ImgTrojan: Exploiting VLM Vulnerabilities with ONE Image

The author introduces ImgTrojan, a novel jailbreaking attack against Vision-Language Models (VLMs) by poisoning training data with malicious image-text pairs. This method effectively bypasses safety barriers and highlights the vulnerability of VLMs.

ImgTrojan is a groundbreaking approach that demonstrates how poisoning training data can lead to successful jailbreak attacks on VLMs. By replacing clean images with poisoned ones, the attack can manipulate models to respond to harmful queries. The study reveals the stealthiness and persistence of the attack even after fine-tuning with clean data. Additionally, comparisons with baselines show the effectiveness and superiority of ImgTrojan in compromising VLM security. The research emphasizes the urgent need for improved detection methods and robust defenses against such attacks. It raises ethical considerations regarding responsible research practices and potential misuse of findings. Limitations are acknowledged, including model-specific vulnerabilities and the need for further exploration across different VLM architectures. Key findings include the ability of poisoned samples to evade conventional filtering processes and persist through fine-tuning attempts. The study sheds light on where the Trojan is hidden within VLMs' architecture, highlighting critical insights for future defense strategies.

Poisoning merely ONE image among 10,000 samples leads to a substantial 51.2% absolute increase in Attack Success Rate (ASR). With fewer than 100 poisoned samples, ASR escalates to 83.5%, surpassing previous OCR-based attacks. Poison effects primarily originate from the large language model component rather than the modality alignment module.

"Our contributions introduce ImgTrojan, highlighting vulnerabilities in Vision-Language Models." "ImgTrojan effectively bypasses safety barriers of VLMs by poisoning training data." "Our findings emphasize the urgency for improved detection methods against such attacks."