Search papers, labs, and topics across Lattice.
This paper introduces VPA-Guard, a defense framework designed to protect image-to-video (I2V) generation models from visual prompt attacks, which exploit seemingly benign visual cues to trigger harmful video outputs. The authors establish VVA-Bench, a novel benchmark that reveals the vulnerability of state-of-the-art I2V models, with attack success rates reaching as high as 100% in certain scenarios. Through extensive experimentation, VPA-Guard demonstrates a significant reduction in attack success rates by 44.2% and harmfulness scores by 73.4%, while preserving the models' utility for legitimate user inputs.
State-of-the-art image-to-video models are alarmingly vulnerable to visual prompt attacks, achieving up to 100% success in triggering harmful outputs.
Recent advancements in Image-to-Video (I2V) generation have transformed input images from simple appearance references into interactive control interfaces where visual cues such as arrows, sketches, and emojis orchestrate complex video dynamics with unprecedented controllability. However, these seemingly innocuous static cues can be interpreted by models as executable temporal instructions, unfolding into harmful actions in the generated videos. Despite the severity of this threat, existing safety benchmarks remain predominantly focused on text-based and content-only image-based jailbreaks, leaving implicit visual prompt attacks insufficiently explored. To bridge this gap, we present VVA-Bench, the first systematic benchmark for evaluating video generation safety under categorized vision-centric prompt attacks. Extensive experiments on VVA-Bench demonstrate that state-of-the-art models are highly susceptible to such attacks, with Attack Success Rates (ASR) reaching 100.0\% on Wan 2.7 and 74.8\% on Veo 3.1. To mitigate these risks, we propose VPA-Guard, a retrieval-augmented and self-evolving defense framework. By leveraging few-shot reasoning to identify latent malicious intents, our method reduces the attack ASR by 44.2\% and the harmfulness score by 73.4\% on average, while maintaining the model's utility for legitimate user edits. Our work provides both a rigorous benchmark and an effective defense strategy to advance safe and socially responsible multimodal generation.