Unfiltered and Unseen: Universal Multimodal Jailbreak Attacks on Text-to-Image Model Defenses

Download PDF

Song Yan, Hui Wei, Jinlong Fei, Bingbing Zhao, Guoliang Yang, Jia liu, Zheng Wang

18 Sept 2024 (modified: 13 Nov 2024)ICLR 2025 Conference Withdrawn SubmissionEveryoneRevisionsBibTeXCC BY 4.0
Keywords: Diffusion Model, Not-Safe-for- Work (NSFW), Adversarial Attack, Jailbreak Attack
TL;DR: Our paper presents U3-Attack, a universal multimodal jailbreak attack that bypasses prompt filters and safety checkers in Text-to-Image models, revealing significant security vulnerabilities in existing defense mechanisms.
Abstract: Text-to-Image (T2I) models have revolutionized the synthesis of visual content from textual descriptions. However, their potential misuse for generating Not-Safe-For-Work (NSFW) content presents significant risks. While developers have implemented prompt filters and safety checkers, these defense mechanisms have proven inadequate against determined adversaries. In this paper, we introduce U3-Attack, a novel multimodal jailbreak attack against T2I models that effectively circumvents existing safeguards to generate NSFW images. To achieve a universal attack, U3-Attack constructs a context-independent paraphrase candidate set for each sensitive word in the text modality. This approach enables practical attacks against prompt filters with minimal perturbation. In the image modality, we propose a two-stage adversarial patch generation strategy that does not require access to the T2I model's internal architecture or parameters. This design makes our attack applicable to both open-source models and online T2I platforms. Extensive experiments demonstrate the effectiveness of our method across various T2I models, including Stable Diffusion, Leonardo.Ai, and Runway. Our work exposes critical vulnerabilities in current T2I model defenses and underscores the urgent need for more robust safety measures in this rapidly evolving field.
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2025/AuthorGuide.
Reciprocal Reviewing: I understand the reciprocal reviewing requirement as described on https://iclr.cc/Conferences/2025/CallForPapers. If none of the authors are registered as a reviewer, it may result in a desk rejection at the discretion of the program chairs. To request an exception, please complete this form at https://forms.gle/Huojr6VjkFxiQsUp6.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors’ identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 1603