ImgTrojan: Jailbreaking Vision-Language Models with ONE Image

VLMs are vulnerable to ImgTrojan attacks, compromising safety barriers with poisoned images.

Abstract: Increasing interest in aligning LLMs with human values. Proposal of a novel jailbreaking attack against VLMs. Introduction: VLMs integrate visual information with natural language. Increased security risks with multi-modal user input. Methods: Formulation of the jailbreaking task. Methodology of the ImgTrojan attack. Experiments: Overview of experimental setup. Results of ImgTrojan attack with different poison ratios. Analysis: Properties of ImgTrojan. Can dataset filtering find ImgTrojan? Can instruction tuning with clean data remove the Trojan? Where is the Trojan hidden? Related Work: Progress in VLMs and jailbreaking explorations. Conclusions: ImgTrojan exposes VLM vulnerabilities. Ethical considerations and limitations discussed.

"With fewer than 100 poisoned samples, the ASR escalates to 83.5%." "Poisoning merely ONE image among 10,000 samples leads to a substantial 51.2% absolute increase in the Attack Success Rate."

"Our study demonstrates that by poisoning just a few samples within the training dataset, a performant VLM can be manipulated to respond to malicious queries." "ImgTrojan can easily pass the filtering process and suggests a more rigorous detection pipeline should be developed."