Red teaming GPT-4V: are GPT-4V safe against uni/multi-modal jailbreak attacks?

Conference item

Various jailbreak attacks have been proposed to red-team Large Language Models (LLMs) and revealed the vulnerable safeguards of LLMs. Besides, some methods are not limited to the textual modality and extend the jailbreak attack to Multimodal Large Language Models (MLLMs) by perturbing the visual input. However, the absence of a universal evaluation benchmark complicates the performance reproduction and fair comparison. Besides, there is a lack of comprehensive evaluation of closed-source state-of-the-art (SOTA) models, especially MLLMs, such as GPT-4V. To address these issues, this work first builds a comprehensive jailbreak evaluation dataset with 1445 harmful questions covering 11 different safety policies. Based on this dataset, extensive red-teaming experiments are conducted on 11 different LLMs and MLLMs, including both SOTA proprietary models and open-source models. We then conduct a deep analysis of the evaluated results and find that (1) GPT4 and GPT-4V demonstrate better robustness against jailbreak attacks compared to open-source LLMs and MLLMs. (2) Llama2 and Qwen-VL-Chat are more robust compared to other open-source models. (3) The transferability of visual jailbreak methods is relatively limited compared to textual jailbreak methods. The dataset and code can be found here.

Authors: Chen, S; Han, Z; He, B; Ding, Z; Yu, W

• Publication status: Accepted
• Peer review status: Peer reviewed
• Publisher: OpenReview
• Host title: Proceedings of the 12th International Conference on Learning Representations (ICLR 2024)
• Publication date: 2024-03-04
• Acceptance date: 2024-03-03
• Event title: 12th International Conference on Learning Representations (ICLR 2024)
• Event location: Vienna, Austria
• Event website: https://iclr.cc/
• Event start date: 2024-05-07
• Event end date: 2024-05-11
• Language: English
• Keywords: jailbreak; LLMs; AI safety; multimodal LLMs