Toward Universal and Transferable Jailbreak Attacks on Vision-Language Models

The paper proposes UltraBreak, a framework for crafting universal adversarial perturbations that transfer across vision-language models and jailbreak objectives. It resides in the Gradient-Based White-Box Attacks leaf, which contains five papers including the original work. This leaf sits within Attack Methodology and Optimization, a moderately populated branch covering gradient-based, black-box, universal perturbation, and cross-modal strategies. The taxonomy reveals a crowded research area with substantial prior work on gradient-driven optimization for adversarial attacks, suggesting the paper enters a well-explored domain.

The taxonomy tree shows neighboring leaves addressing Black-Box and Transfer-Based Attacks (nine papers), Universal Adversarial Perturbations (four papers), and Cross-Modal and Multimodal Perturbation Strategies (seven papers). UltraBreak bridges gradient-based optimization with transferability concerns, connecting to both the white-box methodology branch and the broader Transferability and Generalization category. The scope note for Gradient-Based White-Box Attacks explicitly includes optimization on known model parameters, while excluding black-box methods without gradient access. This positioning suggests the work straddles methodological boundaries, leveraging white-box surrogates to achieve black-box transferability.

Among twenty-five candidates examined, the analysis found two refutable pairs across three contributions. The core UltraBreak framework and semantic adversarial target mechanism each examined ten candidates with zero refutations, indicating limited direct overlap within this search scope. However, vision-space constraints via transformations and regularization examined five candidates and identified two refutable instances, suggesting more substantial prior work in this specific technical component. The limited search scale means these statistics reflect top-K semantic matches rather than exhaustive coverage, leaving open the possibility of additional relevant work beyond the examined set.

Based on the limited search scope of twenty-five candidates, the framework-level contributions appear less directly anticipated, while the vision-space regularization techniques show clearer precedent. The taxonomy context reveals a densely populated research area with multiple overlapping methodological branches, suggesting incremental refinement rather than paradigm shift. Acknowledging the bounded search, the analysis captures immediate semantic neighbors but cannot rule out relevant work in adjacent taxonomy leaves or outside the top-K retrieval window.