🤖 AI Summary
This work addresses the vulnerability of vision-language models to indirect prompt injection attacks, a threat inadequately mitigated by existing defenses that rely on extensive retraining data or complex classifiers lacking specificity. The paper proposes the first training-free detection framework explicitly designed for indirect prompt injection, integrating Fourier-domain features with image embeddings from the visual encoder. It employs a dual-strategy approach—combining black-box and few-shot white-box techniques—to enable efficient identification of malicious inputs. Requiring only a minimal number of adversarial examples, the method significantly outperforms state-of-the-art defenses across diverse attack scenarios, demonstrating exceptional robustness and generalization capabilities.
📝 Abstract
Vision language models (VLMs) employ both visual and textual modalities to enable advanced vision-language inference. However, incorporating visual modalities expands the attack surface of VLMs, making them more susceptible to security threats such as adversarial perturbations and indirect prompt injection, wherein crafted malicious image prompts can elicit unintended model outputs. Existing defense methods against malicious image prompts remain insufficient as they typically demand extensive datasets for retraining or the deployment of additional, complex classifiers. Most critically, there is a profound lack of specialized defense mechanisms specifically targeting indirect prompt injections, a gap that serves as a primary motivation for this work. To address these limitations, we introduce DE-FIVE, a novel training-free framework for detecting malicious image prompts by leveraging Fourier features and the hidden state representations of the visual encoder (image vector embeddings) across perturbations. Specifically, we develop a hybrid detection strategy consisting of a black-box detector that operates on Fourier-domain features and a white-box detector that exploits image vector embeddings derived from only a few-shot malicious set. Extensive experiments demonstrate that the proposed framework consistently outperforms state-of-the-art baselines against malicious image prompts.