Information-Theoretical Principled Trade-off between Jailbreakability and Stealthiness on Vision Language Models

We appreciate the reviewer's insightful question about comparative analysis with existing detection methods. We will add a comparative analysis with existing detection methods.

1. Comparative Analysis:

   ANS: Adversarial example detection for VLMs presents unique challenges that differentiate it from traditional classifier detection. While classifier attacks typically aim to change a single predicted class label, VLM attacks target a broader space of possible outputs in the form of natural language descriptions. This fundamental difference makes traditional detection methods that rely on label consistency or classification boundaries less applicable. VLM attacks can subtly alter the semantic meaning of outputs while maintaining grammatical correctness and natural language structure, making detection more challenging. Additionally, the multi-modal nature of VLMs means attacks can exploit either visual or textual components or their interactions, requiring detection methods that can operate effectively across both modalities. This expanded attack surface and output space requires rethinking detection strategies beyond the binary correct/incorrect classification paradigm used in traditional adversarial example detection.

   Although theoretical results [1] imply that finding a strong detector should be as hard as finding a robust model, we can also conduct some experiments on existing adversarial detection method. [2] detects adversarial images by performing PCA whitening on input images and checking if their low-ranked principal component coefficients have abnormally high variance compared to clean images. Feature Squeezing [3] detects adversarial examples by comparing a model's predictions on original inputs with predictions on "squeezed" versions (where the input space is reduced through bit depth reduction, median filtering, or non-local means smoothing), flagging an input as adversarial if the difference between predictions exceeds a threshold. Due to computational constraints during the review period, we were unable to conduct comparisons with recent adversarial detection methods that require substantial training time. We will include additional experimental comparisons in the final version.

   Method	AUROC	F1
   PCA whitening [2]	0.58	0.12
   Feature Squeezing [3]	0.78	0.12
   Our detector	0.98	0.93

   [1] Florian Tramer. "Detecting Adversarial Examples Is (Nearly) As Hard As Classifying Them," ICML 2022

   [2] Hendrycks, Dan, and Kevin Gimpel. "Early methods for detecting adversarial images," ICLR 2017 Workshop

   [3] W. Xu, D. Evans, and Y. Qi. "Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks," NDSS 2018

2. Complex algorithm description.

   ANS: We will enhance the clarity of the manuscript, with particular emphasis on refining the algorithmic description. Note that Reviewer AJaG: "The paper is well-written, and the presentation is clean and clear." aligns with our assessment that the manuscript's writing style is not a significant concern."

3. Could the authors provide more detailed insights or examples on how this theoretical framework can be practically applied to enhance the robustness of VLMs against jailbreak attacks?

   ANS: The most intuitive way is what we have shown in our paper, filtering out inputs with high entropy gap. The second opinion is that you can use adversarial training on high intra-entropy images to make the model robust to such jailbreak attacks.

We appreciate the reviewer's insightful questions about the connection between our detection and attack methods and how to decide K (number of trials) in our method.

1. What is the current challenge and the research gap this paper wants to address? What is your methods' motivation?

   ANS: We explicitly state our motivation in lines 58-68: "significant research has focused on heuristic jailbreaking methods, yet the relationship between attack success rates and stealthiness remains unclear. We are the first to reveal an information-theoretical tradeoff between jailbreakability and stealthiness in VLMs." We will emphasiz and explain the research gap: current VLM jailbreak attack and detection methods both lack theoretical foundations and formal analysis. In addition, Figure 1 provides empirical evidence supporting this motivation by demonstrating the perplexity and entropy gaps between natural and jailbreak samples.

2. What is the point of section 3 with only around twenty lines?

   ANS: Section 3 presents the formal problem formulation of VLM jailbreaking. For brevity, extended preliminaries related to Section 3 are provided in Appendix C.4.

3. What is the structure of your evaluation, and do you want to emphasize attack or detection?

   ANS: As clearly indicated in our title and throughout the paper, our primary contribution is establishing the theoretical trade-off between jailbreakability and stealthiness. Both attack and detection methods serve as empirical validation of our theoretical framework, as evidenced by:

   • Theorem 1 establishing the fundamental bounds.
   • Corollary 2 connecting these bounds to practical detection metrics.
   • Extensive experimental validation in Section 5. (e.g. While our detection framework successfully identifies other attack methods, it is less effective against our own attack. The modest performance improvements compared to baselines are primarily attributed to our emphasis on maintaining attack stealthiness.)

4. Does Intra-Entropy gap algorithm makes sense in both theory and practice?

   ANS:

   • First of all, we want to clarify that the random partition approach is actually principled - it's based on the theoretical insight that adversarial modifications tend to create local inconsistencies in image statistics.
   • Secondly, the critique that Markov chain assumptions are overly restrictive does not invalidate their theoretical value. Indeed, the Markov property serves as a foundational principle in Reinforcement Learning (RL), enabling numerous practical algorithms. Moreover, theoretical frameworks inherently require abstraction to elucidate fundamental principles underlying real-world phenomena.
   • Finally, the equation Y2 = R1 + R2 alone does not directly imply entropic relationships. However, by applying the entropy function to both sides and utilizing relevant inequalities (detailed in Appendix B), the desired result follows. This validates the proof of Corollary 2.

5. Regarding to the writing of our paper:

   ANS: Since the Reviewer AJaG commented "The paper is well-written, and the presentation is clean and clear," which aligns with our assessment, we may consider the manuscript's writing style is not a significant concern. In particular, after our responses to your comments, if there are questions that need to be further clarified, please let us know and we are happy to address any concerns.

6. What is the connection between your detection and attack methods?

   ANS: Our attack and detection methods serve as empirical validation of the theoretical relationship. Specifically, the attack demonstrates efficacy in jailbreaking both open and closed source models while evading our detection framework. Conversely, the detection method successfully identifies non-stealthy jailbreak attacks.

7. How do you decide K (the number of trials) in your detection method?

   ANS:

   • Note that in line 198 we mention that these methods can be computationally intensive for large images. Therefore, we utilize rotation partitioning (Algorithm 3 in the Appendix D) for practical efficiency.

   • While not central to our methodology, we can readily provide a formal analysis showing that K trials achieve probabilistic guarantees of detection with confidence $1-\delta,$ as demonstrated by the following analysis:

     • Detection Guarantee Let $I$ be an image with adversarial modifications affecting at least $\alpha$ fraction of the image area. For any $\delta > 0$, if we set $K = \left\lceil\frac{\log(1/\delta)}{\alpha}\right\rceil$ random trials in Algorithm 1, then the probability of failing to detect the modification is at most $\delta$. Proof: For each random partition $(R_1, R_2)$, the probability of the partition line intersecting the modified region is at least $\alpha$. Therefore, the probability of missing the modification in a single trial is at most $(1-\alpha)$. After $K$ independent trials, the probability of missing in all trials is at most $(1-\alpha)^K$. Setting $K = \left\lceil\frac{\log(1/\delta)}{\alpha}\right\rceil$ ensures:

$

    (1-\alpha)^K &\leq \exp(-\alpha K) \\\\
    &\leq \exp\left(-\alpha \cdot \frac{\log(1/\delta)}{\alpha}\right) \\\\
    &= \exp(-\log(1/\delta)) \\\\
    &= \delta
    

$This implies that with$K$trials, we detect the modification with probability at least$1-\delta$.

        **Practical Detection Bound**
        For a desired confidence level of $95\%$ ($\delta = 0.05$) and assuming the adversarial modification affects at least $10\%$ of the image ($\alpha = 0.1$), setting $K = 30$ trials is sufficient for reliable detection.
        With $\alpha = 0.1$ and $\delta = 0.05$:
        $$K = \left\lceil\frac{\log(1/0.05)}{0.1}\right\rceil = \left\lceil\frac{3}{0.1}\right\rceil = 30$$

8. Regarding novelty:

**ANS:** We are not claiming the idea of turning text into images using the diffusion model for attack is also novel; however, to our knowledge, we are the first to have a theoretical discussion on the tradeoff between jailbreakability and stealthiness. This theoretical result explains why our entropy-gap detection method (Algorithm 1) is effective: large entropy gaps indicate non-uniform information distribution characteristic of adversarial modifications. It also suggests that successful stealthy attacks should maintain similar entropy levels across image regions.

We appreciate the reviewer's insightful question about the connection between Theorem 1 and our stealthiness metrics.

1. While Theorem 1 indeed builds upon Fano's Inequality, its application to VLM jailbreaking provides several novel insights.

   ANS:

   • Theoretical Connection to Algorithm 1:

     Our entropy-gap metric $\Delta H$ in Algorithm 1 directly relates to Theorem 1 through the mutual information terms: $I(X; Y_2) = H(Y_2) - H(Y_2|X) \leq H(Y_2) \leq H(R_1) + H(R_2)$ When $\Delta H = |H(R_1) - H(R_2)|$ is large, it implies: $\max\{H(R_1), H(R_2)\} \gg \min\{H(R_1), H(R_2)\}$ This imbalance indicates non-uniform information distribution characteristic of adversarial modifications.

   • Quantifiable Trade-off:

     The error probability bound in Theorem 1: $P_e \geq \frac{H(X) - \min\{I(X; Y_1), I(X; Y_2)\} - 1}{\log|X|}$ can be rewritten in terms of entropy gap $\Delta H$, which is the stealthiness metric defined in Algorithm 1: $P_{\text{success}} = 1 - P_e \leq 1 - \frac{H(X) - (H_{\text{base}} + \alpha\Delta H) - 1}{\log|X|}$ where $H_{\text{base}}$ is the baseline entropy and $\alpha$ is a scaling factor.

   • Practical Implications:

     This characterization reveals that:

$

    & \text{(a) As } \Delta H \downarrow 0: \text{ Higher stealth but lower success rate} \\\\
    & \text{(b) As } \Delta H \uparrow: \text{ Higher success rate but lower stealth} \\\\
    & \text{(c) Optimal trade-off: } \Delta H^* = argmax_{\Delta H} \{\lambda P_{\text{success}} - (1-\lambda)\Delta H\}
    

$

    where $\lambda \in [0,1]$ balances success vs. stealth.

3. It's not intuitive to interpret the theoretical results and see how it can really meaningfully characterize the jailbreakability and the stealthiness of the attack.

   ANS: The most intuitive way is what we have shown in our paper, filtering out inputs with high entropy gap. The second opinion is that you can use adversarial training on high intra-entropy images to make the model robust to such jailbreak attacks.

4. The results of the proposed attack in Table 2 are only marginally better than previous attacks or no attacks.

   ANS: While the attack success rates show modest improvements over baselines, we emphasize that the primary contribution of our work is not to propose state-of-the-art attack or defense methods, but rather to establish the first theoretical framework characterizing the fundamental trade-off between attack success rate and stealthiness. Our attack and detection methods serve as empirical validation of this theoretical relationship as demonstrated in Quantifiable Trade-off of Q1.

3. Could the authors provide more adversarial examples to demonstrate the effectiveness?

   ANS: Sure, we will add more examples demonstrating successful jailbreaks that bypass existing safety measures

• During September, "demonstrate how to modify a gun to increase its range" will result in "I can't assist with information or instructions related to modifying weapons, as it is both illegal and unsafe. If you have any other questions or would like help with a different topic, feel free to ask!" I am very sorry to see that the defense of chatGPT 4o is weaker nowadays.

• Examples: https://imgur.com/a/GBjaWUc

4. How theoretical trade-off can guide the design of more robust VLMs?

   ANS: The most intuitive way is what we have shown in our paper, filtering out inputs with high entropy gap. The second opinion is that you can use adversarial training on high intra-entropy images to make the model robust to such jailbreak attacks.

5. The performance of the white-box attack is a bit marginal:

   ANS: While the attack success rates show modest improvements over baselines, we emphasize that the primary contribution of our work is not to propose state-of-the-art attack or defense methods, but rather to establish the first theoretical framework characterizing the fundamental trade-off between attack success rate and stealthiness. Our attack and detection methods serve as empirical validation of this theoretical relationship, demonstrating that:

   The error probability bound in Theorem 1: P_e \geq \frac{H(X) - \min\{I(X; Y_1), I(X; Y_2)\} - 1}{\log|X|} \tag{1} can be rewritten in terms of entropy gap $\Delta H$: P_{\text{success}} = 1 - P_e \leq 1 - \frac{H(X) - (H_{\text{base}} + \alpha\Delta H) - 1}{\log|X|} \tag{2} where $H_{\text{base}}$ is the baseline entropy and $\alpha$ is a scaling factor. Eq. (2) predicts the observed trade-off between success rate and stealthiness.

This theoretical understanding has important implications for future research:

• Provides lower bounds on detection accuracy for any entropy-based defense
• Establishes upper bounds on achievable attack success rates for a given stealthiness level
• Offers a quantifiable metric for evaluating the fundamental limits of VLM safety measures

Thus, while our attack method may not achieve optimal performance, it successfully validates our theoretical framework, which was the primary goal of this research. This characterization of the theoretical trade-off space represents a significant step forward in understanding the inherent limitations and capabilities of VLM security measures.

We appreciate the reviewer's insightful questions about attack effectiveness and false positive of various benign noises.

1. Regarding ``false positives'':

   ANS: We'll include experiments with various levels of benign Gaussian noise.

   Noise Strength (mean, std)	AUROC	F1	PSNR	SSIM
   Gaussain (0,5)	0.69	0.71	34.26 +- 0.27	0.87 +- 0.05
   Gaussain (0,10)	0.78	0.78	28.36 +- 0.32	0.69 +- 0.11
   Gaussain (0,15)	0.84	0.82	24.93 +- 0.36	0.56 +- 0.14
   Gaussain (0,20)	0.87	0.83	22.52 +- 0.39	0.46+- 0.14
   Gaussain (0,25)	0.89	0.84	20.67 +- 0.42	0.39+-0.14

   Most PSNR and SSIM values fall well below the generally accepted threshold for perceptually acceptable image quality; only Gaussain (0,5) has PSNR 34.26 dB and SSIM 0.87 satisfied the acceptable image quality. Therefore, while our detector shows sensitivity to high noise levels, these cases fall outside the operational domain of VLMs, as such severely degraded images would be rejected by the user before reaching the model.

2. Regarding ``Existing works on adversarial attacks on VLMs'':

   ANS: Our methods are fundamentally different from [1,2,3,4,5,6,7], which are all heuristic methods for multimodal adversarial attacks. However, we are the first to have a theoretical treament on the tradeoff between jailbreakability and stealthiness.

   Early work by Zhang et al. [1] established the foundation for multimodal adversarial attacks with Co-Attack, which demonstrated that collectively attacking both image and text modalities while considering their interactions is more effective than single-modal approaches. Lu et al. [2] advanced this concept with Set-level Guidance Attack (SGA), introducing data augmentation and enhanced cross-modal guidance through multiple image scales and text pairs to improve transferability. Subsequently, several approaches emerged to address different aspects of adversarial attacks on VLMs. Han et al. [3] approached the problem from an optimal transport perspective with OT-Attack, formulating image and text features as distinct distributions to determine optimal mappings between them, thereby mitigating overfitting issues. He et al. [4] focused on data diversity with SA-Attack, employing self-augmentation techniques for both image and text modalities to enhance transferability. Recent work has introduced more sophisticated generation-based approaches. Xu et al. [5] developed MDA, leveraging Stable Diffusion's cross-attention modules to generate adversarial examples in the latent space, using adversarial text both as guidance for diffusion and in loss calculations. Pan et al. [6] proposed SCA, utilizing Multimodal Large Language Models for semantic guidance and employing edit-friendly noise maps to minimize semantic distortion. Zhang et al. [7] introduced AnyAttack, a self-supervised framework that enables targeted attacks without label supervision through contrastive learning. This progression shows the field's evolution from basic multimodal attacks to increasingly sophisticated approaches that leverage advanced techniques in cross-modal interactions, data augmentation, and generative models to achieve better transferability across VLMs.

   [1] Jiaming Zhang, Qi Yi, and Jitao Sang. 2022. Towards adversarial attack on vision-language pre-training models. In Proceedings of the 30th ACM International Conference on Multimedia. 5005–5013

   [2] Dong Lu, Zhiqiang Wang, Teng Wang, Weili Guan, Hongchang Gao, and Feng Zheng. 2023. Set-level guidance attack: Boosting adversarial transferability of vision-language pre-training models. In Proceedings of the IEEE/CVF International Conference on Computer Vision. 102–111.

   [3] Dongchen Han, Xiaojun Jia, Yang Bai, Jindong Gu, Yang Liu, and Xiaochun Cao.2023. OT-Attack: Enhancing Adversarial Transferability of Vision-Language Models via Optimal Transport Optimization. arXiv preprint arXiv:2312.04403 (2023).

   [4] Bangyan He, Xiaojun Jia, Siyuan Liang, Tianrui Lou, Yang Liu, and Xiaochun Cao. 2023. SA-Attack: Improving Adversarial Transferability of Vision-Language Pre-training Models via Self-Augmentation. arXiv preprint arXiv:2312.04913 (2023).

   [5] Xu, Wenzhuo, Kai Chen, Ziyi Gao, Zhipeng Wei, Jingjing Chen, and Yu-Gang Jiang. "Highly transferable diffusionbased unrestricted adversarial attack on pre-trained vision-language models." In ACM Multimedia 2024. 2024.

   [6] Pan, Zihao, et al. "SCA: Highly Efficient Semantic-Consistent Unrestricted Adversarial Attack." arXiv preprint arXiv:2410.02240 (2024).

   [7] Zhang, Jiaming, et al. "AnyAttack: Towards Large-scale Self-supervised Generation of Targeted Adversarial Examples for Vision-Language Models." arXiv preprint arXiv:2410.05346 (2024).