TLDR: A new two-stage defense framework, SPO-VLM, protects Vision Language Models (VLMs) from “jailbreak” attacks by combining adaptive internal “steering vectors” with sequence-level preference optimization. This approach significantly reduces harmful outputs and attack success rates while preserving or even improving the VLM’s visual understanding and general utility, offering a balanced and robust safety solution.
Vision Language Models (VLMs) are powerful AI systems that combine visual and textual information, allowing them to understand and reason about the world in a more comprehensive way. However, these advanced models are also vulnerable to “jailbreak” attacks, where malicious prompts can trick them into generating harmful or inappropriate content. A new research paper introduces a novel defense framework called Sequence-Level Preference Optimization for VLM (SPO-VLM) to combat these vulnerabilities.
The paper, titled “Activation Steering Meets Preference Optimization: Defense Against Jailbreaks in Vision Language Models,” by Sihao Wu, Gaojie Jin, Wei Huang, Jianhong Wang, and Xiaowei Huang, presents a two-stage approach to make VLMs safer without compromising their ability to understand images and text.
Understanding the Problem: VLM Vulnerabilities
VLMs have made significant strides in AI, enabling seamless integration of visual and textual data for tasks like image captioning and visual question answering. Despite their success, they are susceptible to adversarial attacks. These “jailbreak” attacks exploit both visual and textual inputs to bypass safety mechanisms and induce harmful responses. Existing defense methods, such as activation steering, modify the model’s internal representations to guide its behavior. However, these often rely on specific prompts and can sometimes degrade the model’s visual understanding.
SPO-VLM: A Two-Stage Defense
SPO-VLM addresses these limitations with a unique two-stage framework.
In Stage I: Initialization of Steering Activation, the system computes adaptive, layer-specific “steering vectors.” Think of these as internal guides that push the model away from harmful behaviors. These vectors are derived from diverse datasets containing both safe and unsafe examples, allowing for a broad suppression of harmful content during the model’s inference process. Instead of a single, fixed direction, SPO-VLM creates a combination of multiple attribute-specific steering vectors, making the defense more flexible and robust against various attack types.
Stage II: Sequence-Level Preference Optimization refines these initial steering vectors. This stage uses a technique inspired by Reinforcement Learning from Human Feedback (RLHF), specifically a sequence-level variant of Proximal Policy Optimization (PPO). Here, the model learns to favor outputs that are both safe and visually consistent. It does this by using a multi-objective reward system: one part penalizes toxic content, and another ensures the generated text aligns with the visual input. This optimization process directly learns the steering vectors in the model’s activation space, rather than fine-tuning the entire model, making it efficient and less invasive.
Key Advantages and Results
The researchers conducted extensive experiments on popular VLMs like Qwen2-VL-7B, MiniGPT-4-13B, and LLaVA-v1.5-13B. The results show that SPO-VLM significantly enhances safety against jailbreak attacks by reducing toxicity scores and attack success rates across multiple benchmarks. For instance, it achieved lower toxicity scores on the RealToxicityPrompt dataset and reduced attack success rates on AdvBench and Anthropic Harmful datasets compared to previous methods like ASTRA and the original models.
Crucially, SPO-VLM maintains strong performance on benign tasks, meaning it doesn’t sacrifice the model’s helpfulness or visual understanding capabilities for safety. In fact, for some models like Qwen2-VL-7B, it even enhanced visual understanding scores. This optimal balance between safety and utility is a significant improvement over prior defenses, which often showed a trade-off where increased safety led to a decline in visual comprehension.
The framework also demonstrates strong transfer capabilities, effectively defending against different types of structure-based attacks, including challenging combined attacks. This suggests that SPO-VLM is well-suited for real-world deployment where new and varied adversarial strategies are common.
Also Read:
- Securing and Safeguarding AI-Driven Robots: A Unified Framework for Reliable Operation
- Pinpointing Safety: A New Look at LLM Jailbreak Defenses Through Knowledge Neurons
Conclusion
SPO-VLM represents a significant step forward in securing Vision Language Models. By combining activation-level intervention with policy-level optimization, it offers a robust and generalizable defense against jailbreak attacks, ensuring VLMs can be deployed more safely and reliably. The researchers plan to release their code, model weights, and evaluation toolkit to support further research in this critical area.
For more technical details, you can refer to the full research paper available at arXiv.
