Search papers, labs, and topics across Lattice.
This survey integrates four distinct tracks of adversarial evaluation in AI鈥攄iffusion-based attacks on text and LLMs, image classifiers, jailbreaks against vision-language models, and input purification defenses鈥攊nto a unified conceptual framework. By cataloging fifty relevant papers and proposing a six-class taxonomy of diffusion roles in adversarial pipelines, the authors provide a comprehensive overview of attack methodologies and defenses across modalities. The analysis highlights five key weaknesses in current LLM literature and outlines a research agenda aimed at addressing these gaps, emphasizing the need for cohesive evaluation criteria and collaborative efforts across communities.
A unified framework reveals critical weaknesses in LLM adversarial defenses and sets a bold agenda for future research across modalities.
Adversarial evaluation of AI systems has matured along four largely disconnected tracks: diffusion-based attacks on text and large language models (LLMs), diffusion-based attacks on image classifiers, jailbreak pipelines against vision-language models, and diffusion-based input purification defenses. Each has developed its own vocabulary, threat models, and benchmarks, with denoising diffusion models emerging as a shared generative mechanism whose recipes are now actively ported between communities. This survey performs an information-fusion exercise at the meta-research level: we integrate these four tracks into a single conceptual framework with a unified taxonomy, evaluation criteria, and research agenda, focusing on the LLM-side slice. We catalog fifty published papers across four scope areas (text/LLM, image classifier, vision-language model, defense), plus four diffusion-LLM-as-victim entries and ten non-diffusion baselines against which any new attack must be compared. We propose a six-class taxonomy of diffusion roles in adversarial pipelines, augmented by a threat-model axis recording attacker knowledge, query budget, and target accessibility, and apply a five-dimension framework (attack success rate, transferability, query budget, perplexity, defense-evasion) uniformly across modalities. The review adopts a dual attacker-defender perspective: alongside the attack catalog we cover four diffusion-based defenses that form the natural evaluation backdrop for new attacks. Our critical analysis identifies five recurring weaknesses of the current LLM-side literature, and we close with a research agenda of open questions and concrete experimental designs. The companion catalog and spreadsheet are released with the paper. We are explicit that this is a narrative review with quality assessment, not a PRISMA-compliant systematic review, and discuss the implications for replication.