Adversarial Prompt Injection Attack on Multimodal Large Language Models
This addresses security risks for users of MLLMs in real-world applications, representing an incremental advance by extending prompt injection to the visual modality.
The paper tackles the vulnerability of multimodal large language models (MLLMs) to imperceptible visual prompt injection attacks, achieving superior performance in compromising multiple closed-source MLLMs on multimodal understanding tasks compared to existing methods.
Although multimodal large language models (MLLMs) are increasingly deployed in real-world applications, their instruction-following behavior leaves them vulnerable to prompt injection attacks. Existing prompt injection methods predominantly rely on textual prompts or perceptible visual prompts that are observable by human users. In this work, we study imperceptible visual prompt injection against powerful closed-source MLLMs, where adversarial instructions are embedded in the visual modality. Our method adaptively embeds the malicious prompt into the input image via a bounded text overlay to provide semantic guidance. Meanwhile, the imperceptible visual perturbation is iteratively optimized to align the feature representation of the attacked image with those of the malicious visual and textual targets at both coarse- and fine-grained levels. Specifically, the visual target is instantiated as a text-rendered image and progressively refined during optimization to more faithfully represent the desired semantics and improve transferability. Extensive experiments on two multimodal understanding tasks across multiple closed-source MLLMs demonstrate the superior performance of our approach compared to existing methods.