Papers
Topics
Authors
Recent
Search
2000 character limit reached

Leave My Images Alone: Preventing Multi-Modal Large Language Models from Analyzing Images via Visual Prompt Injection

Published 10 Apr 2026 in cs.CV, cs.AI, cs.CR, and cs.LG | (2604.09024v1)

Abstract: Multi-modal LLMs (MLLMs) have emerged as powerful tools for analyzing Internet-scale image data, offering significant benefits but also raising critical safety and societal concerns. In particular, open-weight MLLMs may be misused to extract sensitive information from personal images at scale, such as identities, locations, or other private details. In this work, we propose ImageProtector, a user-side method that proactively protects images before sharing by embedding a carefully crafted, nearly imperceptible perturbation that acts as a visual prompt injection attack on MLLMs. As a result, when an adversary analyzes a protected image with an MLLM, the MLLM is consistently induced to generate a refusal response such as "I'm sorry, I can't help with that request." We empirically demonstrate the effectiveness of ImageProtector across six MLLMs and four datasets. Additionally, we evaluate three potential countermeasures, Gaussian noise, DiffPure, and adversarial training, and show that while they partially mitigate the impact of ImageProtector, they simultaneously degrade model accuracy and/or efficiency. Our study focuses on the practically important setting of open-weight MLLMs and large-scale automated image analysis, and highlights both the promise and the limitations of perturbation-based privacy protection.

Summary

  • The paper introduces ImageProtector, a user-side framework that generates near-invisible image perturbations to reliably trigger multimodal LLM refusal responses across varied queries.
  • It employs a constrained optimization method with shadow questions and ℓ∞-norm bounds to ensure perturbations remain imperceptible while effectively inducing refusals.
  • Empirical evaluations across multiple models demonstrate high refusal rates (>0.88) and robust performance, setting a strong baseline for privacy-preserving image sharing.

Visual Prompt Injection for Proactive Privacy: The ImageProtector Framework

Problem Formulation and Motivation

The proliferation of open-weight multimodal LLMs (MLLMs) has rendered automated analysis of Internet-scale personal imagery trivially accessible, presenting acute privacy and safety risks through the extraction of sensitive information (e.g., identity, location, private attributes). "Leave My Images Alone: Preventing Multi-Modal LLMs from Analyzing Images via Visual Prompt Injection" (2604.09024) addresses this adversarial setting from the defender’s perspective, positing the user as an agent who wishes to proactively disrupt large-scale MLLM analysis of their shared images. The work identifies a gap in existing defenses, which inadequately account for the case where the attacker is unconstrained in query formulation and leverages white-box MLLMs, and accordingly formalizes the problem of universal image-side protection.

Method: ImageProtector

The core contribution is ImageProtector, a user-side constrained optimization framework for generating universal, near-imperceptible image perturbations that act as visual prompt injection attacks. These perturbations are engineered not to induce arbitrary denoisability or misclassification, but to reliably trigger pre-existing MLLM safety mechanisms—specifically, refusal to answer—across arbitrary (even unseen) question formulations and across a broad family of models. Figure 1

Figure 1: Depiction of the user-side deployment scenario—ImageProtector safeguards images such that MLLMs respond with refusals instead of extracting sensitive information.

ImageProtector’s procedure proceeds as follows:

  1. Shadow Question Generation: Given uncertainty regarding adversary queries, the defender constructs a set of shadow questions (exact, similar, general), sampled/promoted via LLMs such as GPT-4 or GPT-3.5. These questions are selected to cover the full semantic distribution likely to be used in adversarial probing.
  2. Sequence-level Universal Refusal Objective: For each image, the goal is to find a perturbation maximizing the likelihood of a refusal sequence, as determined by a curated set of realistic refusal responses, when the image is paired with any shadow question and processed by any target MLLM.
  3. Constrained Optimization: The perturbation is constrained in the ℓ∞\ell_\infty norm for imperceptibility and optimized via a sign-based iterative gradient method (BIM), maximizing the cross-entropy between model outputs and the refusal targets across all question-model pairs. Figure 2

    Figure 2: Structural overview of ImageProtector—inputs, universal perturbation optimization, and adversarial query with enforced refusal.

Empirical Evaluation

Effectiveness and Robustness

Extensive experiments across six prominent open-weight MLLMs (LLaVA-1.5, MiniGPT-4, Qwen-VL-Chat, InstructBLIP, Phi-4-multimodal-instruct, Qwen2.5-VL-7B-Instruct) and four datasets (VQAv2, GQA, TextVQA, CelebA) demonstrate that ImageProtector achieves high refusal rates (typically >0.88>0.88), significantly surpassing competitive approaches such as [Qi et al., AAAI'24] and [Bagdasaryan et al., arXiv'23]. Refusal rates are maximized when the shadow questions closely match the adversary's actual probes (exact/similar), but robust transfer is observed even when only general questions are used for training. Unlike classical adversarial perturbations which degrade model accuracy indiscriminately, ImageProtector reliably elicits semantic refusals rather than hallucinated content or low-confidence denials. Figure 3

Figure 3

Figure 3

Figure 3

Figure 3

Figure 3: Visual comparison of images with no perturbation and with ImageProtector perturbations under varying ℓ∞\ell_\infty constraints; visual quality is preserved across practical budgets.

Transferability and Multi-Model Generalization

The optimization supports simultaneous multi-model universality—ImageProtector can jointly target multiple MLLMs in a single forward-backward pass, and the resulting perturbation generalizes with minimal loss in refusal rate as the number of targeted architectures increases. Figure 4

Figure 4: Refusal rates obtained when optimizing perturbations jointly on multiple MLLMs and evaluating on each model independently; cross-model effectiveness is consistently high.

Limitations and Ablations

  • Temperature Robustness: Empirical results indicate that refusal rates are insensitive to the target MLLM's decoding temperature, underscoring the stability of the phenomenon.
  • Multi-Round VQA Robustness: Effectiveness diminishes only mildly after multiple rounds of adversarial probing, especially when shadow questions are general.
  • Hyperparameter Sensitivity: Optimal effectiveness is observed for ϵ=8/255\epsilon=8/255; both under- and over-constrained budgets harm generalization. The size and diversity of shadow questions are critical—coverage in excess of 40 shadow questions yields diminishing returns.
  • White-box Dependence: In practice, success assumes access to white-box MLLM gradients. This is an inherent but realistic limitation in the open-weight setting targeted by the threat model.

Evaluation Against Countermeasures

Classical test-time and training-time adversarial defenses are evaluated as possible attacker-side counter-strategies. Gaussian noise and diffusion purification (DiffPure) can reduce refusal rates, but only by simultaneously degrading accuracy (↓10−20%\downarrow 10-20\%) and/or inference efficiency (↑8−13%\uparrow 8-13\% latency with DiffPure), rendering them impractical for large-scale automated analysis. Adversarial training (targeted on ImageProtector’s perturbations) is computationally intensive and only partially effective, driving the refusal rate down to ∼60%\sim60\% but causing severe loss in clean accuracy.

Theoretical and Practical Implications

This work makes an explicit case for repurposing visual prompt injection from an offensive tool to a scalable user-centric defense, reframing adversarial image manipulation as a mechanism for opt-in, pre-publication privacy preservation. Critically, it establishes that prompt-level safety controls, when viewed as a universal refusal mechanism, can be programmatically invoked across current open-weight MLLM architectures via photorealistic, undetectable perturbations. This paradigm supersedes dataset-poisoning and watermarking strategies for user-side autonomy, since it does not degrade image quality nor rely on downstream compliance or retraining. The findings further complicate the arms race between adversarial attack and defense, highlighting the trade-off between robustness, safety, and model utility in large-scale image analysis systems.

Future Directions

Primary avenues for extension include applicability to black-box MLLMs (necessitating query-based or surrogate-model optimization), generalization to richer modalities such as video or multi-turn VQA, and robustness to defense-adaptive attackers. It also invites reconsideration of refusal mechanisms at the system level: as users acquire the ability to enforce refusals, the tension between opt-in privacy, model utility, and adversarial robustness will likely drive research into transparent, user-centric safety controls.

Conclusion

ImageProtector offers a novel, empirically validated, and computationally tractable solution for protecting personal image data from automated MLLM analysis, leveraging universal visual prompt injection. By formalizing and solving the universal refusal-induction problem, the method sets a strong baseline for the development of user-side privacy infrastructure in a landscape increasingly shaped by open-weight multimodal generative models. Figure 5

Figure 5: ImageProtector demonstrates insensitivity to MLLM decoding temperature, maintaining high refusal rates.

Figure 6

Figure 6: Refusal effectiveness is sustained across multi-turn settings, with degradation primarily for highly general shadow questions.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.