This paper presents a taxonomy of jailbreak attacks against Large Audio Language Models (LALMs), categorizing them into semantic, acoustic, signal, and embedding-layer attacks, and evaluates representative attacks and defenses across ten open-source LALMs. The study introduces a cost-aware evaluation framework, measuring attack success rate, benign refusal, and latency to provide a more comprehensive understanding of LALM safety. Results indicate that Acoustic Best-of-N and Narrative Framing attacks are particularly effective, while current defenses often compromise benign usability, highlighting the need for cost- and utility-aware LALM safety benchmarks.
LALMs are surprisingly vulnerable to jailbreaks through carefully crafted audio, revealing a new attack surface beyond text prompts.
Large Audio Language Models (LALMs) expand jailbreak risks from token-level prompting to the full speech perception-to-reasoning pipeline, where unsafe behavior can be induced through semantics, acoustic style, signal artifacts, or internal representations. Existing work studies these risks under heterogeneous threat models and evaluation protocols, making it difficult to compare attack practicality or defense utility. This paper provides a unified taxonomy and a controlled empirical evaluation of LALM jailbreak attacks and defenses. We organize prior work into semantic, acoustic, signal, and embedding-layer attacks; guard-based, training-free, and training-based defenses; and cross-modal, audio-native, and interactive benchmarks. We then evaluate representative attacks and defenses across ten open-source LALMs, measuring not only attack success rate but also benign refusal and latency. Our results show that Acoustic Best-of-N reveals strong worst-case audio-space vulnerabilities, Narrative Framing is an effective low-latency semantic threat, and current defenses trade robustness against benign usability. These findings support cost- and utility-aware evaluation as a necessary complement to success-rate-only LALM safety benchmarks.