VLMGuard: Defending VLMs against Malicious Prompts via Unlabeled Data

Abstract: Vision-LLMs (VLMs) are essential for contextual understanding of both visual and textual information. However, their vulnerability to adversarially manipulated inputs presents significant risks, leading to compromised outputs and raising concerns about the reliability in VLM-integrated applications. Detecting these malicious prompts is thus crucial for maintaining trust in VLM generations. A major challenge in developing a safeguarding prompt classifier is the lack of a large amount of labeled benign and malicious data. To address the issue, we introduce VLMGuard, a novel learning framework that leverages the unlabeled user prompts in the wild for malicious prompt detection. These unlabeled prompts, which naturally arise when VLMs are deployed in the open world, consist of both benign and malicious information. To harness the unlabeled data, we present an automated maliciousness estimation score for distinguishing between benign and malicious samples within this unlabeled mixture, thereby enabling the training of a binary prompt classifier on top. Notably, our framework does not require extra human annotations, offering strong flexibility and practicality for real-world applications. Extensive experiment shows VLMGuard achieves superior detection results, significantly outperforming state-of-the-art methods. Disclaimer: This paper may contain offensive examples; reader discretion is advised.

• The paper introduces VLMGuard, which estimates prompt maliciousness in latent subspaces using SVD on VLM embeddings.
• It leverages unlabeled data to train a binary prompt classifier, bypassing extensive labeled dataset requirements.
• Empirical results demonstrate superior detection of adversarial and jailbreak prompts, highlighting its scalability and robustness.

VLMGuard: A Framework for Detecting Malicious Prompts in Vision-LLMs

The paper discusses a novel methodology, termed VLMGuard, designed to protect Vision-LLMs (VLMs) from adversarial and malicious user prompts by leveraging unlabeled data. This approach is particularly relevant given the increasing integration of VLMs into real-world applications, where adversarial attacks on these models could lead to harmful or unintended outputs. Key highlights from the paper include the detailed definition of the problem, the innovative approach to detecting malicious prompts, and empirical evidence demonstrating the effectiveness of VLMGuard.

Overview of VLMGuard

VLMGuard addresses the pressing issue of malicious prompt detection in environments where labeled data is scarce. Traditional methods often require extensive labeled datasets for training, which is impractical at scale and does not adapt well to the diverse and evolving nature of user inputs in the wild. To circumvent these limitations, VLMGuard leverages the unlabeled prompts that inevitably arise during the deployment of VLMs.

Methodology

VLMGuard's approach can be divided into two primary steps:

1. Estimating Maliciousness in the Latent Subspace:
   • The paper introduces a method for estimating the maliciousness of prompts by analyzing the embeddings produced by the VLM. The core idea is that embeddings of adversarial prompts occupy a distinct subspace in the latent representation space of the model.
   • By applying Singular Value Decomposition (SVD) to the embeddings, the method identifies key singular vectors that represent this subspace. A scoring function based on the projection of embeddings onto these vectors is developed to differentiate between benign and malicious prompts.
2. Training the Safeguarding Prompt Classifier:
   • Using the estimated maliciousness scores, the framework classifies the unlabeled prompts into potentially malicious or benign categories.
   • This classification feeds into the training of a binary prompt classifier, which is then used to enhance the detection of malicious prompts during inference.

Experimental Results

Extensive experiments underscore the robustness and efficacy of VLMGuard:

• For the task of detecting adversarial meta-instruction prompts, VLMGuard significantly outperforms state-of-the-art baselines. The detection accuracy, in terms of AUROC, registers superior values across various meta-objectives including Language, Politics, Formality, Spam, and Sentiment.
• The framework also demonstrates excellent performance in detecting jailbreak prompts, a challenging category of adversarial attacks that attempt to bypass the model's safety mechanisms.
• When trained on larger models such as LLaVA-13b, VLMGuard exhibits enhanced detection capabilities, highlighting its scalability to more complex VLMs.

Implications and Future Directions

VLMGuard introduces a practical and flexible solution for safeguarding VLMs in real-world applications. By forgoing the necessity for extensive labeled datasets, it democratizes the deployment of robust AI systems. The use of unlabeled data not only ensures adaptability to new and evolving types of adversarial attacks but also significantly reduces the overhead associated with data annotation.

From a theoretical standpoint, the approach opens avenues for further research into the characterization of malicious behavior in high-dimensional latent spaces. The subspace-based decomposition technique and its efficacy in capturing the essence of malicious inputs provide a fertile ground for advancing our understanding of adversarial robustness in multimodal AI systems.

Future work could focus on extending VLMGuard to handle other types of malicious data beyond adversarial noise, such as detecting harmful overlays in visual prompts or combinations of text and image manipulations. Additionally, methods to address potential distribution shifts between the training and deployment phases could be explored to enhance the robustness of the framework.

Conclusion

VLMGuard offers a sophisticated yet practical framework for detecting malicious prompts in Vision-LLMs by leveraging unlabeled data. This paper not only presents strong empirical results but also thoughtfully addresses the scalability and flexibility of the proposed approach, making it a valuable contribution to the AI safety domain. As VLMs become increasingly integrated into various applications, frameworks like VLMGuard will be essential in ensuring their safe and reliable operation.