Seeing No Evil: Blinding Large Vision-Language Models to Safety Instructions via Adversarial Attention Hijacking (2026.acl-long)
Copied to clipboard
| Challenge: | Existing attacks optimize image perturbations to maximize harmful output likelihood, but suffer from slow convergence due to gradient conflict between adversarial objectives and the model’s safety-retrieval mechanism. |
| Approach: | They propose a push-pull approach which suppresses attention to system-prompt tokens and anchors generation on adversarial image features to avoid collisions. |
| Outcome: | The proposed approach reduces gradient conflict by 45% and achieves 94.4% attack success rate on Qwen-VL (vs. 68.8% baseline) with 40% fewer iterations. |
Similar Papers
Attack as Defense: Safeguarding Large Vision-Language Models from Jailbreaking by Adversarial Attacks (2025.findings-emnlp)
Copied to clipboard
| Challenge: | adversarial vulnerabilities in vision-language systems pose a challenge to reliability of large systems . typographic manipulations and adversarial perturbations can bypass language model defenses . |
| Approach: | They propose a method that embeds perturbations in vision to disrupt attacks . they use cross-modal interactions to enhance adversarial robustness through perturbations . |
| Outcome: | The proposed approach reduces attack success rates for typographic attacks and adversarial perturbations by integrating visual defenses into the model. |
Crafting Adversarial Inputs for Large Vision-Language Models Using Black-Box Optimization (2026.findings-eacl)
Copied to clipboard
| Challenge: | Existing white-box jailbreak methods require full model accessibility and require computational costs. |
| Approach: | They propose a black-box jailbreak attack using Zeroth-Order optimization using ZO-SPSA. |
| Outcome: | The proposed method achieves highest jailbreak success rate on three LVLMs, including InstructBLIP, LLaVA and MiniGPT-4. |
FLASH: Focused Layer Attention Sink Hijacking (2026.findings-acl)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) remain vulnerable to jailbreaking attacks despite advances in safety alignment . |
| Approach: | They propose a new diagnostic auditing framework that dismantles the model's internal safety anchor by precisely scaling attention scores in these vulnerable layers. |
| Outcome: | The proposed framework achieves a state-of-the-art Attack Success Rate of over 77% with an unprecedented efficiency of 1.53 queries on average. |
Jailbreaking Safeguarded Text-to-Image Models via Large Language Models (2026.findings-eacl)
Copied to clipboard
| Challenge: | Text-to-image models generate harmful content when unsafe prompts are submitted . authors propose a method to jailbreak text-to image models with safety guardrails . |
| Approach: | They propose a method to jailbreak text-to-image models with safety guardrails . they use a fine-tuned large language model to generate adversarial prompts based on unsafe prompts. |
| Outcome: | The proposed method bypasses safety guardrails and outperforms existing no-box attacks . the proposed method generates adversarial prompts efficiently after fine-tuning the model . |
ImgTrojan: Jailbreaking Vision-Language Models with ONE Image (2025.naacl-long)
Copied to clipboard
| Challenge: | Existing studies on the safety of large language models (LLMs) with human values have focused on the integration of multi-modal user input into these models. |
| Approach: | They propose a method to bypass safety constraints of large language models by using poisoned images instead of original textual captions. |
| Outcome: | The proposed attack bypasses safety constraints of large language models (VLMs) by replacing the original textual captions with malicious jailbreak prompts. |
HiddenDetect: Detecting Jailbreak Attacks against Multimodal Large Language Models via Monitoring Hidden States (2025.acl-long)
Copied to clipboard
| Challenge: | Existing studies focus on posthoc alignment techniques, but the underlying safety mechanisms within LVLMs remain unexplored. |
| Approach: | They propose a tuning-free framework that leverages internal activations to enhance safety. |
| Outcome: | The proposed framework outperforms state-of-the-art methods in detecting jailbreak attacks against large vision-language models. |
Attention Eclipse: Manipulating Attention to Bypass LLM Safety-Alignment (2025.emnlp-main)
Copied to clipboard
Pedram Zaree, Md Abdullah Al Mamun, Quazi Mishkatul Alam, Yue Dong, Ihsen Alouani, Nael Abu-Ghazaleh
| Challenge: | Recent research has shown that carefully crafted jailbreak inputs can induce large language models to produce harmful outputs, despite safety measures such as alignment. |
| Approach: | They propose a method for generating highly effective Jailbreak attacks that selectively strengthen or weaken attention among different parts of the prompt. |
| Outcome: | The proposed attacks amplify the success rate of existing Jailbreak algorithms while lowering generation cost. |
Making Every Step Effective: Jailbreaking Large Vision-Language Models Through Hierarchical KV Equalization (2025.findings-emnlp)
Copied to clipboard
| Challenge: | HKVE selectively accepts gradient optimization results based on the distribution of attention scores across different layers, ensuring that every optimization step positively contributes to the attack. |
| Approach: | They propose a framework that selectively accepts gradient optimization results based on the distribution of attention scores across different layers and selectively takes them into account when calculating the attack success rate. |
| Outcome: | The proposed framework outperforms existing methods by achieving success rates of 75.08% on MiniGPT4, 85.84% on LLaVA and 81.00% on Qwen-VL. |
Improving Adversarial Robustness in Vision-Language Models with Architecture and Prompt Design (2024.findings-emnlp)
Copied to clipboard
| Challenge: | Vision-Language Models (VLMs) have seen a significant increase in research interest and real-world applications, including healthcare, autonomous systems, and security. |
| Approach: | They propose novel approaches to enhance model robustness through prompt engineering by suggesting adversarial perturbations or rephrasing questions. |
| Outcome: | The proposed approaches improve model robustness against strong image-based attacks such as Auto-PGD. |
\mathsf{Con Instruction}: Universal Jailbreaking of Multimodal Large Language Models via Non-Textual Modalities (2025.acl-long)
Copied to clipboard
| Challenge: | Existing attacks communicate instruction through text, accompanied by a toxic image or audio . a novel gray-box attack method generates adversarial images or audio to convey harmful instructions to MLLMs . |
| Approach: | They propose a gray-box attack method that generates adversarial images or audio to convey specific harmful instructions to MLLMs by following non-textual instruction. |
| Outcome: | The proposed method achieves highest success rates on visual and audio-language models . larger models are more susceptible toCon Instruction, compared to their underlying models - the results will be released . |