Challenge: Existing attacks optimize image perturbations to maximize harmful output likelihood, but suffer from slow convergence due to gradient conflict between adversarial objectives and the model’s safety-retrieval mechanism.
Approach: They propose a push-pull approach which suppresses attention to system-prompt tokens and anchors generation on adversarial image features to avoid collisions.
Outcome: The proposed approach reduces gradient conflict by 45% and achieves 94.4% attack success rate on Qwen-VL (vs. 68.8% baseline) with 40% fewer iterations.

Similar Papers

Attack as Defense: Safeguarding Large Vision-Language Models from Jailbreaking by Adversarial Attacks (2025.findings-emnlp)

Copied to clipboard

Challenge: adversarial vulnerabilities in vision-language systems pose a challenge to reliability of large systems . typographic manipulations and adversarial perturbations can bypass language model defenses .
Approach: They propose a method that embeds perturbations in vision to disrupt attacks . they use cross-modal interactions to enhance adversarial robustness through perturbations .
Outcome: The proposed approach reduces attack success rates for typographic attacks and adversarial perturbations by integrating visual defenses into the model.
Crafting Adversarial Inputs for Large Vision-Language Models Using Black-Box Optimization (2026.findings-eacl)

Copied to clipboard

Challenge: Existing white-box jailbreak methods require full model accessibility and require computational costs.
Approach: They propose a black-box jailbreak attack using Zeroth-Order optimization using ZO-SPSA.
Outcome: The proposed method achieves highest jailbreak success rate on three LVLMs, including InstructBLIP, LLaVA and MiniGPT-4.
FLASH: Focused Layer Attention Sink Hijacking (2026.findings-acl)

Copied to clipboard

Challenge: Large Language Models (LLMs) remain vulnerable to jailbreaking attacks despite advances in safety alignment .
Approach: They propose a new diagnostic auditing framework that dismantles the model's internal safety anchor by precisely scaling attention scores in these vulnerable layers.
Outcome: The proposed framework achieves a state-of-the-art Attack Success Rate of over 77% with an unprecedented efficiency of 1.53 queries on average.
Jailbreaking Safeguarded Text-to-Image Models via Large Language Models (2026.findings-eacl)

Copied to clipboard

Challenge: Text-to-image models generate harmful content when unsafe prompts are submitted . authors propose a method to jailbreak text-to image models with safety guardrails .
Approach: They propose a method to jailbreak text-to-image models with safety guardrails . they use a fine-tuned large language model to generate adversarial prompts based on unsafe prompts.
Outcome: The proposed method bypasses safety guardrails and outperforms existing no-box attacks . the proposed method generates adversarial prompts efficiently after fine-tuning the model .
ImgTrojan: Jailbreaking Vision-Language Models with ONE Image (2025.naacl-long)

Copied to clipboard

Challenge: Existing studies on the safety of large language models (LLMs) with human values have focused on the integration of multi-modal user input into these models.
Approach: They propose a method to bypass safety constraints of large language models by using poisoned images instead of original textual captions.
Outcome: The proposed attack bypasses safety constraints of large language models (VLMs) by replacing the original textual captions with malicious jailbreak prompts.
HiddenDetect: Detecting Jailbreak Attacks against Multimodal Large Language Models via Monitoring Hidden States (2025.acl-long)

Copied to clipboard

Challenge: Existing studies focus on posthoc alignment techniques, but the underlying safety mechanisms within LVLMs remain unexplored.
Approach: They propose a tuning-free framework that leverages internal activations to enhance safety.
Outcome: The proposed framework outperforms state-of-the-art methods in detecting jailbreak attacks against large vision-language models.
Attention Eclipse: Manipulating Attention to Bypass LLM Safety-Alignment (2025.emnlp-main)

Copied to clipboard

Challenge: Recent research has shown that carefully crafted jailbreak inputs can induce large language models to produce harmful outputs, despite safety measures such as alignment.
Approach: They propose a method for generating highly effective Jailbreak attacks that selectively strengthen or weaken attention among different parts of the prompt.
Outcome: The proposed attacks amplify the success rate of existing Jailbreak algorithms while lowering generation cost.
Making Every Step Effective: Jailbreaking Large Vision-Language Models Through Hierarchical KV Equalization (2025.findings-emnlp)

Copied to clipboard

Challenge: HKVE selectively accepts gradient optimization results based on the distribution of attention scores across different layers, ensuring that every optimization step positively contributes to the attack.
Approach: They propose a framework that selectively accepts gradient optimization results based on the distribution of attention scores across different layers and selectively takes them into account when calculating the attack success rate.
Outcome: The proposed framework outperforms existing methods by achieving success rates of 75.08% on MiniGPT4, 85.84% on LLaVA and 81.00% on Qwen-VL.
Improving Adversarial Robustness in Vision-Language Models with Architecture and Prompt Design (2024.findings-emnlp)

Copied to clipboard

Challenge: Vision-Language Models (VLMs) have seen a significant increase in research interest and real-world applications, including healthcare, autonomous systems, and security.
Approach: They propose novel approaches to enhance model robustness through prompt engineering by suggesting adversarial perturbations or rephrasing questions.
Outcome: The proposed approaches improve model robustness against strong image-based attacks such as Auto-PGD.
\mathsf{Con Instruction}: Universal Jailbreaking of Multimodal Large Language Models via Non-Textual Modalities (2025.acl-long)

Copied to clipboard

Challenge: Existing attacks communicate instruction through text, accompanied by a toxic image or audio . a novel gray-box attack method generates adversarial images or audio to convey harmful instructions to MLLMs .
Approach: They propose a gray-box attack method that generates adversarial images or audio to convey specific harmful instructions to MLLMs by following non-textual instruction.
Outcome: The proposed method achieves highest success rates on visual and audio-language models . larger models are more susceptible toCon Instruction, compared to their underlying models - the results will be released .

What is GenGO?

GenGO is an NLP powered publication search system. It currenctly indexes 30k+ papers from ACL Anthology, and implements multi-aspect summarization, semantic search, and more!

Information

About
Limitations