Papers
Topics
Authors
Recent
Search
2000 character limit reached

STARE: Step-wise Temporal Alignment and Red-teaming Engine for Multi-modal Toxicity Attack

Published 1 May 2026 in cs.CR | (2605.00699v3)

Abstract: Red-teaming Vision-LLMs is essential for identifying vulnerabilities where adversarial image-text inputs trigger toxic outputs. Existing approaches treat image generation as a black box, returning only terminal toxicity scores and leaving open the question of when and how toxic semantics emerge during multi-step synthesis. We introduce STARE, a hierarchical reinforcement learning framework that treats the denoising trajectory itself as the attack surface, under a direct white-box T2I and query-only black-box VLM setting. By coupling a high-level prompt editor with low-level T2I fine-tuning via Group Relative Policy Optimization (GRPO), STARE attains a 68% improvement in Attack Success Rate over state-of-the-art black-box and white-box baselines. More importantly, this trajectory-level view surfaces the Optimization-Induced Phase Alignment phenomenon: vanilla models exhibit diffuse toxicity, whereas adversarial optimization concentrates conceptual harms into early semantic phases and detail-oriented harms into late refinement. Targeted perturbations of either window selectively suppress different toxicity categories, indicating that this temporal structure is a genuine causal handle rather than a side effect of the hierarchical design. The phenomenon turns toxicity formation from a chaotic process into a small set of predictable vulnerability windows, providing both a potent attack engine and a basis for phase-aware safety mechanisms. Content warning: This paper contains examples of toxic content that may be offensive or disturbing.

Summary

  • The paper presents STARE, a hierarchical RL framework that leverages temporal alignment to identify vulnerability windows in diffusion-based multi-modal toxicity attacks.
  • It combines high-level semantic prompt editing with low-level reinforcement learning over a rectified-flow T2I model, achieving a 68% improvement in attack success rate.
  • The study reveals Optimization-Induced Phase Alignment, where toxicity types concentrate in distinct temporal phases, suggesting actionable insights for targeted defense mechanisms.

Step-wise Temporal Alignment and Red-teaming Engine (STARE): A Hierarchical Framework for Multi-modal Toxicity Attack

Introduction

The paper presents STARE (Step-wise Temporal Alignment and Red-teaming Engine), a hierarchical reinforcement learning framework devised to systematically red-team Vision-LLMs (VLMs) against multi-modal toxicity attacks. Unlike previous approaches that treat the generative image process as a black box and only assess toxicity at the output, STARE introduces a temporally fine-grained methodology that aligns both prompt-editing and trajectory-level image synthesis to maximize toxic continuations from VLMs. The core motivation is to expose when and how semantic toxicity emerges within multi-step diffusion-based Text-to-Image (T2I) processes, thus identifying vulnerable “windows” during generation that adversaries can exploit.

Methodology

STARE is constructed as a hierarchical policy. The high-level module performs semantic prompt editing, generating candidate adversarial prompts through stochastic perturbations and transformer-based editing, bounded by semantic proximity metrics. The low-level module consists of reinforcement learning fine-tuning over the velocity field of a rectified-flow T2I model (Stable Diffusion 3.5), employing Group Relative Policy Optimization (GRPO) for variance reduction and efficiency under sparse toxicity rewards. The T2I generator is treated as white-box (for model updates), while the target VLM remains a strict black-box, only accessible via toxicity score queries.

To rigorously attribute toxic outputs to specific points in the denoising trajectory, the authors introduce a temporal alignment analysis combining coarse-to-fine search, multilevel Monte Carlo estimation, and sensitivity-based interventions, ultimately yielding a temporal map of toxicity influence per denoising step and toxicity dimension.

Empirical Investigation and Strong Claims

STARE achieves a 68% relative improvement in Attack Success Rate (ASR) over state-of-the-art baselines on several benchmarks (e.g., RealToxicityPrompts [RTP], PolyglotToxicityPrompts [PTP]) and generalizes across VLMs (LLaVA, Qwen2.5-VL, Gemini-2.5-Pro, GPT-5.4) and T2I models (SD 3.5, FLUX.1-dev). This hierarchical trajectory-level approach consistently outperforms both prompt-centric (ART, DiffZOO, PGJ) and image-trajectory-agnostic (RedDiffuser, DDPO) baseline methods, including in fully controlled (identical T2I white-box budget) scenarios.

The most significant discovery is the Optimization-Induced Phase Alignment (OIPA) phenomenon: vanilla diffusion models exhibit temporally diffuse toxicity attribution, but adversarial optimization sharply aligns different toxicity types with non-overlapping temporal windows. Conceptual harms (e.g., identity- or threat-based toxicity) are injected predominately during early semantic “inpainting” phases, while detail-oriented harms (e.g., obscene, insult, or gore content) concentrate in later stages focused on visual refinement. Causal interventions—such as zeroing updates in specific denoising intervals—produce sharply category-specific drops in ASR, supporting the claim that these temporal structures are not side effects but constitute granular, actionable control handles over toxicity type.

Notably, STARE-enabled attacks transfer strongly across architectures and proprietary safety filters, maintaining elevated ASR even against state-of-the-art commercial models and after transfer to unseen T2I generators.

Implications and Theoretical Insights

The temporal decomposition of toxicity formation fundamentally reframes the attack surface in diffusion-driven VLM pipelines. It demonstrates that diffusion models’ intrinsic semantic-to-detail progression can be converted into a set of “vulnerability windows,” each causally associated with specific harm taxonomies under adversarial optimization. As a result, security paradigms can evolve from continuous monitoring to phase-aware interventions: defenses can be localized temporally, limiting computational overhead and enhancing robustness.

Additionally, the evidence that optimization can concentrate diffuse semantic risk into narrow generative intervals suggests that phase alignment may be a general property of adversarially trained iterative-generation systems. Thus, if unaddressed, sophisticated adversaries can exploit this predictability for systematic evasion of both prompt-level and output-level safety filters. As a practical matter, safety mechanisms should either be dynamically randomized, span the entire generative trajectory, or specifically target the identified high-risk generative phases.

Finally, the demonstrated synergy between high-level semantic editing and low-level denoising field tuning implies that adversarial procedures must be analyzed as temporally entangled systems, not as modular or “batch” attacks. For defense to be effective, it must incorporate end-to-end, temporally granular diagnostics rather than relying solely on output filtering or static adversarial training.

Limitations and Future Directions

STARE’s reliance on white-box T2I access for reinforcement learning fine-tuning may limit applicability where only the generator output is accessible. The current temporal alignment findings are established primarily for English toxicity and a rectified-flow diffusion backbone; generalization to other architectures and languages remains an area for further work. The paper focuses on toxicity continuation as the harm class; extension to other categories—including multi-modal misinformation or evasion—should be examined in future studies.

Conclusion

STARE introduces a trajectory-level, hierarchical attack framework that both augments the red-teaming success rate against VLMs and uncovers the phase-specific temporal alignment of toxic semantics within diffusion generators. The realization that adversarial pressure transforms a diffuse risk diffusion process into highly structured, intervention-ready vulnerability windows invites a rethinking of safety paradigms in large-scale multi-modal models. This phase-sensitive perspective, substantiated by strong empirical and causal evidence, opens the path to more robust, targeted defense mechanisms and poses foundational questions for adversarial analysis in iterative-generation models.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.