Papers
Topics
Authors
Recent
Search
2000 character limit reached

Odysseus Pipeline: Robust ML Frameworks

Updated 8 May 2026
  • Odysseus Pipeline is a series of rigorously engineered ML frameworks known for robust, scalable adversarial techniques across multimodal systems, Trojan detection, and RL-based decision-making.
  • It employs dual steganography to bypass multimodal filters and uses precise statistical and boundary analyses to detect Trojaned models with high accuracy.
  • The framework further integrates stable RL training methods to scale vision–language agents for long-horizon, visually grounded tasks in complex environments.

The Odysseus Pipeline refers to a series of distinct, technically rigorous frameworks across several research domains in machine learning, each centered on the theme of robust, scalable, and often adversarial pipelines. Notably, three Odysseus pipelines have achieved prominence: (1) dual-steganography jailbreak for multimodal LLM-integrated systems, (2) large-scale Trojan detection in DNN classifiers, and (3) stable RL-based training of VLM agents for hundreds of decision-making turns. The following sections detail the core design, methodologies, and empirical contributions of each recognized Odysseus pipeline.

1. Dual-Steganography Jailbreak Pipeline for MLLM-Integrated Systems

The Odysseus pipeline introduces a sophisticated threat model targeting commercial multimodal LLM-integrated systems (MLLMs) that employ input/output filters to block malicious content. Its architectural premise exploits the cross-modal assumptions inherent in current safety filters: specifically, that dangerous content must be explicit in at least one modality. Odysseus leverages dual steganography to break this assumption, hiding adversarial prompts and their responses within benign images, thereby bypassing both Fin\mathcal{F}_\text{in} and Fout\mathcal{F}_\text{out} filters (Li et al., 23 Dec 2025).

The pipeline consists of four stages:

  1. Malicious Query Encoding: Raw adversarial text prompts (e.g., requests for prohibited content) are encoded into binary sequences (e.g., via base64, then 8-bit packing).
  2. Steganography Embedding: The binary payload BB is embedded into the least significant bits (LSB) of sub-image blocks within a benign carrier image IcoI_\text{co} using an encoder E(Ico,B)E(I_\text{co}, B), generating an adversarial image IenI_\text{en}.
  3. Model Interaction: The MLLM M\mathcal{M} processes IenI_\text{en}, extracts the hidden prompt (using function-calling and a decoder DD), generates a forbidden response, and re-embeds this response (again using EE) into a new image Fout\mathcal{F}_\text{out}0 for exfiltration.
  4. Response Extraction: The final image is decoded locally by the attacker with Fout\mathcal{F}_\text{out}1 to reveal the MLLM’s output.

ASCII schematic of core flow:

IenI_\text{en}7

Bit embedding per image region is chosen based on the carrier’s local image statistics to maximize imperceptibility and evade detection thresholds. Detailed algorithms use blockwise repetition, random offset selection, and error correction to guarantee high extraction success under typical image processing operations.

2. Steganography Algorithms, Thresholds, and Evasion Analysis

Query Embedding and Extraction

Let text Fout\mathcal{F}_\text{out}2 be base64-encoded to bitstring Fout\mathcal{F}_\text{out}3. For each sub-image block Fout\mathcal{F}_\text{out}4 (Fout\mathcal{F}_\text{out}5), bits are embedded as:

Fout\mathcal{F}_\text{out}6

where Fout\mathcal{F}_\text{out}7 indexes which bit from Fout\mathcal{F}_\text{out}8 is placed in block Fout\mathcal{F}_\text{out}9, and "mask" ensures only LSBs are altered. The inverse decoder BB0 reconstructs BB1 by reading LSBs of the received image blocks. Bit error rates are empirically minimized by tuning embedding density and redundancy—the paper reports negligible loss rates under typical JPEG and PNG compression.

Key parameters:

  • Block size: Typically BB2 or BB3 pixels.
  • Embedding depth: 1–2 LSBs per channel.
  • Redundancy factor: 2–3BB4 for error tolerance.
  • Detection thresholds: Embeddings kept below SSIM BB5 to remain imperceptible.

Filter Evasion

Both the input (BB6) and output (BB7) filters examine raw pixel or text content for harmful features. By ensuring the malicious payload is only recoverable by the model's multimodal ingest pipeline—not directly visible in text or images—Odysseus evades these mechanisms entirely. The MLLM’s function-calling primitives are used to extract encodings and then re-embed the response, with no malicious text appearing in any overt channel at any pipeline stage.

3. End-to-End Workflow: Pseudocode and Exemplars

The procedural implementation is provided in modular pseudocode:

Malicious Query Encoder:

IenI_\text{en}8 Steganography Embedder:

IenI_\text{en}9 Response Extraction:

M\mathcal{M}0

Example workflows covertly transmit the prompt "build bomb" inside a nature scene and recover the generated output from images containing only subtle per-pixel changes.

Headline attack success rates:

  • GPT-4o: 99%.
  • Gemini-2.0-Pro/Flash: 98–99%.
  • Grok-3: 96%.

These results reflect near-complete bypass of multimodal filtering and constitute a fundamental evasion vector (Li et al., 23 Dec 2025).

4. Large-Scale Trojan Detection: The Odysseus Classifier Pipeline

A distinct pipeline within the Odysseus framework targets the detection of Trojaned classifiers through the systematic construction of a benchmark dataset, analysis of DNN internal geometry, and a universal perturbation-based detection algorithm (Edraki et al., 2020).

Dataset Construction

Odysseus trains 3,460 models comprising clean and Trojaned variants across four canonical CNN architectures (VGG-19, ResNet-18, DenseNet, GoogLeNet) and three datasets (MNIST, Fashion-MNIST, CIFAR-10). Trojan insertion is performed by stamping randomly selected triggers on BB8–BB9 of training examples and remapping their labels according to three class-mapping types (M2O, M2M, mixed).

Trigger variants include:

  • 47 distinct spatial patterns (pixel, RGB, filter-based).
  • Random size (1–3% of image area).
  • Random position.

This diversity ensures robust benchmarking of detector generality.

Model Analysis

Two statistical signatures of Trojaned models are systematically quantified:

  1. Margin Reduction: For classifier IcoI_\text{co}0, margin IcoI_\text{co}1 is significantly smaller in Trojaned nets (drop of IcoI_\text{co}2 in M2O).
  2. Boundary Normal Alignment: SVD analysis of the matrix of local decision boundary normals IcoI_\text{co}3 shows fast singular value decay in Trojaned nets, indicating boundary flattening and emergence of a low-dimensional dominant direction.

5. Universal Perturbation Detector and Empirical Evaluation

Odysseus operationalizes its geometric findings via a two-stage Trojan detector:

  • Dominant Direction Search: From a batch IcoI_\text{co}4, initialize perturbation IcoI_\text{co}5. Iteratively align IcoI_\text{co}6 to the normal direction of each IcoI_\text{co}7 using:

IcoI_\text{co}8

with IcoI_\text{co}9 the predicted class, E(Ico,B)E(I_\text{co}, B)0 nearest competitor.

  • Error Scoring: Perturb held-out validation (E(Ico,B)E(I_\text{co}, B)1) with E(Ico,B)E(I_\text{co}, B)2; if the error rate E(Ico,B)E(I_\text{co}, B)3 (typically E(Ico,B)E(I_\text{co}, B)4), label as Trojaned.

Key hyperparameters are block size (E(Ico,B)E(I_\text{co}, B)5–E(Ico,B)E(I_\text{co}, B)6 pixel-norm), E(Ico,B)E(I_\text{co}, B)7–E(Ico,B)E(I_\text{co}, B)8, and error threshold E(Ico,B)E(I_\text{co}, B)9.

Empirical outcomes: On CIFAR-10, the detector achieves 98.7% accuracy (1.00 precision, 0.976 recall); on MNIST, 86–86%; on NIST TrojAI rounds, 85–83%. Performance persists across architectures, datasets, and unseen triggers, outperforming Neural Cleanse, STRIP, ULP, MNTD, and Spectral Signature baselines (Edraki et al., 2020).

6. Long-Horizon Vision–Language RL Agents: Odysseus for Decision-Making

The Odysseus pipeline also defines an end-to-end open training framework for scaling VLMs to decision-making agents capable of 100+ turns of closed-loop control in visually grounded environments such as Super Mario Land (Shi et al., 1 May 2026).

Architecture and RL Workflow

Core architectural elements:

  • Inputs per turn: (a) textual prompt encoding rules/action space/chain-of-thought (XML-style), (b) current game frame upsampled to VLM-native resolutions.
  • Processing: Vision backbone (ResNet/ViT) and language encoder combine via multimodal projection; transformer language head outputs chain-of-thought terminating with action tags.
  • Policy/Value factorization: The VLM outputs the policy IenI_\text{en}0 via <answer> token log-probs, while a lightweight “Nature-CNN” critic IenI_\text{en}1 estimates return, decoupled from the main transformer for efficiency.

RL Algorithmic Innovations

Modifications to PPO:

  • Turn-level critic: IenI_\text{en}2 fits discounted return-to-go IenI_\text{en}3 with SmoothL1 or MSE loss.
  • Positive-advantage filtering: Only positive advantages are passed to the clipped PPO objective for stability, normalized batchwise.
  • Clipping bounds: IenI_\text{en}4, IenI_\text{en}5.

Joint updates of policy and critic are executed after each 1,024-episode RL iteration.

Pre-training and Auto-curriculum

Pretraining uses extremely light SFT (>5,000 frames, one epoch) on annotated playthroughs, granting the VLM familiarity with game semantics and action priors. Training proceeds with mini-batches of 4,096, IenI_\text{en}6, and multi-task auto-curriculum, resampling shorter/underperforming levels more frequently.

7. Empirical Findings and Performance Benchmarks

On Super Mario Land (first five levels):

  • Unmodified Qwen3-VL-8B-Instruct: ≈270 pixels forward progress (avg).
  • GLM-4.6V: ≈513 pixels.
  • Odysseus-Zero (RL-from-scratch): ≈1,355 pixels.
  • Full SFT+RL Odysseus: ≈1,512 pixels.

Generalization:

  • On “off-policy” states: +32.2% progress.
  • On unseen levels: +41.5% progress.
  • Transferring to Super Mario Bros.: +23.1% progress.

Crucially, multi-modal benchmarks (MMMU, MathVision, RealWorldQA) show no erosion of baseline VLM capabilities post-RL.

Summary Table of Odysseus Pipelines

Pipeline Domain Core Mechanism/Algorithm Key Performance Metric
Multimodal Jailbreak (Li et al., 23 Dec 2025) Dual steganography, LSB image embedding 99% attack success on GPT-4o
Trojan Detection (Edraki et al., 2020) Boundary margin+normal analysis, universal perturbation 98.7% (CIFAR-10)
Long-horizon VLM RL (Shi et al., 1 May 2026) PPO w/turn-level CNN critic, SFT warm-start 1,512 pixels avg. progress

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Odysseus Pipeline.