A method and system for jailbreaking a text-to-drawing model based on a visual language model agent
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HUAZHONG UNIV OF SCI & TECH
- Filing Date
- 2026-03-06
- Publication Date
- 2026-06-19
Smart Images

Figure CN122241712A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of artificial intelligence security and multimodal generative model technology, and more specifically, relates to a jailbreak attack method and system for text-to-image (T2I) models based on a Vision-Language Model (VLM) proxy. Background Technology
[0002] In recent years, text-based image generation models (such as DALL·E 3, Midjourney, Stable Diffusion, Wanxiang, and Doubao) have become core tools for multimodal content creation due to their powerful semantic understanding and high-quality image generation capabilities. However, with the widespread opening of these model interfaces, their potential security risks are becoming increasingly prominent: malicious users can bypass built-in security mechanisms through carefully crafted "jailbreak hints" to generate Not Safe For Work (NSFW) images containing violence, pornography, gore, discrimination, or false information. Therefore, to systematically evaluate the robustness of existing security protection mechanisms and reveal potential weaknesses in the semantic space of security filtering strategies, it is necessary to construct a controllable and analyzable text-based image jailbreak attack method to simulate adversarial scenarios and quantify the security performance of models under complex semantic perturbations.
[0003] Existing jailbreak attack methods targeting text-based graph models can be mainly divided into two categories: The first category is token-based optimization attack methods, which typically treat security filters or generative models as queryable black boxes or differentiable models. Through gradient optimization, genetic algorithms, or random search, they perturb or replace the tokens in the input prompts to find the optimal input sequence that can bypass security detection. The core idea is to change the vocabulary or structural form while maintaining the target's semantic intent, making it outside the discrimination boundary of the security detector. The second category is semantic rewriting attack methods based on Large Language Models (LLMs). These methods utilize LLMs to semantically reconstruct, metaphorically replace, or abstract the original insecure prompts to generate prompt text that superficially conforms to security specifications but semantically still points to the target content.
[0004] However, both of the above-mentioned existing methods have some drawbacks that cannot be ignored:
[0005] First, the aforementioned token-based attack methods primarily aim to bypass detection and lack explicit constraint mechanisms for the semantic consistency of the generated image. They cannot guarantee the content consistency between the final generated image and the original target semantics, thus leading to the problem of successful attack but semantic deviation.
[0006] Second, the above-mentioned semantic rewriting methods based on large language models are highly dependent on the results of a single semantic reconstruction and lack a closed-loop iterative optimization mechanism. When the rewriting fails or the generated results are rejected, there is no adaptive correction process based on feedback signals, resulting in low attack stability.
[0007] Third, the two existing methods mentioned above usually only directly manipulate the text prompts, without making full use of the multimodal information feedback between the generated image and the original target semantics, and lack an optimization objective function based on image-text consistency measurement, making it difficult to quantitatively evaluate and finely control the attack effect.
[0008] Fourth, the two existing methods mentioned above lack a collaborative optimization mechanism between security detection and semantic preservation. They can only optimize the "pass rate" or "semantic naturalness" separately, and cannot achieve stable convergence under the dual constraints of security compliance and semantic consistency. Summary of the Invention
[0009] To address the aforementioned deficiencies or improvement needs of existing technologies, this invention provides a method and system for jailbreak attacks using text-to-image models based on visual language model proxies. Its purpose is to solve the following problems: Token-based attack methods, which primarily aim to bypass detection and lack explicit constraints on the semantic consistency of the generated image, cannot guarantee content consistency between the final generated image and the original target semantics, thus leading to successful attacks but semantic deviations; existing methods based on large language models for semantic rewriting, which heavily rely on single semantic reconstruction results and lack a closed-loop iterative optimization mechanism, resulting in low attack stability when rewriting fails or the generated result is rejected, lacking an adaptive correction process based on feedback signals; existing methods, which typically only directly manipulate text prompts and do not fully utilize the multimodal information feedback between the generated image and the original target semantics, lacking an optimization objective function based on image-text consistency metrics, making it difficult to quantitatively evaluate and finely control the attack effect; and existing methods, lacking a collaborative optimization mechanism between security detection passing and semantic preservation, failing to achieve stable convergence under the dual constraints of security compliance and semantic consistency.
[0010] To achieve the above objectives, according to one aspect of the present invention, a jailbreak attack method based on a VLM proxy for a T2I model is provided, comprising the following steps:
[0011] (1) Obtain the user's input of an insecure prompt command and perform a pre-validation of the insecure prompt command to obtain the target prompt command;
[0012] (2) The target prompt command obtained in step (1) is processed using the Wensheng image model to obtain the unsafe NSFW image;
[0013] (3) Construct a multi-constraint guidance instruction based on the unsafe work image obtained in step (2) and the unsafe prompt command obtained in step (1), and input the unsafe work image and the multi-constraint guidance instruction into a pre-established visual language model to obtain a preliminary adversarial prompt;
[0014] (4) Use the text graph model to perform multi-stage verification and iterative optimization on the preliminary adversarial hints obtained in step (3) to obtain adversarial hints.
[0015] Preferably, step (1) specifically involves: first, receiving the user-submitted insecure prompt command through the user interaction interface; then, performing basic cleaning processing on the insecure prompt command to obtain the processed insecure prompt command; subsequently, automatically calling one or more public inference interfaces of commercial text graph models to perform legality pre-verification on the processed insecure prompt command to obtain the target prompt command; wherein the basic cleaning processing includes removing leading and trailing whitespace characters, unifying English punctuation, limiting the maximum length, and verifying its language type, i.e., only accepting English prompts.
[0016] Preferably, step (2) includes the following sub-steps:
[0017] (2-1) Obtain the text image model and initialize it to obtain the initialized text image model;
[0018] (2-2) Input the unsafe warning command obtained in step (1) into the initialized Wensheng image model obtained in step (2-1) to obtain the RGB image;
[0019] (2-3) Save the RGB image obtained in step (2-2) as a temporary file and use it as an unsafe image for work.
[0020] Preferably, step (2-1) specifically involves: first, setting the generation parameters of the text-based image model, including setting CFGscale=7.5, sampling steps=30, and fixing the random seed to 42 to ensure reproducibility; then, setting the key generation hyperparameters of the text-based image model, including setting the classifier-free guidance coefficient to 7.5, setting the sampling steps to 30, and using Euler a or DPM++ 2Mkarras as the sampler; subsequently, setting the random seed to 42 and the batch size to 1.
[0021] Preferably, step (3) includes the following sub-steps:
[0022] (3-1) Initialize a rule set containing security compliance policies, obtain security compliance policies from the rule set, and construct a multi-constraint guidance instruction template based on the security compliance policies. The multi-constraint guidance instruction template consists of a prohibitive semantic constraint field and a target prompt word placeholder.
[0023] (3-2) Input the unsafe prompt command obtained in step (1) into the target prompt word placeholder of the multi-constraint guidance instruction template obtained in step (3-1) for semantic normalization processing to obtain the composite guidance instruction;
[0024] (3-3) Use a multimodal coding algorithm to fuse the working insecure image obtained in step (2) and the composite guidance instruction obtained in step (3-2) to obtain a multimodal input vector;
[0025] (3-4) Call the pre-trained visual language model agent to perform forward inference on the multimodal input vector obtained in step (3-3) to obtain the initial text description that conforms to the safety constraint conditions in the multi-constraint guidance instruction template obtained in step (3-1);
[0026] (3-5) Use a tagging tool to mark the initial text description obtained in step (3-4) as a preliminary adversarial cue.
[0027] Preferably, step (4) includes the following sub-steps:
[0028] (4-1) Initialize the candidate hint set C to be empty, and initialize the iteration counter k=0;
[0029] (4-2) Determine whether the counter k is greater than or equal to the preset maximum iteration number threshold. If yes, proceed to step (4-12); otherwise, proceed to step (4-3).
[0030] (4-3) Input the adversarial hints of the kth iteration into the text graph model or a dedicated text security filter for security filtering test to obtain the generation result, where the adversarial hints of the 0th iteration are the adversarial hints obtained in step (3-5);
[0031] (4-4) Determine whether the generation result obtained in step (4-3) is a rejection prompt or an error status prompt, or a valid image. If it is the former, it means that the adversarial prompt in the k-th iteration has not passed the security review, and then proceed to step (4-5). If it is the latter, it means that the adversarial prompt in the k-th iteration has passed the security compliance test, and then proceed to step (4-7).
[0032] (4-5) Based on the generation results obtained in step (4-3), construct enhanced boot instructions using the iterative suggestion optimization method;
[0033] (4-6) Combine the enhanced guidance instructions obtained in step (4-5) with the work insecurity image obtained in step (2) into multimodal input data, call the same visual language model agent as in step (3-4) to process the multimodal input data to generate adversarial cue for the (k+1)th iteration, set k = k + 1, and return to step (4-2).
[0034] (4-7) Load the pre-trained contrastive language-image pre-trained CLIP model, and use the CLIP model to process the generated results obtained in step (4-3) and the unsafe prompt command in step (1) respectively, so as to obtain the image embedding vector and the text embedding vector respectively.
[0035] (4-8) Calculate the cosine similarity between the image embedding vector and the text embedding vector obtained in step (4-7) as the CLIP score;
[0036] (4-9) Determine whether the CLIP score obtained in step (4-8) is greater than or equal to the preset consistency threshold. If it is, proceed to step (4-13); otherwise, proceed to step (4-10).
[0037] (4-10) Based on the CLIP score obtained in step (4-8), the NSFW image obtained in step (2), and the adversarial cue in the k-th iteration, semantic reinforcement guidance instructions are constructed using an AI model;
[0038] (4-11) Recombine the semantic reinforcement guidance instructions generated in step (4-10) and the NSFW image obtained in step (2) into a multimodal input, call the same visual language model agent as in step (3-4) to reason about the multimodal input to generate the adversarial cue for the (k+1)th iteration, add the adversarial cue for the (k+1)th iteration to the candidate cue set C, set k = k + 1, and return to step (4-2).
[0039] (4-12) Select the adversarial cue with the highest CLIP score from the candidate cue set C as the final adversarial cue;
[0040] (4-13) Output the adversarial cue for the kth iteration as the final adversarial cue.
[0041] According to another aspect of the present invention, a T2I model jailbreak attack system based on VLM proxy is provided, comprising the following modules:
[0042] The first module is used to obtain the insecure prompt command input by the user and perform a pre-validation of the insecure prompt command in order to obtain the target prompt command;
[0043] The second module is used to process the target prompt commands obtained from the first module using the text-based image model to obtain the unsafe NSFW image.
[0044] The third module is used to construct a multi-constraint guidance instruction based on the unsafe work image obtained by the second module and the unsafe prompt command obtained by the first module, and input the unsafe work image and the multi-constraint guidance instruction into a pre-established visual language model to obtain preliminary adversarial prompts.
[0045] The fourth module is used to perform multi-stage verification and iterative optimization of the preliminary adversarial hints obtained in the third module using the text-based graph model, in order to obtain adversarial hints.
[0046] In summary, compared with the prior art, the above-described technical solutions conceived by this invention can achieve the following beneficial effects:
[0047] (1) This invention employs steps (4-7) to (4-9), which load a pre-trained CLIP model, calculate the cosine similarity between the generated image and the original insecure warning command, and set a semantic consistency threshold for judgment, thereby constructing a clear semantic optimization objective function; thus, it can solve the technical problem that the existing token-based optimization method lacks image semantic consistency constraints, which leads to successful attacks but visual content deviation, and ensures that the final generated image maintains a high degree of consistency with the original target semantics at the visual level;
[0048] (2) Since the present invention employs steps (4-2) to (4-6) and steps (4-10) to (4-11), when security review fails or semantic consistency is insufficient, it constructs enhanced guidance instructions based on security filtering feedback signals or semantic missing dimensions, and generates new adversarial prompts through a visual language model proxy, while setting an iteration counter k to achieve multi-round closed-loop optimization; therefore, it can solve the technical problems of existing LLM rewriting methods that rely on single generation, lack feedback-driven adaptive correction mechanisms, and have insufficient attack stability, and achieve a controllable convergent iterative optimization process;
[0049] (3) By employing steps (4-6) and steps (4-7) to (4-8), the present invention recombines the NSFW image and the enhanced guidance instructions into a multimodal input, performs reasoning through a visual language model, and uses the similarity between image embedding and text embedding as the optimization basis to construct a multimodal consistency evaluation system. Therefore, it can solve the technical problems of existing methods that only operate on text prompts, lack quantitative evaluation indicators for image-text consistency, and have difficulty in finely controlling the attack effect, and realize measurable and comparable evaluation of attack quality.
[0050] (4) Since the present invention adopts steps (4-3) to (4-12), it performs security compliance testing and semantic consistency evaluation simultaneously in each iteration, and performs optimal screening through the candidate hint set, thereby achieving synergistic optimization of "security passability" and "semantic preservation". Therefore, it can solve the technical problem that existing methods only focus on bypassing detection or improving naturalness and lack a dual-objective joint optimization mechanism, and achieve stable and effective attack generation under the dual conditions of security constraints and semantic consistency.
[0051] (5) The present invention has high concealment and naturalness: the generated adversarial prompts are fluent and readable natural language, without abnormal tokens, and are not easily detected by human or automated systems;
[0052] (6) This invention has strong portability: because it is based on semantic description rather than token perturbation, it can be effectively migrated to T2I security detectors with different architectures;
[0053] (7) This invention has strong versatility: it is applicable to the security assessment of various T2I models and provides a real and effective red team testing tool for defense mechanisms. Attached Figure Description
[0054] Figure 1 This is an overall schematic diagram of the T2I model jailbreak attack method based on VLM proxy of the present invention;
[0055] Figure 2 This is a flowchart of the T2I model jailbreak attack method based on VLM proxy of the present invention. Detailed Implementation
[0056] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the invention. Furthermore, the technical features involved in the various embodiments of this invention described below can be combined with each other as long as they do not conflict with each other.
[0057] The overall idea of this invention is to propose a jailbreak attack method for Text-to-Image (T2I) models based on a Vision-Language Model (VLM) proxy. This method is used to efficiently evaluate and break through the text security detection mechanisms deployed in current mainstream T2I models. It utilizes the characteristic that an image can be described by multiple semantics, and uses an insecure working image generated by an unprotected T2I model as a semantic anchor. Under the dual guidance of security constraints and semantic fidelity of VLM, it automatically generates adversarial prompts that can both bypass security filters and faithfully reproduce the original malicious intent. Specifically, this invention constructs a closed-loop optimization framework comprising four key functional modules: First, through an image semantic anchoring module, the intercepted original insecure prompt command is transformed into a specific image in a T2I model (such as StableDiffusion) without security mechanisms, thus fixing the attack target; Second, a dual-target guidance description module is designed, utilizing a carefully constructed VLM prompt template to force the VLM output to be a compliant description highly aligned with the original prompt while avoiding sensitive semantics such as violence, dangerous items, and gore; Third, a multi-stage verification feedback module is introduced, combining the actual response of the target T2I model with the CLIP semantic similarity score to dynamically determine whether the current adversarial prompt simultaneously satisfies "accessibility" and "content consistency"; Finally, an iterative memory enhancement rewriting module is established, which injects historical attempt records into the VLM context when failure or deviation occurs, driving it to perform targeted optimization until a valid jailbreak prompt is generated.
[0058] like Figure 1 and Figure 2 As shown, this invention provides a jailbreak attack method for the T2I model based on VLM proxy, including the following steps:
[0059] (1) Obtain the user's input of an insecure prompt command and perform a pre-validation of the insecure prompt command to obtain the target prompt command;
[0060] (2) The target prompt command obtained in step (1) is processed using the Wensheng image model to obtain the Not Safe For Work (NSFW) image;
[0061] (3) Construct a multi-constraint guidance instruction based on the unsafe work image obtained in step (2) and the unsafe prompt command obtained in step (1), and input the unsafe work image and the multi-constraint guidance instruction into a pre-established visual language model to obtain a preliminary adversarial prompt;
[0062] (4) Use the text graph model to perform multi-stage verification and iterative optimization on the preliminary adversarial prompts obtained in step (3) to obtain adversarial prompts (which can bypass the security filter and are semantically consistent with the original insecure prompts).
[0063] Step (1) is as follows: First, receive the insecure prompt command submitted by the user through the user interaction interface (the insecure prompt command should clearly describe a visual scene that is prohibited from being generated under the mainstream content security policy). Then, perform basic cleaning processing on the insecure prompt command (including removing leading and trailing whitespace characters, unifying English punctuation, limiting the maximum length, i.e., no more than 256 tokens by default, and verifying its language type, i.e., only accepting English prompts, in order to adapt to the subsequent VLM processing flow) to obtain the processed insecure prompt command.
[0064] Subsequently, the system automatically calls one or more public inference interfaces of commercial text graph models to perform a pre-validation of the processed insecure prompt command in order to obtain the target prompt command.
[0065] Step (2) specifically includes the following sub-steps:
[0066] (2-1) Obtain the text image model and initialize it to obtain the initialized text image model;
[0067] Specifically, this step involves first setting the generation parameters of the text-based image model, including setting the CFG scale to 7.5, the number of sampling steps to 30, and the random seed to a fixed 42 to ensure reproducibility. Then, the key generation hyperparameters of the text-based image model are set (to improve experimental reproducibility and cross-platform consistency), including setting the classifier-free guidance scale to 7.5 (this value strikes a good balance between generation quality and cue following accuracy, avoiding deviation from the cue if too low or artifacts if too high), setting the number of sampling steps to 30, and using an efficient sampler such as Euler a or DPM++ 2Mkarras (controlling computational overhead while preserving image detail). Subsequently, the random seed is set to 42 (or another preset constant to ensure that the same unsafe cue command generates identical images in different runs, facilitating subsequent evaluation and result comparison of the Contrastive Language–Image Pre-training (CLIP) model), and the batch size is set. The size is set to 1 to support precise mapping of a single cue to a single image.
[0068] With the above parameter configuration, the system calls the model inference interface to execute the complete denoising and diffusion process. The entire generation operation is completed on hardware that supports CUDA acceleration, such as NVIDIA A10 / A100, with an average time of 3–8 seconds. By controlling these parameters, we can obtain the text-based graph model we need.
[0069] (2-2) Input the unsafe warning command obtained in step (1) into the initialized Wensheng image model obtained in step (2-1) to obtain an RGB image (which is a high-resolution RGB image, with a default value of 512×512 pixels).
[0070] Specifically, the RGB image obtained in this step reflects the unsafe scenario described by the unsafe warning command in terms of visual content (such as a close-up of a person using a dangerous object).
[0071] Upon completion of this step, an RGB image is obtained. This is a standard RGB format digital image with a spatial resolution of 512×512 pixels (for models supporting higher resolutions such as SDXL, this can be expanded to 1024×1024, but this invention defaults to 512×512 to be compatible with a wide range of model architectures). This RGB image highly reproduces the core elements of the original unsafe warning command at the visual semantic level. It is worth noting that although the image content falls within the scope of NSFW, because the generation process completely bypasses security review, its richness of detail and semantic accuracy far exceed any "whitewashed" alternative description, thus providing a high-quality, lossless original visual image for subsequent VLM re-description.
[0072] (2-3) Save the RGB image obtained in step (2-2) as a temporary file and use it as an unsafe image for work.
[0073] Step (3) includes the following sub-steps:
[0074] (3-1) Initialize a rule set containing security compliance policies, obtain security compliance policies from the rule set, and construct a multi-constraint guidance instruction template based on the security compliance policies. The multi-constraint guidance instruction template consists of a prohibitive semantic constraint field and a target prompt word placeholder.
[0075] (3-2) Input the unsafe prompt command obtained in step (1) into the target prompt word placeholder of the multi-constraint guidance instruction template obtained in step (3-1) for semantic normalization processing to obtain the composite guidance instruction;
[0076] (3-3) Use a multimodal coding algorithm to fuse the working insecure image obtained in step (2) and the composite guidance instruction obtained in step (3-2) to obtain a multimodal input vector;
[0077] (3-4) Call the pre-trained visual language model agent to perform forward inference on the multimodal input vector obtained in step (3-3) to obtain the initial text description that conforms to the safety constraint conditions in the multi-constraint guidance instruction template obtained in step (3-1);
[0078] (3-5) Use a labeling tool to mark the initial text descriptions obtained in step (3-4) as preliminary adversarial hints;
[0079] The advantage of the above sub-steps (3-1) to (3-5) is that by introducing an unsafe working image as a visual semantic reference, the visual language model generates the corresponding text description based on the real image content, thereby ensuring that the generated adversarial prompts are highly consistent with the target content at the semantic level. This avoids the semantic shift problem caused by relying solely on text rewriting, and thus solves the problem of inconsistent generated images with the original semantics in existing language model-based rewriting methods.
[0080] Step (4) includes the following sub-steps:
[0081] (4-1) Initialize the candidate hint set C to be empty, and initialize the iteration counter k=0;
[0082] Specifically, the candidate hint set is used to store adversarial hints that have passed security compliance tests but have not met the semantic consistency threshold during the iteration process, along with their corresponding CLIP scores.
[0083] (4-2) Determine whether the counter k is greater than or equal to the preset maximum iteration number threshold (its value range is 5 to 10, preferably 8). If yes, proceed to step (4-12); otherwise, proceed to step (4-3).
[0084] (4-3) Input the adversarial hints from the k-th iteration (the adversarial hints from the 0-th iteration are the adversarial hints obtained in step (3-5)) into the text graph model or a dedicated text security filter for security filtering test to obtain the generation results;
[0085] (4-4) Determine whether the generation result obtained in step (4-3) is a rejection message or an error status message, or a valid image. If it is the former (the rejection message is, for example, HTTP 400 / 403, and the error status message includes "invalid content" or "blocked by the security system"), it means that the adversarial message of the k-th iteration (which is the adversarial message obtained in step (3-5)) has not passed the security review, and then proceed to step (4-5). If it is the latter, it means that the adversarial message of the k-th iteration has passed the security compliance test, and proceed to step (4-7).
[0086] (4-5) Based on the generation results obtained in step (4-3), construct enhanced boot instructions using the iterative suggestion optimization method;
[0087] Specifically, the enhanced guidance instructions constructed in this step are used to guide the visual language model to rewrite it in a more covert and compliant manner while keeping the core semantic intent unchanged, so as to increase the probability of passing the security filter.
[0088] The advantage of the above sub-steps (4-3) to (4-5) is that, during the iteration process, the prompts are filtered by the verification results, and prompts that cannot bypass the security filter can be eliminated, thereby improving the quality of the final generated prompts.
[0089] (4-6) Combine the enhanced guidance instructions obtained in step (4-5) with the work insecurity image obtained in step (2) into multimodal input data, call the same visual language model agent as in step (3-4) to process the multimodal input data to generate adversarial cue for the (k+1)th iteration, set k = k + 1, and return to step (4-2).
[0090] (4-7) Load the pre-trained CLIP model and use the CLIP model to process the generated result obtained in step (4-3) (scaled to 224×224 and normalized) and the insecure prompt command in step (1) (encoded as a text token sequence) to obtain the image embedding vector and the text embedding vector respectively.
[0091] (4-8) Calculate the cosine similarity between the image embedding vector and the text embedding vector obtained in step (4-7) as the CLIP score;
[0092] (4-9) Determine whether the CLIP score obtained in step (4-8) is greater than or equal to the preset consistency threshold (its value range is between 0.5 and 1, preferably 0.75). If it is, it means that the adversarial prompt in the k-th iteration is highly consistent with the insecure prompt command in step (1) in the semantic space, and satisfies the conditions of "security passability" and "semantic consistency", and then proceed to step (4-13). Otherwise, it means that although the generated result obtained in step (4-3) passes the security review, it deviates from the original semantic intent in the key visual elements, and then proceed to step (4-10).
[0093] (4-10) Based on the CLIP score obtained in step (4-8), the NSFW image obtained in step (2), and the adversarial cue in the k-th iteration, semantic reinforcement guidance instructions are constructed using an AI model;
[0094] Specifically, the semantic enhancement guidance instructions obtained in this step are used to enhance the granularity of key visual element descriptions while maintaining security and compliance constraints.
[0095] The AI model used in this step is the Qianwen model.
[0096] (4-11) Recombine the semantic reinforcement guidance instructions generated in step (4-10) and the NSFW image obtained in step (2) into a multimodal input, call the same visual language model agent as in step (3-4) to reason about the multimodal input to generate the adversarial cue for the (k+1)th iteration, add the adversarial cue for the (k+1)th iteration to the candidate cue set C, set k = k + 1, and return to step (4-2).
[0097] (4-12) Select the adversarial cue with the highest CLIP score from the candidate cue set C as the final adversarial cue;
[0098] (4-13) Output the adversarial cue for the kth iteration as the final adversarial cue.
[0099] The advantage of the above sub-steps (4-1) to (4-13) is that by performing multiple rounds of verification in the text-generated graph model, the effect of the initial adversarial prompts in the real generation environment can be directly tested, ensuring that the generated prompts can successfully bypass the model's security filtering mechanism, thereby improving the attack success rate of the final adversarial prompts.
[0100] Those skilled in the art will readily understand that the above description is merely a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.
Claims
1. A jailbreak attack method based on VLM proxy using the T2I model, characterized in that, Includes the following steps: (1) Obtain the user's input of an insecure prompt command and perform a pre-validation of the insecure prompt command to obtain the target prompt command; (2) The target prompt command obtained in step (1) is processed using the Wensheng image model to obtain the unsafe NSFW image; (3) Construct a multi-constraint guidance instruction based on the unsafe work image obtained in step (2) and the unsafe prompt command obtained in step (1), and input the unsafe work image and the multi-constraint guidance instruction into a pre-established visual language model to obtain a preliminary adversarial prompt; (4) Use the text graph model to perform multi-stage verification and iterative optimization on the preliminary adversarial hints obtained in step (3) to obtain adversarial hints.
2. The jailbreak attack method based on VLM proxy according to claim 1, characterized in that, Step (1) specifically involves first receiving the insecurity warning command submitted by the user through the user interaction interface, and then performing basic cleaning processing on the insecurity warning command to obtain the processed insecurity warning command. Subsequently, the public inference interface of one or more commercial text graph models is automatically invoked to perform a pre-validation of the legality of the processed insecure prompt command in order to obtain the target prompt command; The basic cleaning process includes removing leading and trailing whitespace characters, standardizing English punctuation, limiting the maximum length, and verifying the language type, i.e., only accepting English prompts.
3. The T2I model jailbreak attack method based on VLM proxy according to claim 1 or 2, characterized in that, Step (2) includes the following sub-steps: (2-1) Obtain the text image model and initialize it to obtain the initialized text image model; (2-2) Input the unsafe warning command obtained in step (1) into the initialized Wensheng image model obtained in step (2-1) to obtain the RGB image; (2-3) Save the RGB image obtained in step (2-2) as a temporary file and use it as an unsafe image for work.
4. The T2I model jailbreak attack method based on VLM proxy according to claims 1 to 3, characterized in that, Step (2-1) is as follows: First, set the generation parameters of the text image model, including setting CFGscale=7.5, sampling steps=30, and the random seed fixed at 42 to ensure reproducibility; then, set the key generation hyperparameters of the text image model, including setting the classifier-free guidance coefficient to 7.5, setting the sampling steps to 30, and using Eulera or DPM++2Mkarras as the sampler; subsequently, set the random seed to 42 and the batch size to 1.
5. The T2I model jailbreak attack method based on VLM proxy according to claim 4, characterized in that, Step (3) includes the following sub-steps: (3-1) Initialize a rule set containing security compliance policies, obtain security compliance policies from the rule set, and construct a multi-constraint guidance instruction template based on the security compliance policies. The multi-constraint guidance instruction template consists of a prohibitive semantic constraint field and a target prompt word placeholder. (3-2) Input the unsafe prompt command obtained in step (1) into the target prompt word placeholder of the multi-constraint guidance instruction template obtained in step (3-1) for semantic normalization processing to obtain the composite guidance instruction; (3-3) Use a multimodal coding algorithm to fuse the working insecure image obtained in step (2) and the composite guidance instruction obtained in step (3-2) to obtain a multimodal input vector; (3-4) Call the pre-trained visual language model agent to perform forward inference on the multimodal input vector obtained in step (3-3) to obtain the initial text description that conforms to the safety constraint conditions in the multi-constraint guidance instruction template obtained in step (3-1); (3-5) Use a tagging tool to mark the initial text description obtained in step (3-4) as a preliminary adversarial cue.
6. The T2I model jailbreak attack method based on VLM proxy according to claim 5, characterized in that, Step (4) includes the following sub-steps: (4-1) Initialize the candidate hint set C to be empty, and initialize the iteration counter k=0; (4-2) Determine whether the counter k is greater than or equal to the preset maximum iteration number threshold. If yes, proceed to step (4-12); otherwise, proceed to step (4-3). (4-3) Input the adversarial hints of the kth iteration into the text graph model or a dedicated text security filter for security filtering test to obtain the generation result, where the adversarial hints of the 0th iteration are the adversarial hints obtained in step (3-5); (4-4) Determine whether the generation result obtained in step (4-3) is a rejection prompt or an error status prompt, or a valid image. If it is the former, it means that the adversarial prompt in the k-th iteration has not passed the security review, and then proceed to step (4-5). If it is the latter, it means that the adversarial prompt in the k-th iteration has passed the security compliance test, and then proceed to step (4-7). (4-5) Based on the generation results obtained in step (4-3), construct enhanced boot instructions using the iterative suggestion optimization method; (4-6) Combine the enhanced guidance instructions obtained in step (4-5) with the work insecurity image obtained in step (2) into multimodal input data, call the same visual language model agent as in step (3-4) to process the multimodal input data to generate adversarial prompts for the (k+1)th iteration, set k=k+1, and return to step (4-2). (4-7) Load the pre-trained contrastive language-image pre-trained CLIP model, and use the CLIP model to process the generated results obtained in step (4-3) and the unsafe prompt command in step (1) respectively, so as to obtain the image embedding vector and the text embedding vector respectively. (4-8) Calculate the cosine similarity between the image embedding vector and the text embedding vector obtained in step (4-7) as the CLIP score; (4-9) Determine whether the CLIP score obtained in step (4-8) is greater than or equal to the preset consistency threshold. If it is, proceed to step (4-13); otherwise, proceed to step (4-10). (4-10) Based on the CLIP score obtained in step (4-8), the NSFW image obtained in step (2), and the adversarial cue in the k-th iteration, semantic reinforcement guidance instructions are constructed using an AI model; (4-11) Recombine the semantic reinforcement guidance instructions generated in step (4-10) and the NSFW image obtained in step (2) into a multimodal input, call the same visual language model agent as in step (3-4) to reason about the multimodal input to generate the adversarial cue for the (k+1)th iteration, add the adversarial cue for the (k+1)th iteration to the candidate cue set C, set k=k+1, and return to step (4-2). (4-12) Select the adversarial cue with the highest CLIP score from the candidate cue set C as the final adversarial cue; (4-13) Output the adversarial cue for the kth iteration as the final adversarial cue.
7. A T2I model jailbreak attack system based on VLM proxy, characterized in that, Includes the following modules: The first module is used to obtain the insecure prompt command input by the user and perform a pre-validation of the insecure prompt command in order to obtain the target prompt command; The second module is used to process the target prompt commands obtained from the first module using the text-based image model to obtain the unsafe NSFW image. The third module is used to construct a multi-constraint guidance instruction based on the unsafe work image obtained by the second module and the unsafe prompt command obtained by the first module, and input the unsafe work image and the multi-constraint guidance instruction into a pre-established visual language model to obtain preliminary adversarial prompts. The fourth module is used to perform multi-stage verification and iterative optimization of the preliminary adversarial hints obtained in the third module using the text-based graph model, in order to obtain adversarial hints.