HTS-Attack: Heuristic Token Search for Jailbreaking Text-to-Image Models
Text-to-Image(T2I) models have achieved remarkable success in image generation and editing, yet these models still have many potential issues, particularly in generating inappropriate or Not-Safe-For-Work(NSFW) content. Strengthening attacks and uncovering such vulnerabilities can advance the develo...
Main authors: | , , , , , , , |
---|---|
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Order full text |
container_end_page | |
---|---|
container_issue | |
container_start_page | |
container_title | |
container_volume | |
creator | Gao, Sensen Jia, Xiaojun Huang, Yihao Duan, Ranjie Gu, Jindong Bai, Yang Liu, Yang Guo, Qing |
description | Text-to-Image(T2I) models have achieved remarkable success in image
generation and editing, yet these models still have many potential issues,
particularly in generating inappropriate or Not-Safe-For-Work(NSFW) content.
Strengthening attacks and uncovering such vulnerabilities can advance the
development of reliable and practical T2I models. Most of the previous works
treat T2I models as white-box systems, using gradient optimization to generate
adversarial prompts. However, accessing the model's gradient is often
impossible in real-world scenarios. Moreover, existing defense methods, those
using gradient masking, are designed to prevent attackers from obtaining
accurate gradient information. While several black-box jailbreak attacks have
been explored, they achieve the limited performance of jailbreaking T2I models
due to difficulties associated with optimization in discrete spaces. To address
this, we propose HTS-Attack, a heuristic token search attack method. HTS-Attack
begins with an initialization that removes sensitive tokens, followed by a
heuristic search where high-performing candidates are recombined and mutated.
This process generates a new pool of candidates, and the optimal adversarial
prompt is updated based on their effectiveness. By incorporating both optimal
and suboptimal candidates, HTS-Attack avoids local optima and improves
robustness in bypassing defenses. Extensive experiments validate the
effectiveness of our method in attacking the latest prompt checkers, post-hoc
image checkers, securely trained T2I models, and online commercial models. |
doi_str_mv | 10.48550/arxiv.2408.13896 |
format | Article |
fulltext | fulltext_linktorsrc |
identifier | DOI: 10.48550/arxiv.2408.13896 |
ispartof | |
issn | |
language | eng |
recordid | cdi_arxiv_primary_2408_13896 |
source | arXiv.org |
subjects | Computer Science - Computer Vision and Pattern Recognition Computer Science - Cryptography and Security |
title | HTS-Attack: Heuristic Token Search for Jailbreaking Text-to-Image Models |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-30T00%3A46%3A02IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=HTS-Attack:%20Heuristic%20Token%20Search%20for%20Jailbreaking%20Text-to-Image%20Models&rft.au=Gao,%20Sensen&rft.date=2024-08-25&rft_id=info:doi/10.48550/arxiv.2408.13896&rft_dat=%3Carxiv_GOX%3E2408_13896%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |