What problem does this paper attempt to address?

### Problems the paper attempts to solve This paper aims to address the vulnerability of vision - language models (VLMs) to malicious prompts in practical applications. Specifically, the paper focuses on how to detect these malicious prompts to ensure that the content generated by VLMs is reliable and safe. Malicious prompts may manipulate VLMs through text or image inputs, resulting in harmful outputs or triggering unexpected behaviors, which is especially concerning in applications involving critical decisions such as personal assistants. ### Main challenges 1. **Difficulty in data annotation**: The main challenge in constructing a reliable malicious - prompt - detection classifier is the lack of a large amount of annotated benign and malicious sample data. Annotating this data is not only time - consuming but also difficult to scale, especially in the context of evolving generative models and diverse user inputs. 2. **Requirement for real - time detection**: To ensure the security of VLMs in actual deployment, a method that can effectively detect malicious prompts in a real - time environment without additional manual annotation is required. ### Solutions To solve the above problems, the paper proposes a new framework named **VLMG UARD**. This framework utilizes unlabeled user - prompt data to achieve malicious - prompt detection through the following steps: 1. **Latent - space extraction and maliciousness estimation**: Extract embeddings from the VLM's representation and identify the latent subspaces related to malicious prompts through singular - value decomposition (SVD). Calculate the norm of each sample projected onto these principal singular vectors as the maliciousness - estimation score. The formula is as follows: \[ \kappa_i=\frac{1}{k} \sum_{j = 1}^{k} \lambda_j\cdot\langle f_i, v_j\rangle^2 \] where \( f_i \) is the embedding of the \( i \)-th sample, \( v_j \) is the \( j \)-th singular vector, \( \lambda_j \) is the corresponding singular value, and \( k \) is the dimension of the subspace. 2. **Binary - classifier training**: According to the maliciousness - estimation score, divide the samples into a potential malicious - prompt set \( M \) and a candidate - benign - prompt set \( B \), and train a binary classifier \( h_\theta \) to distinguish between these two types of samples. The training objective is to minimize the following risk function: \[ L_{M,B}(h_\theta)=L^+_{M}(h_\theta)+L^-_{B}(h_\theta)=\mathbb{E}_{(x_v^{\text{prompt}}, x_t^{\text{prompt}})\in M}[1\{h_\theta(x_v^{\text{prompt}}, x_t^{\text{prompt}})\leq0\}]+\mathbb{E}_{(x_v^{\text{prompt}}, x_t^{\text{prompt}})\in B}[1\{h_\theta(x_v^{\text{prompt}}, x_t^{\text{prompt}})>0\}] \] ### Experimental results Experiments show that VLMG UARD significantly outperforms existing methods in various types of malicious - prompt - detection tasks. In particular, on the LLaVA and Phi - 3 models, VLMG UARD has an average 13.21% improvement in AUROC (area under the receiver - operating - characteristic curve), demonstrating its superior performance and robustness in practical applications. ### Summary VLMG UARD provides a novel and effective solution that can use unlabeled data for malicious - prompt detection, thereby improving the reliability and security of VLMs in practical applications.