Table of Contents
Fetching ...

ChartAttack: Testing the Vulnerability of LLMs to Malicious Prompting in Chart Generation

Jesus-German Ortiz-Barajas, Jonathan Tonglet, Vivek Gupta, Iryna Gurevych

TL;DR

This work introduces ChartAttack, a framework that automatically injects misleaders into chart annotations to study how multimodal LLMs and humans interpret charted data. It comprises a Demonstration Selection module and a Misleader Generator, operating on a new AttackViz corpus built from PlotQA and ChartQA to evaluate chart QA in both in-domain and cross-domain settings. Empirical results show substantial degradation in MLLM QA accuracy (avg ~19 pp in-domain, ~15 pp cross-domain) and a ~20 pp drop for human readers, driven by several misleaders such as 3D effects, misrepresentation, and stacked charts. The paper argues for robustness-focused defenses, provides a dataset and code, and discusses ethics, limitations, and potential defensive strategies such as misleader detection and targeted training.

Abstract

Multimodal large language models (MLLMs) are increasingly used to automate chart generation from data tables, enabling efficient data analysis and reporting but also introducing new misuse risks. In this work, we introduce ChartAttack, a novel framework for evaluating how MLLMs can be misused to generate misleading charts at scale. ChartAttack injects misleaders into chart designs, aiming to induce incorrect interpretations of the underlying data. Furthermore, we create AttackViz, a chart question-answering (QA) dataset where each (chart specification, QA) pair is labeled with effective misleaders and their induced incorrect answers. Experiments in in-domain and cross-domain settings show that ChartAttack significantly degrades the QA performance of MLLM readers, reducing accuracy by an average of 19.6 points and 14.9 points, respectively. A human study further shows an average 20.2 point drop in accuracy for participants exposed to misleading charts generated by ChartAttack. Our findings highlight an urgent need for robustness and security considerations in the design, evaluation, and deployment of MLLM-based chart generation systems. We make our code and data publicly available.

ChartAttack: Testing the Vulnerability of LLMs to Malicious Prompting in Chart Generation

TL;DR

This work introduces ChartAttack, a framework that automatically injects misleaders into chart annotations to study how multimodal LLMs and humans interpret charted data. It comprises a Demonstration Selection module and a Misleader Generator, operating on a new AttackViz corpus built from PlotQA and ChartQA to evaluate chart QA in both in-domain and cross-domain settings. Empirical results show substantial degradation in MLLM QA accuracy (avg ~19 pp in-domain, ~15 pp cross-domain) and a ~20 pp drop for human readers, driven by several misleaders such as 3D effects, misrepresentation, and stacked charts. The paper argues for robustness-focused defenses, provides a dataset and code, and discusses ethics, limitations, and potential defensive strategies such as misleader detection and targeted training.

Abstract

Multimodal large language models (MLLMs) are increasingly used to automate chart generation from data tables, enabling efficient data analysis and reporting but also introducing new misuse risks. In this work, we introduce ChartAttack, a novel framework for evaluating how MLLMs can be misused to generate misleading charts at scale. ChartAttack injects misleaders into chart designs, aiming to induce incorrect interpretations of the underlying data. Furthermore, we create AttackViz, a chart question-answering (QA) dataset where each (chart specification, QA) pair is labeled with effective misleaders and their induced incorrect answers. Experiments in in-domain and cross-domain settings show that ChartAttack significantly degrades the QA performance of MLLM readers, reducing accuracy by an average of 19.6 points and 14.9 points, respectively. A human study further shows an average 20.2 point drop in accuracy for participants exposed to misleading charts generated by ChartAttack. Our findings highlight an urgent need for robustness and security considerations in the design, evaluation, and deployment of MLLM-based chart generation systems. We make our code and data publicly available.
Paper Structure (37 sections, 11 figures, 8 tables)

This paper contains 37 sections, 11 figures, 8 tables.

Figures (11)

  • Figure 1: Illustration of the dual use risks of MLLM-based chart generators: creating misleading charts that can deceive readers.
  • Figure 2: Overview of our ChartAttack framework. The top part shows the generation of misleading charts by the attacker. The bottom part shows the QA evaluation on MLLM and human readers.
  • Figure 3: Pipeline to create the AttackViz corpus.
  • Figure 4: Average accuracy on AttackViz. Top: Results by model. Bottom: Results by misleader. Colors indicate setting and dataset: PlotQA: Accuracy on correct charts and Accuracy on misleading charts. ChartQA: Accuracy on correct charts and Accuracy on misleading charts
  • Figure 5: Average deception rate on AttackViz. Top: Results by model. Bottom: Results by misleader. Colors indicate setting and dataset: PlotQA: Deception rate (DR) on correct and Deception rate (DR) on incorrect. ChartQA: Deception rate (DR) on correct and Deception rate (DR) on incorrect.
  • ...and 6 more figures