SPIRIT: Patching Speech Language Models against Jailbreak Attacks
This addresses security risks for SLM users by patching against adversarial attacks, though it is incremental as it builds on existing defense methods.
The paper tackled the vulnerability of Speech Language Models (SLMs) to jailbreak attacks, finding they can achieve a 100% success rate, and proposed a post-hoc patching defense that improves robustness up to 99% with negligible utility impact and no re-training.
Speech Language Models (SLMs) enable natural interactions via spoken instructions, which more effectively capture user intent by detecting nuances in speech. The richer speech signal introduces new security risks compared to text-based models, as adversaries can better bypass safety mechanisms by injecting imperceptible noise to speech. We analyze adversarial attacks and find that SLMs are substantially more vulnerable to jailbreak attacks, which can achieve a perfect 100% attack success rate in some instances. To improve security, we propose post-hoc patching defenses used to intervene during inference by modifying the SLM's activations that improve robustness up to 99% with (i) negligible impact on utility and (ii) without any re-training. We conduct ablation studies to maximize the efficacy of our defenses and improve the utility/security trade-off, validated with large-scale benchmarks unique to SLMs.