DE-FIVE: Detecting Malicious Image Prompts via Fourier Features and Image Vector Embeddings

📅 2026-06-21
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the vulnerability of vision-language models to indirect prompt injection attacks, a threat inadequately mitigated by existing defenses that rely on extensive retraining data or complex classifiers lacking specificity. The paper proposes the first training-free detection framework explicitly designed for indirect prompt injection, integrating Fourier-domain features with image embeddings from the visual encoder. It employs a dual-strategy approach—combining black-box and few-shot white-box techniques—to enable efficient identification of malicious inputs. Requiring only a minimal number of adversarial examples, the method significantly outperforms state-of-the-art defenses across diverse attack scenarios, demonstrating exceptional robustness and generalization capabilities.
📝 Abstract
Vision language models (VLMs) employ both visual and textual modalities to enable advanced vision-language inference. However, incorporating visual modalities expands the attack surface of VLMs, making them more susceptible to security threats such as adversarial perturbations and indirect prompt injection, wherein crafted malicious image prompts can elicit unintended model outputs. Existing defense methods against malicious image prompts remain insufficient as they typically demand extensive datasets for retraining or the deployment of additional, complex classifiers. Most critically, there is a profound lack of specialized defense mechanisms specifically targeting indirect prompt injections, a gap that serves as a primary motivation for this work. To address these limitations, we introduce DE-FIVE, a novel training-free framework for detecting malicious image prompts by leveraging Fourier features and the hidden state representations of the visual encoder (image vector embeddings) across perturbations. Specifically, we develop a hybrid detection strategy consisting of a black-box detector that operates on Fourier-domain features and a white-box detector that exploits image vector embeddings derived from only a few-shot malicious set. Extensive experiments demonstrate that the proposed framework consistently outperforms state-of-the-art baselines against malicious image prompts.
Problem

Research questions and friction points this paper is trying to address.

malicious image prompts
indirect prompt injection
vision language models
adversarial perturbations
security threats
Innovation

Methods, ideas, or system contributions that make the work stand out.

Fourier features
image vector embeddings
malicious image prompts
training-free detection
indirect prompt injection
🔎 Similar Papers
No similar papers found.