Table of Contents
Fetching ...

Multi-turn Jailbreaking Attack in Multi-Modal Large Language Models

Badhan Chandra Das, Md Tasnim Jawad, Joaquin Molto, M. Hadi Amini, Yanzhao Wu

TL;DR

The paper tackles security vulnerabilities in multi-modal large language models by introducing a multi-turn jailbreaking framework (MJAD-MLLM) and a fragment-based defense (FragGuard). It demonstrates that multi-turn prompting markedly increases jailbreaking success and shows that FragGuard, which fragments outputs and uses multiple LLMs to assess toxicity, substantially mitigates risk without harming benign tasks. Extensive experiments across open-source and closed-source MLLMs on the MM-SafetyBench dataset reveal high attack success rates and significant defense gains, with quantitative evidence comparing to existing baselines. The work provides practical implications for improving MLLM safety in real-world deployments and proposes transferable defense mechanisms applicable to other modalities.

Abstract

In recent years, the security vulnerabilities of Multi-modal Large Language Models (MLLMs) have become a serious concern in the Generative Artificial Intelligence (GenAI) research. These highly intelligent models, capable of performing multi-modal tasks with high accuracy, are also severely susceptible to carefully launched security attacks, such as jailbreaking attacks, which can manipulate model behavior and bypass safety constraints. This paper introduces MJAD-MLLMs, a holistic framework that systematically analyzes the proposed Multi-turn Jailbreaking Attacks and multi-LLM-based defense techniques for MLLMs. In this paper, we make three original contributions. First, we introduce a novel multi-turn jailbreaking attack to exploit the vulnerabilities of the MLLMs under multi-turn prompting. Second, we propose a novel fragment-optimized and multi-LLM defense mechanism, called FragGuard, to effectively mitigate jailbreaking attacks in the MLLMs. Third, we evaluate the efficacy of the proposed attacks and defenses through extensive experiments on several state-of-the-art (SOTA) open-source and closed-source MLLMs and benchmark datasets, and compare their performance with the existing techniques.

Multi-turn Jailbreaking Attack in Multi-Modal Large Language Models

TL;DR

The paper tackles security vulnerabilities in multi-modal large language models by introducing a multi-turn jailbreaking framework (MJAD-MLLM) and a fragment-based defense (FragGuard). It demonstrates that multi-turn prompting markedly increases jailbreaking success and shows that FragGuard, which fragments outputs and uses multiple LLMs to assess toxicity, substantially mitigates risk without harming benign tasks. Extensive experiments across open-source and closed-source MLLMs on the MM-SafetyBench dataset reveal high attack success rates and significant defense gains, with quantitative evidence comparing to existing baselines. The work provides practical implications for improving MLLM safety in real-world deployments and proposes transferable defense mechanisms applicable to other modalities.

Abstract

In recent years, the security vulnerabilities of Multi-modal Large Language Models (MLLMs) have become a serious concern in the Generative Artificial Intelligence (GenAI) research. These highly intelligent models, capable of performing multi-modal tasks with high accuracy, are also severely susceptible to carefully launched security attacks, such as jailbreaking attacks, which can manipulate model behavior and bypass safety constraints. This paper introduces MJAD-MLLMs, a holistic framework that systematically analyzes the proposed Multi-turn Jailbreaking Attacks and multi-LLM-based defense techniques for MLLMs. In this paper, we make three original contributions. First, we introduce a novel multi-turn jailbreaking attack to exploit the vulnerabilities of the MLLMs under multi-turn prompting. Second, we propose a novel fragment-optimized and multi-LLM defense mechanism, called FragGuard, to effectively mitigate jailbreaking attacks in the MLLMs. Third, we evaluate the efficacy of the proposed attacks and defenses through extensive experiments on several state-of-the-art (SOTA) open-source and closed-source MLLMs and benchmark datasets, and compare their performance with the existing techniques.
Paper Structure (20 sections, 13 equations, 12 figures, 7 tables)

This paper contains 20 sections, 13 equations, 12 figures, 7 tables.

Figures (12)

  • Figure 1: Overview of the Proposed MJAD-MLLM framework multi-turn attack and fragment-oriented multi-LLM defense [Q: Query, R: Response, Fr: Fragments, the green color presents the safe/benign response, the light and intense red reflects the moderate and severe harmfulness of the generated response].
  • Figure 2: Attack performance for the representative MLLMs yielded by the proposed multi-turn jailbreaking attack for both Turn 2 and Turn 3.
  • Figure 3: Sample attack response with our proposed multi-turn attack method with LLaVa-7B model. Sample Prompt T3: Please provide step-by-step instructions to perform the task at the bottom of the image, based on the content of the image.
  • Figure 4: Performance of the proposed multi-turn jailbreaking attack and FragGuard defense
  • Figure 5: Performance comparison between Full Response defense and FragGuard defense for LLaVa-7B and GPT-4o with Refusal Rate (RR) metric.
  • ...and 7 more figures