HTS-Attack: Heuristic Token Search for Jailbreaking Text-to-Image Models

Text-to-Image(T2I) models have achieved remarkable success in image generation and editing, yet these models still have many potential issues, particularly in generating inappropriate or Not-Safe-For-Work(NSFW) content. Strengthening attacks and uncovering such vulnerabilities can advance the develo...

Ausführliche Beschreibung

Gespeichert in:

Bibliographische Detailangaben
Veröffentlicht in:	arXiv.org 2024-12
Hauptverfasser:	Gao, Sensen, Jia, Xiaojun, Huang, Yihao, Duan, Ranjie, Gu, Jindong, Bai, Yang, Liu, Yang, Guo, Qing
Format:	Artikel
Sprache:	eng
Schlagworte:	Black boxes Heuristic Image processing Maximization Optimization Similarity System reliability
Online-Zugang:	Volltext
Tags:	Tag hinzufügen Keine Tags, Fügen Sie den ersten Tag hinzu!

container_end_page
container_issue
container_start_page
container_title	arXiv.org
container_volume
creator	Gao, Sensen Jia, Xiaojun Huang, Yihao Duan, Ranjie Gu, Jindong Bai, Yang Liu, Yang Guo, Qing
description	Text-to-Image(T2I) models have achieved remarkable success in image generation and editing, yet these models still have many potential issues, particularly in generating inappropriate or Not-Safe-For-Work(NSFW) content. Strengthening attacks and uncovering such vulnerabilities can advance the development of reliable and practical T2I models. Most of the previous works treat T2I models as white-box systems, using gradient optimization to generate adversarial prompts. However, accessing the model's gradient is often impossible in real-world scenarios. Moreover, existing defense methods, those using gradient masking, are designed to prevent attackers from obtaining accurate gradient information. While several black-box jailbreak attacks have been explored, they achieve the limited performance of jailbreaking T2I models due to difficulties associated with optimization in discrete spaces. To address this, we propose HTS-Attack, a heuristic token search attack method. HTS-Attack begins with an initialization that removes sensitive tokens, followed by a heuristic search where high-performing candidates are recombined and mutated. This process generates a new pool of candidates, and the optimal adversarial prompt is updated based on their effectiveness. By incorporating both optimal and suboptimal candidates, HTS-Attack avoids local optima and improves robustness in bypassing defenses. Extensive experiments validate the effectiveness of our method in attacking the latest prompt checkers, post-hoc image checkers, securely trained T2I models, and online commercial models.
format	Article
fullrecord	<record><control><sourceid>proquest</sourceid><recordid>TN_cdi_proquest_journals_3097950664</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>3097950664</sourcerecordid><originalsourceid>FETCH-proquest_journals_30979506643</originalsourceid><addsrcrecordid>eNqNyr0KwjAUQOEgCBbtO1xwDsSkP9ZNRImCk9lLrLc1bW00ScHH18EHcDrDdyYk4kKs6DrhfEZi71vGGM9ynqYiIlKqC92GoKtuAxJHZ3wwFSjb4QAX1K66Q20dnLTprw51Z4YGFL4DDZYeH7pBONsb9n5BprXuPca_zsnysFc7SZ_Ovkb0oWzt6IYvlYIVeZGyLEvEf9cHqe469w</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>3097950664</pqid></control><display><type>article</type><title>HTS-Attack: Heuristic Token Search for Jailbreaking Text-to-Image Models</title><source>Free E- Journals</source><creator>Gao, Sensen ; Jia, Xiaojun ; Huang, Yihao ; Duan, Ranjie ; Gu, Jindong ; Bai, Yang ; Liu, Yang ; Guo, Qing</creator><creatorcontrib>Gao, Sensen ; Jia, Xiaojun ; Huang, Yihao ; Duan, Ranjie ; Gu, Jindong ; Bai, Yang ; Liu, Yang ; Guo, Qing</creatorcontrib><description>Text-to-Image(T2I) models have achieved remarkable success in image generation and editing, yet these models still have many potential issues, particularly in generating inappropriate or Not-Safe-For-Work(NSFW) content. Strengthening attacks and uncovering such vulnerabilities can advance the development of reliable and practical T2I models. Most of the previous works treat T2I models as white-box systems, using gradient optimization to generate adversarial prompts. However, accessing the model's gradient is often impossible in real-world scenarios. Moreover, existing defense methods, those using gradient masking, are designed to prevent attackers from obtaining accurate gradient information. While several black-box jailbreak attacks have been explored, they achieve the limited performance of jailbreaking T2I models due to difficulties associated with optimization in discrete spaces. To address this, we propose HTS-Attack, a heuristic token search attack method. HTS-Attack begins with an initialization that removes sensitive tokens, followed by a heuristic search where high-performing candidates are recombined and mutated. This process generates a new pool of candidates, and the optimal adversarial prompt is updated based on their effectiveness. By incorporating both optimal and suboptimal candidates, HTS-Attack avoids local optima and improves robustness in bypassing defenses. Extensive experiments validate the effectiveness of our method in attacking the latest prompt checkers, post-hoc image checkers, securely trained T2I models, and online commercial models.</description><identifier>EISSN: 2331-8422</identifier><language>eng</language><publisher>Ithaca: Cornell University Library, arXiv.org</publisher><subject>Black boxes ; Heuristic ; Image processing ; Maximization ; Optimization ; Similarity ; System reliability</subject><ispartof>arXiv.org, 2024-12</ispartof><rights>2024. This work is published under http://arxiv.org/licenses/nonexclusive-distrib/1.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>776,780</link.rule.ids></links><search><creatorcontrib>Gao, Sensen</creatorcontrib><creatorcontrib>Jia, Xiaojun</creatorcontrib><creatorcontrib>Huang, Yihao</creatorcontrib><creatorcontrib>Duan, Ranjie</creatorcontrib><creatorcontrib>Gu, Jindong</creatorcontrib><creatorcontrib>Bai, Yang</creatorcontrib><creatorcontrib>Liu, Yang</creatorcontrib><creatorcontrib>Guo, Qing</creatorcontrib><title>HTS-Attack: Heuristic Token Search for Jailbreaking Text-to-Image Models</title><title>arXiv.org</title><description>Text-to-Image(T2I) models have achieved remarkable success in image generation and editing, yet these models still have many potential issues, particularly in generating inappropriate or Not-Safe-For-Work(NSFW) content. Strengthening attacks and uncovering such vulnerabilities can advance the development of reliable and practical T2I models. Most of the previous works treat T2I models as white-box systems, using gradient optimization to generate adversarial prompts. However, accessing the model's gradient is often impossible in real-world scenarios. Moreover, existing defense methods, those using gradient masking, are designed to prevent attackers from obtaining accurate gradient information. While several black-box jailbreak attacks have been explored, they achieve the limited performance of jailbreaking T2I models due to difficulties associated with optimization in discrete spaces. To address this, we propose HTS-Attack, a heuristic token search attack method. HTS-Attack begins with an initialization that removes sensitive tokens, followed by a heuristic search where high-performing candidates are recombined and mutated. This process generates a new pool of candidates, and the optimal adversarial prompt is updated based on their effectiveness. By incorporating both optimal and suboptimal candidates, HTS-Attack avoids local optima and improves robustness in bypassing defenses. Extensive experiments validate the effectiveness of our method in attacking the latest prompt checkers, post-hoc image checkers, securely trained T2I models, and online commercial models.</description><subject>Black boxes</subject><subject>Heuristic</subject><subject>Image processing</subject><subject>Maximization</subject><subject>Optimization</subject><subject>Similarity</subject><subject>System reliability</subject><issn>2331-8422</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2024</creationdate><recordtype>article</recordtype><sourceid>BENPR</sourceid><recordid>eNqNyr0KwjAUQOEgCBbtO1xwDsSkP9ZNRImCk9lLrLc1bW00ScHH18EHcDrDdyYk4kKs6DrhfEZi71vGGM9ynqYiIlKqC92GoKtuAxJHZ3wwFSjb4QAX1K66Q20dnLTprw51Z4YGFL4DDZYeH7pBONsb9n5BprXuPca_zsnysFc7SZ_Ovkb0oWzt6IYvlYIVeZGyLEvEf9cHqe469w</recordid><startdate>20241215</startdate><enddate>20241215</enddate><creator>Gao, Sensen</creator><creator>Jia, Xiaojun</creator><creator>Huang, Yihao</creator><creator>Duan, Ranjie</creator><creator>Gu, Jindong</creator><creator>Bai, Yang</creator><creator>Liu, Yang</creator><creator>Guo, Qing</creator><general>Cornell University Library, arXiv.org</general><scope>8FE</scope><scope>8FG</scope><scope>ABJCF</scope><scope>ABUWG</scope><scope>AFKRA</scope><scope>AZQEC</scope><scope>BENPR</scope><scope>BGLVJ</scope><scope>CCPQU</scope><scope>DWQXO</scope><scope>HCIFZ</scope><scope>L6V</scope><scope>M7S</scope><scope>PIMPY</scope><scope>PQEST</scope><scope>PQQKQ</scope><scope>PQUKI</scope><scope>PRINS</scope><scope>PTHSS</scope></search><sort><creationdate>20241215</creationdate><title>HTS-Attack: Heuristic Token Search for Jailbreaking Text-to-Image Models</title><author>Gao, Sensen ; Jia, Xiaojun ; Huang, Yihao ; Duan, Ranjie ; Gu, Jindong ; Bai, Yang ; Liu, Yang ; Guo, Qing</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-proquest_journals_30979506643</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2024</creationdate><topic>Black boxes</topic><topic>Heuristic</topic><topic>Image processing</topic><topic>Maximization</topic><topic>Optimization</topic><topic>Similarity</topic><topic>System reliability</topic><toplevel>online_resources</toplevel><creatorcontrib>Gao, Sensen</creatorcontrib><creatorcontrib>Jia, Xiaojun</creatorcontrib><creatorcontrib>Huang, Yihao</creatorcontrib><creatorcontrib>Duan, Ranjie</creatorcontrib><creatorcontrib>Gu, Jindong</creatorcontrib><creatorcontrib>Bai, Yang</creatorcontrib><creatorcontrib>Liu, Yang</creatorcontrib><creatorcontrib>Guo, Qing</creatorcontrib><collection>ProQuest SciTech Collection</collection><collection>ProQuest Technology Collection</collection><collection>Materials Science & Engineering Collection</collection><collection>ProQuest Central (Alumni)</collection><collection>ProQuest Central UK/Ireland</collection><collection>ProQuest Central Essentials</collection><collection>ProQuest Central</collection><collection>Technology Collection</collection><collection>ProQuest One Community College</collection><collection>ProQuest Central</collection><collection>SciTech Premium Collection</collection><collection>ProQuest Engineering Collection</collection><collection>Engineering Database</collection><collection>Publicly Available Content Database</collection><collection>ProQuest One Academic Eastern Edition (DO NOT USE)</collection><collection>ProQuest One Academic</collection><collection>ProQuest One Academic UKI Edition</collection><collection>ProQuest Central China</collection><collection>Engineering collection</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Gao, Sensen</au><au>Jia, Xiaojun</au><au>Huang, Yihao</au><au>Duan, Ranjie</au><au>Gu, Jindong</au><au>Bai, Yang</au><au>Liu, Yang</au><au>Guo, Qing</au><format>book</format><genre>document</genre><ristype>GEN</ristype><atitle>HTS-Attack: Heuristic Token Search for Jailbreaking Text-to-Image Models</atitle><jtitle>arXiv.org</jtitle><date>2024-12-15</date><risdate>2024</risdate><eissn>2331-8422</eissn><abstract>Text-to-Image(T2I) models have achieved remarkable success in image generation and editing, yet these models still have many potential issues, particularly in generating inappropriate or Not-Safe-For-Work(NSFW) content. Strengthening attacks and uncovering such vulnerabilities can advance the development of reliable and practical T2I models. Most of the previous works treat T2I models as white-box systems, using gradient optimization to generate adversarial prompts. However, accessing the model's gradient is often impossible in real-world scenarios. Moreover, existing defense methods, those using gradient masking, are designed to prevent attackers from obtaining accurate gradient information. While several black-box jailbreak attacks have been explored, they achieve the limited performance of jailbreaking T2I models due to difficulties associated with optimization in discrete spaces. To address this, we propose HTS-Attack, a heuristic token search attack method. HTS-Attack begins with an initialization that removes sensitive tokens, followed by a heuristic search where high-performing candidates are recombined and mutated. This process generates a new pool of candidates, and the optimal adversarial prompt is updated based on their effectiveness. By incorporating both optimal and suboptimal candidates, HTS-Attack avoids local optima and improves robustness in bypassing defenses. Extensive experiments validate the effectiveness of our method in attacking the latest prompt checkers, post-hoc image checkers, securely trained T2I models, and online commercial models.</abstract><cop>Ithaca</cop><pub>Cornell University Library, arXiv.org</pub><oa>free_for_read</oa></addata></record>
fulltext	fulltext
identifier	EISSN: 2331-8422
ispartof	arXiv.org, 2024-12
issn	2331-8422
language	eng
recordid	cdi_proquest_journals_3097950664
source	Free E- Journals
subjects	Black boxes Heuristic Image processing Maximization Optimization Similarity System reliability
title	HTS-Attack: Heuristic Token Search for Jailbreaking Text-to-Image Models
url	https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-04T19%3A08%3A48IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=document&rft.atitle=HTS-Attack:%20Heuristic%20Token%20Search%20for%20Jailbreaking%20Text-to-Image%20Models&rft.jtitle=arXiv.org&rft.au=Gao,%20Sensen&rft.date=2024-12-15&rft.eissn=2331-8422&rft_id=info:doi/&rft_dat=%3Cproquest%3E3097950664%3C/proquest%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=3097950664&rft_id=info:pmid/&rfr_iscdi=true