain adversarial inputs, achieving strong jailbreak performance on three LVLMs with ASR up to 83% and notable cross-model transferability (e.g., 64.18% toxicity transfer to MiniGPT-4). Experiments on AdvBench, VAJA, and RealToxicityPrompts demonstrate substantial toxicity increases in generated outputs under automated toxicity evaluators, with improvements in transferability when using MiniGPT-4 as a surrogate. While ZO-SPSA reduces memory requirements compared to white-box methods, it incurs longer optimization times, underscoring practical security risks and the need for defensive strategies against black-box adversarial attacks.

Abstract

Recent advancements in Large Vision-Language Models (LVLMs) have shown groundbreaking capabilities across diverse multimodal tasks. However, these models remain vulnerable to adversarial jailbreak attacks, where adversaries craft subtle perturbations to bypass safety mechanisms and trigger harmful outputs. Existing white-box attacks methods require full model accessibility, suffer from computing costs and exhibit insufficient adversarial transferability, making them impractical for real-world, black-box settings. To address these limitations, we propose a black-box jailbreak attack on LVLMs via Zeroth-Order optimization using Simultaneous Perturbation Stochastic Approximation (ZO-SPSA). ZO-SPSA provides three key advantages: (i) gradient-free approximation by input-output interactions without requiring model knowledge, (ii) model-agnostic optimization without the surrogate model and (iii) lower resource requirements with reduced GPU memory consumption. We evaluate ZO-SPSA on three LVLMs, including InstructBLIP, LLaVA and MiniGPT-4, achieving the highest jailbreak success rate of 83.0% on InstructBLIP, while maintaining imperceptible perturbations comparable to white-box methods. Moreover, adversarial examples generated from MiniGPT-4 exhibit strong transferability to other LVLMs, with ASR reaching 64.18%. These findings underscore the real-world feasibility of black-box jailbreaks and expose critical weaknesses in the safety mechanisms of current LVLMs

Crafting Adversarial Inputs for Large Vision-Language Models Using Black-Box Optimization

TL;DR

The paper addresses the vulnerability of LVLMs to jailbreak attacks in black-box settings and introduces ZO-SPSA, a gradient-free, zeroth-order optimization method that estimates gradients from input–output interactions. It formulates the attack under a black-box threat model with an perturbation budget and uses PGD to constrain adversarial inputs, achieving strong jailbreak performance on three LVLMs with ASR up to 83% and notable cross-model transferability (e.g., 64.18% toxicity transfer to MiniGPT-4). Experiments on AdvBench, VAJA, and RealToxicityPrompts demonstrate substantial toxicity increases in generated outputs under automated toxicity evaluators, with improvements in transferability when using MiniGPT-4 as a surrogate. While ZO-SPSA reduces memory requirements compared to white-box methods, it incurs longer optimization times, underscoring practical security risks and the need for defensive strategies against black-box adversarial attacks.

Abstract

Recent advancements in Large Vision-Language Models (LVLMs) have shown groundbreaking capabilities across diverse multimodal tasks. However, these models remain vulnerable to adversarial jailbreak attacks, where adversaries craft subtle perturbations to bypass safety mechanisms and trigger harmful outputs. Existing white-box attacks methods require full model accessibility, suffer from computing costs and exhibit insufficient adversarial transferability, making them impractical for real-world, black-box settings. To address these limitations, we propose a black-box jailbreak attack on LVLMs via Zeroth-Order optimization using Simultaneous Perturbation Stochastic Approximation (ZO-SPSA). ZO-SPSA provides three key advantages: (i) gradient-free approximation by input-output interactions without requiring model knowledge, (ii) model-agnostic optimization without the surrogate model and (iii) lower resource requirements with reduced GPU memory consumption. We evaluate ZO-SPSA on three LVLMs, including InstructBLIP, LLaVA and MiniGPT-4, achieving the highest jailbreak success rate of 83.0% on InstructBLIP, while maintaining imperceptible perturbations comparable to white-box methods. Moreover, adversarial examples generated from MiniGPT-4 exhibit strong transferability to other LVLMs, with ASR reaching 64.18%. These findings underscore the real-world feasibility of black-box jailbreaks and expose critical weaknesses in the safety mechanisms of current LVLMs
Paper Structure (6 sections, 3 equations, 3 figures, 10 tables, 1 algorithm)

This paper contains 6 sections, 3 equations, 3 figures, 10 tables, 1 algorithm.

Figures (3)

  • Figure 1: Comparison between gradient-based attack and our proposed gradient-free attack on LLaVA and MiniGPT-4 under the same input.
  • Figure 2: Box-plot of ZO-SPSA optimization losses across various LVLMs using AdvBench and VAJA datasets.
  • Figure 3: Visualization of ZO-SPSA attack to craft the clean image to adversarial image (Adv denotes adversarial. (a) shows the clean input image. (b) presents the optimized perturbation under an $\ell_\infty$ constraint of $\epsilon = 32$ with 50,000 iterations and (c) displays the adversarial image.