BlueSuffix: Reinforced Blue Teaming for Vision-Language Models Against Jailbreak Attacks

In this paper, we focus on black-box defense for VLMs against jailbreak attacks.

Existing black-box defense methods are either unimodal or bimodal.

Unimodal methods enhance either the vision or language module of the VLM, while bimodal methods robustify the model through text-image representation realignment.

However, these methods suffer from two limitations: 1) they fail to fully exploit the cross-modal information, or 2) they degrade the model performance on benign inputs.

To address these limitations, we propose a novel blue-team method BlueSuffix that defends target VLMs against jailbreak attacks without compromising its performance under black-box setting.

BlueSuffix includes three key components: 1) a visual purifier against jailbreak images, 2) a textual purifier against jailbreak texts, and 3) a blue-team suffix generator using reinforcement fine-tuning for enhancing cross-modal robustness.

We empirically show on four VLMs (LLaVA, MiniGPT-4, InstructionBLIP, and Gemini) and four safety benchmarks (Harmful Instruction, AdvBench, MM-SafetyBench, and RedTeam-2K) that BlueSuffix outperforms the baseline defenses by a significant margin.

Our BlueSuffix opens up a promising direction for defending VLMs against jailbreak attacks.

Code is available at https://github.com/Vinsonzyh/BlueSuffix.