Adversarial Confusion Attack: Disrupting Multimodal Large Language Models
This work addresses security vulnerabilities in MLLMs used by AI agents, though it is incremental in that it builds on a basic adversarial technique, PGD.
The paper tackles the problem of disrupting multimodal large language models (MLLMs) by introducing the Adversarial Confusion Attack, which induces systematic disruption so that the model generates incoherent or incorrect outputs, and shows that a single adversarial image can disrupt multiple models, including unseen proprietary ones such as GPT-5.1.
We introduce the Adversarial Confusion Attack, a new class of threats against multimodal large language models (MLLMs). Unlike jailbreaks or targeted misclassification, the goal is to induce systematic disruption that makes the model generate incoherent or confidently incorrect outputs. Practical applications include embedding such adversarial images into websites to prevent MLLM-powered AI agents from operating reliably. The proposed attack maximizes next-token entropy using a small ensemble of open-source MLLMs. In the white-box setting, we show that a single adversarial image can disrupt all models in the ensemble, in both the full-image and the Adversarial CAPTCHA settings. Despite relying on a basic adversarial technique (PGD), the attack generates perturbations that transfer to both unseen open-source (e.g., Qwen3-VL) and proprietary (e.g., GPT-5.1) models.