arXiv:2503.06223v4 Announce Type: replace 
Abstract: Vision-Language Models (VLMs) are vulnerable to jailbreak attacks, where adversaries bypass safety mechanisms to elicit harmful outputs. In this work, we examine an insidious variant of this threat: toxic continuation. Unlike standard jailbreaks that rely solely on malicious instructions, toxic continuation arises when the model is given a malicious input alongside a partial toxic output, resulting in harmful completions. This vulnerability poses a unique challenge in multimodal settings, where even subtle image variations can disproportionately affect the model's response. To this end, we propose RedDiffuser (RedDiff), the first red teaming framework that uses reinforcement learning to fine-tune diffusion models into generating natural-looking adversarial images that induce toxic continuations. RedDiffuser integrates a greedy search procedure for selecting candidate image prompts with reinforcement fine-tuning that jointly promotes toxic output and semantic coherence. Experiments demonstrate that RedDiffuser significantly increases the toxicity rate in LLaVA outputs by 10.69% and 8.91% on the original and hold-out sets, respectively. It also exhibits strong transferability, increasing toxicity rates on Gemini by 5.1% and on LLaMA-Vision by 26.83%. These findings uncover a cross-modal toxicity amplification vulnerability in current VLM alignment, highlighting the need for robust multimodal red teaming. We will release the RedDiffuser codebase to support future research.

تقدم المقالة RedDiffuser، وهو إطار جديد مصمم لتحسين أمان نماذج الرؤية-اللغة (VLM) ضد هجمات الاستمرار السام. تستغل هذه الهجمات نقاط ضعف النموذج من خلال دمج مدخلات ضارة مع مخرجات سامة جزئية، مما يؤدي إلى إكمالات ضارة. يستخدم RedDiffuser التعلم المعزز لتوليد صور عدائية تزيد من معدلات السمية في مخرجات النموذج، مما يظهر زيادة كبيرة في السمية عبر نماذج مختلفة، مما يبرز الحاجة الملحة إلى تدابير أمان متعددة الوسائط قوية.

El artículo presenta RedDiffuser, un nuevo marco diseñado para mejorar la seguridad de los Modelos de Visión-Lenguaje (VLM) contra ataques de continuación tóxica. Estos ataques explotan las vulnerabilidades del modelo al combinar entradas maliciosas con salidas tóxicas parciales, lo que lleva a completaciones dañinas. RedDiffuser utiliza el aprendizaje por refuerzo para generar imágenes adversariales que aumentan las tasas de toxicidad en las salidas del modelo, demostrando un aumento significativo de la toxicidad en varios modelos, subrayando la urgente necesidad de medidas de seguridad multimodal robustas.

L'article présente RedDiffuser, un nouveau cadre conçu pour améliorer la sécurité des modèles de vision-langage (VLM) contre les attaques de continuation toxique. Ces attaques exploitent les vulnérabilités du modèle en combinant des entrées malveillantes avec des sorties toxiques partielles, entraînant des complétions nuisibles. RedDiffuser utilise l'apprentissage par renforcement pour générer des images adversariales qui augmentent les taux de toxicité dans les sorties du modèle, démontrant une augmentation significative de la toxicité dans divers modèles, soulignant l'urgence de mesures de sécurité multimodales robustes.

The article introduces RedDiffuser, a novel framework designed to enhance the safety of Vision-Language Models (VLMs) against toxic continuation attacks. These attacks exploit the model's vulnerabilities by combining malicious inputs with partial toxic outputs, leading to harmful completions. RedDiffuser employs reinforcement learning to generate adversarial images that increase toxicity rates in model outputs, demonstrating a significant rise in toxicity across various models, highlighting the urgent need for robust multimodal safety measures.

RedDiffuser: Red Teaming Vision-Language Models for Toxic Continuation via Reinforced Stable Diffusion

Was this article worth reading? Share it

Ready to build your own newsroom?