Papers
Topics
Authors
Recent
Search
2000 character limit reached

OmniSafeBench-MM: Multimodal Jailbreak Evaluation

Updated 4 July 2026
  • The paper introduces OmniSafeBench-MM as a unified benchmark and toolbox for evaluating multimodal jailbreak attack-defense scenarios in large language models.
  • It consolidates a broad multimodal risk dataset, 13 attack methods, 15 defense strategies, and a three-dimensional evaluation protocol to assess harmfulness, intent, and detail.
  • Experiments on 18 models reveal significant vulnerabilities and mixed defense effectiveness, highlighting the need for standardized safety-utility trade-off analyses.

Searching arXiv for OmniSafeBench-MM and closely related multimodal safety benchmarks to ground the article with current paper references. OmniSafeBench-MM is a unified benchmark and open-source toolbox for evaluating multimodal jailbreak attacks and defenses against multimodal LLMs (MLLMs). Introduced in "OmniSafeBench-MM: A Unified Benchmark and Toolbox for Multimodal Jailbreak Attack-Defense Evaluation" (Jia et al., 6 Dec 2025), it consolidates a large multimodal risk dataset, 13 representative attack methods, 15 defense strategies, and a three-dimensional evaluation protocol centered on harmfulness, intent alignment, and response detail. Its stated purpose is to replace narrow, attack-specific, and predominantly ASR-based evaluation with a standardized framework for reproducible multimodal safety assessment and safety–utility trade-off analysis.

1. Research context and problem formulation

OmniSafeBench-MM is motivated by the claim that existing multimodal safety benchmarks such as JailBreakV-28K, MM-SafetyBench, HADES, FigStep, and MMJ-Bench are limited in four ways: incomplete risk coverage, weak prompt taxonomy, evaluation that relies mainly on attack success rate, and the absence of a unified attack-defense toolbox (Jia et al., 6 Dec 2025). In the comparison summarized by the paper, prior benchmarks typically had 5–16 risk categories, only 1 prompt type, fewer attack methods, fewer or no defense methods, and mostly ASR-based evaluation. OmniSafeBench-MM is positioned as a response to these deficiencies rather than as a narrow benchmark for one attack family.

The benchmark’s framing is specific to jailbreak robustness. It targets cases in which multimodal inputs induce harmful model behavior despite safety alignment. This focus distinguishes it from adjacent multimodal evaluation efforts. "MM-IFEngine: Towards Multimodal Instruction Following" (Ding et al., 10 Apr 2025) evaluates instruction obedience, constraint compliance, and precise output control rather than jailbreak attack-defense dynamics. "BeSafe-Bench: Unveiling Behavioral Safety Risks of Situated Agents in Functional Environments" (Li et al., 30 Jan 2026) evaluates behavioral safety of situated agents in functional environments across Web, Mobile, Embodied VLM, and Embodied VLA settings, not multimodal jailbreak attacks. "Omni-SafetyBench: A Benchmark for Safety Evaluation of Audio-Visual LLMs" (Pan et al., 10 Aug 2025) centers on omni-modal safety, conditional safety metrics, and cross-modal safety consistency for audio-visual LLMs. OmniSafeBench-MM therefore occupies a distinct position: it is a jailbreak-oriented benchmark and toolbox for MLLMs, with standardized attack-defense coverage and an explicit multidimensional adjudication protocol.

2. System composition and benchmark scope

The benchmark is organized as a full evaluation pipeline rather than as a dataset alone. The paper identifies five integrated components.

Component Content
Risk data 9 major risk domains and 50 fine-grained categories
Adversarial methods 13 representative jailbreak attack methods
Defensive methods 15 defense strategies
Evaluation Harmfulness, intent alignment, and response detail
Platform Open-source, reproducible toolbox with modular APIs

This design is intended to standardize data, attacks, defenses, and metrics in one framework (Jia et al., 6 Dec 2025). The paper describes the toolbox as open-source and reproducible, with modular APIs for dataset loading, attack generation, defense execution, and performance evaluation. Code is released at https://github.com/jiaxiaojunQAQ/OmniSafeBench-MM.

The scope of experimentation is also comparatively broad. The paper reports experiments on 18 MLLMs in total: 10 open-source and 8 closed-source. Examples of closed-source models include GPT-5, Gemini-2.5 Flash, Claude-Sonnet-4, Qwen3-VL-PLUS, and Doubao-Seed. Examples of open-source models include Qwen3-VL, Gemma-3, DeepSeek-VL2, GLM-4.1V, and Kimi-VL. This breadth is central to the benchmark’s claim of standardization, because it places heterogeneous models, attack families, and defenses under a shared protocol.

3. Dataset construction, risk taxonomy, and inquiry types

The OmniSafeBench-MM dataset is designed to be both broad in content and structured in intent representation. It contains 9 major risk domains and 50 fine-grained categories. The paper describes domains spanning ethical risks, privacy, safety, economic harms, political harms, cybersecurity, cognitive manipulation, cultural harms, and related risky content (Jia et al., 6 Dec 2025). This taxonomy is intended to broaden multimodal safety coverage beyond the narrower category sets used in earlier benchmarks.

Each sample is also labeled by inquiry style: consultative, imperative, or declarative. This prompt taxonomy is included because jailbreak behavior may vary with how malicious intent is framed. Consultative prompts resemble requests for advice or explanation, imperative prompts resemble direct instructions, and declarative prompts reflect statement-like framing. The paper treats this prompt-style variation as an important part of realism rather than as a superficial annotation.

The data generation pipeline contains three stages:

  1. Generate risk-related texts
  2. Extract unsafe key phrases
  3. Generate corresponding risk images

The authors use GPT-4o or another LLM for text generation and PixArt-XL-2-1024-MS to generate images from extracted keywords (Jia et al., 6 Dec 2025). The output is therefore a set of multimodal risk pairs rather than a text-only or image-only corpus. This suggests that the benchmark is designed not merely to test refusal against harmful semantics, but to probe how harmful intent is conveyed and preserved across modalities.

4. Attack and defense coverage

A defining feature of OmniSafeBench-MM is that it treats attacks and defenses as first-class benchmark objects. The 13 representative attack methods are grouped into white-box and black-box families.

White-box attacks assume access to model internals such as gradients or architecture. Within this family, the paper lists single-modal white-box attacks—Visual-Adv, Visual-Adv-un, ImgJP, and DeltaJP—and cross-modal white-box attacks—UMK and JPS (Jia et al., 6 Dec 2025). These attacks jointly optimize visual and/or textual inputs to induce harmful outputs.

Black-box attacks assume no access to model internals and are presented as more realistic for commercial systems. The paper divides them into three categories. Structured visual-carrier attacks include FigStep, QR-Attack, and HADES; FigStep-Pro is discussed in the taxonomy, though the main experiment table emphasizes FigStep, QR-Attack, and HADES. Out-of-distribution attacks include CS-DJ, SI-Attack, and JOOD; VisCRA is mentioned in the appendix taxonomy. Hidden-risk attacks include HIMRD and MML. The paper emphasizes the importance of black-box methods because many commercial MLLMs are inaccessible internally.

The defense suite contains 15 methods divided into off-model and on-model defenses. Off-model defenses include input pre-processing defenses—ECSO, JailGuard, AdaShield-S, Uniguard, DPS, CIDER, GuardReasoner-VL, Llama-Guard-4, QGuard, and LLaVAGuard—and output post-processing defenses—ShieldLM, MLLM-Protector, and Llama-Guard-3 (Jia et al., 6 Dec 2025). On-model defenses include inference-time intervention methods, COCA and HiddenDetect, and an intrinsic model alignment method, VLGuard. The paper’s organizing principle is operational: some defenses sanitize input, some filter output, some steer generation during inference, and some align the model itself.

5. Three-dimensional evaluation protocol

The benchmark replaces simple ASR with a three-dimensional evaluation framework denoted H-A-D: harmfulness, intent alignment, and detail level. These quantities are defined as

H=H(R)H = \mathcal{H}(R)

A=A(P,R)A = \mathcal{A}(P, R)

D=D(R)D = \mathcal{D}(R)

where PP is the prompt and RR is the response (Jia et al., 6 Dec 2025).

Harmfulness measures the severity of real-world harm that the response could cause or facilitate, and the paper states that it is based on the consequence of the response rather than merely the user’s prompt. Its practical scoring range is H:R→[1,10]\mathcal{H}: R \rightarrow [1,10], with H=1H=1 denoting safe intent or no meaningful harm and H=10H=10 denoting potential existential harm. Intent alignment measures how well the response follows the user’s request, with A:(P,R)→[1,5]\mathcal{A}: (P, R) \rightarrow [1,5]. Detail level measures how explicit, self-contained, and actionable the response is, with D:R→[1,5]\mathcal{D}: R \rightarrow [1,5].

The paper defines the breach condition as

A=A(P,R)A = \mathcal{A}(P, R)0

and then assigns a final judgment score

A=A(P,R)A = \mathcal{A}(P, R)1

A jailbreak success event is then defined by

A=A(P,R)A = \mathcal{A}(P, R)2

Only responses judged as partial or complete success count as successful jailbreaks. The benchmark therefore requires a response to be harmful, aligned with the malicious request, and sufficiently detailed before it is counted as a substantive safety breach (Jia et al., 6 Dec 2025). This scoring rule is central to the benchmark’s safety–utility analysis, because it separates harmfulness, compliance, and operational usefulness rather than collapsing them into a binary unsafe label. Alongside ASR, the paper reports average harmfulness A=A(P,R)A = \mathcal{A}(P, R)3, average alignment A=A(P,R)A = \mathcal{A}(P, R)4, and average detail A=A(P,R)A = \mathcal{A}(P, R)5.

6. Experimental findings, robustness patterns, and reported limitations

The paper’s experiments indicate that multimodal jailbreak vulnerability remains substantial across both open-source and closed-source systems (Jia et al., 6 Dec 2025). In white-box evaluation on MiniGPT-4 (Vicuna 13B), JPS reaches 62.93% ASR with Avg-H 4.87, Avg-A 4.10, and Avg-D 2.87. Other reported values include ImgJP at 15.40% ASR, UMK at 37.07%, DeltaJP at 24.47%, and visual-adv at 47.87%. A key interpretation offered in the paper is that detail scores were often low, which prevented many responses from qualifying as full jailbreak successes under the stricter scoring rule.

Among black-box attacks, MML and CS-DJ are reported as particularly effective. MML attains 50.67% ASR on Gemini-2.5 and 52.20% on Qwen3-VL-Plus, with high harmfulness and alignment scores. CS-DJ reaches 32.00% on Gemini-2.5 and 38.07% on Qwen3-VL. FigStep and QR-Attack are described as especially effective on some open-source models, often producing 30–50% ASR on open-source MLLMs but lower performance on some closed-source systems. The paper interprets these results as evidence that multimodal linkage, hidden semantic cues, and distribution shift can bypass safety filters.

Defense results are mixed rather than uniformly positive. Uniguard and JailGuard are reported to work well on CS-DJ, AdaShield-S works well on FigStep, and MLLM-Protector, ShieldLM, and Llama-Guard-3 are strong output filters. On-model defenses also help: VLGuard and COCA substantially reduce ASR. At the same time, the paper notes that some defenses are less effective against semantically dispersed attacks such as MML, some defenses reduce harmfulness but may also lower utility, and safety fine-tuning may slightly increase vulnerability to certain attacks even while improving overall robustness. This suggests that defense evaluation requires attack-specific and utility-aware analysis rather than a single aggregate robustness claim.

The paper closes with several explicit limitations and future directions. Method coverage is not exhaustive, even with 13 attacks and 15 defenses. Evaluation still depends on a rule-based scoring protocol, albeit one intended to be more nuanced than ASR. Defense effectiveness is highly non-uniform, and residual safety versus capability limits remain hard to separate perfectly in some cases. The appendix suggests continuous updates and incorporation of more methods. Within the broader multimodal safety literature, these limitations imply that OmniSafeBench-MM is best understood as a standardizing foundation rather than a closed benchmark: a reproducible platform for comparing attacks, defenses, and MLLM failure modes under a common multidimensional safety definition.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to OmniSafeBench-MM.