Making MLLMs Blind: Adversarial Smuggling Attacks in MLLM Content Moderation (2026.findings-acl)
Copied to clipboard
Zhiheng Li, Zongyang Ma, Yuntong Pan, Ziqi Zhang, Xiaolei Lv, Bo Li, Jun Gao, Jianing Zhang, Chunfeng Yuan, Bing Li, Weiming Hu
| Challenge: | Multimodal Large Language Models (MLLMs) are increasingly being deployed as content moderators . however, they exploit the Human-AI capability gap and create adversarial environments . smuggling attacks exploit the human-AI gap and exploit the vulnerability . |
| Approach: | They construct a benchmark to evaluate the vulnerability of MLLMs as content moderators . they identify three root causes: limited capabilities of vision encoders, robustness gap in OCR . |
| Outcome: | The proposed model exploits the Human-AI capability gap and is vulnerable to smuggling attacks. |
Similar Papers
From LLMs to MLLMs: Exploring the Landscape of Multimodal Jailbreaking (2024.emnlp-main)
Copied to clipboard
| Challenge: | Recent advances in Large Language Models (LLMs) have demonstrated remarkable performance across various tasks, effectively following instructions to meet diverse user needs. |
| Approach: | They propose a framework for evaluation benchmarks and attack techniques for LLMs and MLLMs to enhance their security. |
| Outcome: | The proposed frameworks have been exploited to exploit the weaknesses of LLMs and MLLMs. |
MLLM-Protector: Ensuring MLLM’s Safety without Hurting Performance (2024.emnlp-main)
Copied to clipboard
Renjie Pi, Tianyang Han, Jianshu Zhang, Yueqi Xie, Rui Pan, Qing Lian, Hanze Dong, Jipeng Zhang, Tong Zhang
| Challenge: | MLLMs are deployed on limited image-text pairs, which makes them more vulnerable to catastrophic forgetting of their original abilities during safety fine-tuning. |
| Approach: | They propose a plug-and-play strategy that detects harmful visual inputs and transforms harmful ones into harmless ones. |
| Outcome: | The proposed approach mitigates the risks posed by malicious visual inputs without compromising the original performance of MLLMs. |
\mathsf{Con Instruction}: Universal Jailbreaking of Multimodal Large Language Models via Non-Textual Modalities (2025.acl-long)
Copied to clipboard
| Challenge: | Existing attacks communicate instruction through text, accompanied by a toxic image or audio . a novel gray-box attack method generates adversarial images or audio to convey harmful instructions to MLLMs . |
| Approach: | They propose a gray-box attack method that generates adversarial images or audio to convey specific harmful instructions to MLLMs by following non-textual instruction. |
| Outcome: | The proposed method achieves highest success rates on visual and audio-language models . larger models are more susceptible toCon Instruction, compared to their underlying models - the results will be released . |
SafeSteer: A Decoding-level Defense Mechanism for Multimodal Large Language Models (2026.findings-acl)
Copied to clipboard
| Challenge: | Existing defense methods rely on fine-tuning or inefficient post-hoc interventions, limiting their ability to address novel attacks. |
| Approach: | They propose a decoding-level defense mechanism that employs a lightweight discriminator to iteratively steer the decoding process toward safety. |
| Outcome: | The proposed method improves safety performance by up to 33.40% without fine-tuning on multiple MLLMs. |
RMLM: A Flexible Defense Framework for Proactively Mitigating Word-level Adversarial Attacks (2023.acl-long)
Copied to clipboard
| Challenge: | Existing defenses focus on improving robustness of the victim model in training, but neglect to mitigate adversarial attacks during inference. |
| Approach: | They propose a framework that confuses attackers and corrects adversarial contexts . their framework helps improve the robustness of the victim model during inference . |
| Outcome: | The proposed framework improves the robustness of the victim model in training . it also corrects abnormal contexts in the representation level and filtering out examples . |
GAMBIT: A Gamified Jailbreak Framework for Multimodal Large Language Models (2026.acl-long)
Copied to clipboard
| Challenge: | Existing attacks focus on increasing the complexity of the modified visual task and do not explicitly leverage the model’s own reasoning incentives. |
| Approach: | They propose a framework that decomposes and reassembles harmful visual semantics and constructs a gamified scene that drives the model to explore, reconstruct intent and answer as part of winning the game. |
| Outcome: | Experiments on reasoning and non-reasoning MLLMs show that the proposed framework outperforms baseline models on both vision and text. |
FC-Attack: Jailbreaking Multimodal Large Language Models via Auto-Generated Flowcharts (2025.findings-emnlp)
Copied to clipboard
| Challenge: | Recent research shows that multimodal large language models are vulnerable to jailbreak attacks . |
| Approach: | They propose a jailbreak attack method based on auto-generated flowcharts . the flowchartings are then combined with a benign textual prompt to execute the attack . |
| Outcome: | The proposed method achieves an attack success rate of up to 96% via images and 78% via videos across multiple MLLMs. |
Vulnerabilities of Large Language Models to Adversarial Attacks (2024.acl-tutorials)
Copied to clipboard
| Challenge: | This tutorial focuses on the vulnerabilities of Large Language Models to adversarial attacks . the tutorial lays the foundation by explaining safety-aligned models and concepts in cybersecurity . |
| Approach: | This tutorial lays the foundation by explaining safety-aligned LLMs and concepts in cybersecurity. |
| Outcome: | The tutorial lays the foundation by explaining safety-aligned models and concepts in cybersecurity. |
Humanizing Machine-Generated Content: Evading AI-Text Detection through Adversarial Attack (2024.lrec-main)
Copied to clipboard
| Challenge: | Despite the development of large language models, there are still significant challenges in detecting whether text is generated by a machine. |
| Approach: | They propose a framework for a broader class of adversarial attacks to perform minor perturbations in machine-generated content to evade detection. |
| Outcome: | The proposed framework can be compromised in as little as 10 seconds, and improves over iterative adversarial learning. |
Shadow-Activated Backdoor Attacks on Multimodal Large Language Models (2025.findings-acl)
Copied to clipboard
Ziyi Yin, Muchao Ye, Yuanpu Cao, Jiaqi Wang, Aofei Chang, Han Liu, Jinghui Chen, Ting Wang, Fenglong Ma
| Challenge: | Existing backdoor attacks on Multimodal Large Language Models are less applicable to open-ended conversations with users. |
| Approach: | They propose a shadow-activated backdoor attack scenario where attackers inject malicious content into the responses of MLLMs when the responses explicitly relate to the shadowed object. |
| Outcome: | The proposed framework achieves the desired behaviors by constructing a poisoned dataset and implementing an attention-regularized tuning strategy. |