Search papers, labs, and topics across Lattice.
This paper introduces DE-FIVE, a training-free framework designed to detect malicious image prompts targeting vision language models (VLMs) by utilizing Fourier features and image vector embeddings. The motivation stems from the increasing vulnerability of VLMs to security threats like adversarial perturbations and indirect prompt injections, which existing defenses inadequately address. Experimental results show that DE-FIVE significantly outperforms current state-of-the-art methods in detecting these malicious prompts, highlighting its effectiveness and practical applicability.
Malicious image prompts can now be detected without extensive retraining, thanks to a novel framework that leverages Fourier features and image embeddings.
Vision language models (VLMs) employ both visual and textual modalities to enable advanced vision-language inference. However, incorporating visual modalities expands the attack surface of VLMs, making them more susceptible to security threats such as adversarial perturbations and indirect prompt injection, wherein crafted malicious image prompts can elicit unintended model outputs. Existing defense methods against malicious image prompts remain insufficient as they typically demand extensive datasets for retraining or the deployment of additional, complex classifiers. Most critically, there is a profound lack of specialized defense mechanisms specifically targeting indirect prompt injections, a gap that serves as a primary motivation for this work. To address these limitations, we introduce DE-FIVE, a novel training-free framework for detecting malicious image prompts by leveraging Fourier features and the hidden state representations of the visual encoder (image vector embeddings) across perturbations. Specifically, we develop a hybrid detection strategy consisting of a black-box detector that operates on Fourier-domain features and a white-box detector that exploits image vector embeddings derived from only a few-shot malicious set. Extensive experiments demonstrate that the proposed framework consistently outperforms state-of-the-art baselines against malicious image prompts.