Phi: Preference Hijacking in Multi-modal Large Language Models at Inference Time

Summary

This paper explores a new security vulnerability in Multimodal Large Language Models (MLLMs), which are AI systems that can understand both text and images. It shows how attackers can subtly influence the responses these models give by manipulating the images they are shown.

What's the problem?

MLLMs are becoming more popular, but they're also potentially unsafe. While we worry about them generating obviously harmful content, this paper highlights a more sneaky problem: attackers can change what the model *prefers* to say, leading to biased or misleading answers without the responses being overtly offensive. It's hard to detect because the responses still seem reasonable and relevant to the situation.

What's the solution?

The researchers developed a technique called 'Preference Hijacking' (Phi). This method involves adding a carefully crafted, almost invisible change to an image. When the MLLM sees this altered image, it shifts its preferences and starts generating responses that align with what the attacker wants, even if those responses aren't truthful or neutral. Importantly, this attack happens when the model is being *used* – it doesn't require changing the model itself, and the same image alteration can work on different images to achieve the desired bias.

Why it matters?

This research is important because it reveals a hidden way to manipulate powerful AI systems. It demonstrates that even if an MLLM isn't explicitly programmed to be biased, an attacker can still influence its output. This has implications for how we trust and deploy these models in real-world applications, and it emphasizes the need for better security measures to protect against these kinds of subtle attacks.