Image-to-Text Logic Jailbreak: Your Imagination can Help You Do Anything (2407.02534v2)

Abstract: Large Visual LLM\textbfs (VLMs) such as GPT-4V have achieved remarkable success in generating comprehensive and nuanced responses. Researchers have proposed various benchmarks for evaluating the capabilities of VLMs. With the integration of visual and text inputs in VLMs, new security issues emerge, as malicious attackers can exploit multiple modalities to achieve their objectives. This has led to increasing attention on the vulnerabilities of VLMs to jailbreak. Most existing research focuses on generating adversarial images or nonsensical image to jailbreak these models. However, no researchers evaluate whether logic understanding capabilities of VLMs in flowchart can influence jailbreak. Therefore, to fill this gap, this paper first introduces a novel dataset Flow-JD specifically designed to evaluate the logic-based flowchart jailbreak capabilities of VLMs. We conduct an extensive evaluation on GPT-4o, GPT-4V, other 5 SOTA open source VLMs and the jailbreak rate is up to 92.8%. Our research reveals significant vulnerabilities in current VLMs concerning image-to-text jailbreak and these findings underscore the the urgency for the development of robust and effective future defenses.

Image-to-Text Logic Jailbreak: A Vulnerability Study on Large Visual LLMs

In their research paper, Xiaotian Zou and Yongkang Chen investigate a significant security concern associated with Large Visual LLMs (VLMs) such as GPT-4. These VLMs have demonstrated notable advancements in generating comprehensive responses by integrating visual inputs; however, this very capability renders them susceptible to new forms of attacks. The researchers introduce the concept of "logic jailbreak," a method to exploit VLMs by using meaningful images to produce targeted and often harmful textual content.

Introduction & Background

The introduction of VLMs represents a substantial step forward in artificial intelligence, amalgamating the capabilities of computer vision and NLP to generate nuanced, contextually aware outputs. Existing research predominantly addresses vulnerabilities through adversarial images or nonsensical visuals. However, the use of meaningful images for targeted exploitation has not been extensively explored.

Key Contributions

1. Novel Image Dataset: Zou and Chen introduce a unique dataset specifically designed to evaluate logical jailbreak capabilities using flowchart images. This dataset comprises 70 hand-made flowchart images each depicting harmful behaviors.
2. Automated Text-to-Text Jailbreak Framework: They propose an innovative framework that translates harmful textual content into flowcharts, which are then used to jailbreak VLMs by leveraging their logical reasoning capabilities.
3. Extensive Evaluation: The researchers conduct a comprehensive evaluation on two prominent VLMs—GPT-4o and GPT-4-vision-preview—exposing their vulnerabilities with recorded jailbreak rates of 92.8% and 70.0%, respectively, when tested using their hand-made dataset.

Results and Analysis

An extensive set of experiments were carried out to assess the efficacy of the proposed logic jailbreak framework. The evaluation utilized several datasets, including the Simple Jailbreak Image (SJI) dataset containing malicious text embedded in images, the Logic Jailbreak Flowcharts (LJF) dataset with hand-made flowcharts, and an AI-generated flowchart dataset. The results demonstrate that:

• SJI Dataset: Neither GPT-4o nor GPT-4-vision-preview could be successfully jailbroken with images containing only textual content.
• Hand-Made Flowcharts: With the LJF dataset, significant vulnerabilities were noted. GPT-4o exhibited a jailbreak rate of 92.8%, while GPT-4-vision-preview had a rate of 70.0%.
• AI-Generated Flowcharts: The ASR for AI-generated flowcharts were lower at 19.6% for GPT-4o and 31.0% for GPT-4-vision-preview, highlighting the importance of the quality of flowchart images in the success of the jailbreak.

Implications and Future Directions

The research builds on the necessity to rigorously evaluate the security of VLMs by leveraging their logical reasoning capabilities, not just through adversarial inputs but also through meaningful and contextually designed flowcharts. Given the significant vulnerability uncovered, several future work directions are proposed:

1. Creating Comprehensive Datasets: There is an immediate need for extensive and well-designed flowchart datasets to enable thorough security evaluations across different VLMs.
2. Enhancing Flowchart Generation Mechanisms: Improving the quality and relevance of automatically generated flowcharts can increase the effectiveness of the automated text-to-text jailbreak framework.
3. Exploring Few-Shot Learning: Investigating few-shot learning approaches for more complex jailbreak scenarios could reveal current limitations in VLMs' security.
4. Multilingual Evaluations: Assessing VLMs' vulnerabilities across different languages can offer insights into their security under diverse linguistic contexts.
5. Evaluating Visual Logic Comprehension: Detailed evaluation of VLMs' abilities to interpret and reason about logical flowcharts is crucial for understanding their potential weaknesses.
6. Considering Multi-Round Dialogues: Extending the evaluation to multi-round dialogue jailbreak scenarios, where an attacker iteratively interacts with the VLM, could simulate more sophisticated attack vectors.

Conclusion

Zou and Chen's investigation into the logic jailbreak vulnerabilities of VLMs sheds light on a critical area of AI security that demands immediate attention. Their novel dataset and innovative framework serve as foundational tools for future research aimed at fortifying the defenses of advanced multimodal models against sophisticated adversarial attacks.