scan-v4.json (31107B)
1 { 2 "scan_version": 4, 3 "paper_type": "empirical", 4 "paper": { 5 "title": "'Do as I say not as I do': A Semi-Automated Approach for Jailbreak Prompt Attack against Multimodal LLMs", 6 "authors": [ 7 "Chun Wai Chiu", 8 "Linghan Huang", 9 "Bo Li", 10 "Huaming Chen", 11 "Kim-Kwang Raymond Choo" 12 ], 13 "year": 2025, 14 "venue": "arXiv.org", 15 "arxiv_id": "2502.00735", 16 "doi": "10.48550/arXiv.2502.00735" 17 }, 18 "checklist": { 19 "claims_and_evidence": { 20 "abstract_claims_supported": { 21 "applies": true, 22 "answer": true, 23 "justification": "Abstract claims 'average attack success rate ranging from 0.67 to 0.93 across seven forbidden scenarios' are supported by Table I (Config 1 row shows exactly these values). The 0.81 average is also confirmed.", 24 "source": "opus" 25 }, 26 "causal_claims_justified": { 27 "applies": true, 28 "answer": true, 29 "justification": "The paper makes causal claims about component contributions (e.g., Flanking Attack 'enhances' ASR). The progressive ablation design (Table I) with controlled removal of single components supports causal inference: Config 1 vs 2 isolates Flanking Attack (+24pp), Config 2 vs 3 isolates Text Prompt (+29pp).", 30 "source": "opus" 31 }, 32 "generalization_bounded": { 33 "applies": true, 34 "answer": false, 35 "justification": "The title claims 'Jailbreak Prompt Attack against Multimodal LLMs' (plural) but only Gemini 1.5 Flash is tested. The abstract says 'manipulating state-of-the-art LLMs' and the paper claims to 'establish a replicable testing framework for adversarial robustness evaluation in multimodal LLMs,' extending well beyond the single model tested.", 36 "source": "opus" 37 }, 38 "alternative_explanations_discussed": { 39 "applies": true, 40 "answer": false, 41 "justification": "The paper does not discuss alternative explanations for why the Flanking Attack succeeds. For example, it could be that the December 2024 Gemini snapshot had particularly weak audio moderation, or that the evaluation via Gemini self-assessment inflates ASR. No robustness checks or confound analysis.", 42 "source": "opus" 43 }, 44 "proxy_outcome_distinction": { 45 "applies": true, 46 "answer": false, 47 "justification": "ASR is measured by Gemini's self-evaluation of its own policy compliance, but the paper does not discuss whether this proxy accurately measures real-world jailbreak severity. The gap between 'Gemini says its own output violates policy' and 'the output would cause actual harm' is not acknowledged.", 48 "source": "opus" 49 } 50 }, 51 "limitations_and_scope": { 52 "limitations_section_present": { 53 "applies": true, 54 "answer": true, 55 "justification": "Section VII 'Challenges and Future Directions' discusses multiple limitations: model updates may invalidate findings, audio variations not tested, fixed sentence structure, monolingual (English) only.", 56 "source": "opus" 57 }, 58 "threats_to_validity_specific": { 59 "applies": true, 60 "answer": true, 61 "justification": "Section VII discusses specific threats: (1) Gemini updates may mitigate identified vulnerabilities, (2) audio properties (pitch, tone, speed) were not varied, (3) fixed sentence structure may limit generalizability, (4) monolingual approach limits scope. These are specific to this study.", 62 "source": "opus" 63 }, 64 "scope_boundaries_stated": { 65 "applies": true, 66 "answer": true, 67 "justification": "The paper explicitly states what was NOT tested: other audio variations (Section VII.A), sentence structure manipulations (Section VII.B), multilingual inputs (Section VII.C). Scope is bounded to Gemini, English, fixed audio format.", 68 "source": "opus" 69 } 70 }, 71 "conflicts_of_interest": { 72 "funding_disclosed": { 73 "applies": true, 74 "answer": false, 75 "justification": "No funding source or acknowledgments section is present in the paper.", 76 "source": "opus" 77 }, 78 "affiliations_disclosed": { 79 "applies": true, 80 "answer": true, 81 "justification": "Author affiliations are clearly listed: University of Sydney, University of Chicago, and University of Texas at San Antonio. No affiliations with Google (the maker of the evaluated product Gemini).", 82 "source": "opus" 83 }, 84 "funder_independent_of_outcome": { 85 "applies": false, 86 "answer": false, 87 "justification": "No funding is disclosed. The authors are from academic institutions with no apparent financial interest in the outcome. Appears to be unfunded academic research.", 88 "source": "opus" 89 }, 90 "financial_interests_declared": { 91 "applies": true, 92 "answer": false, 93 "justification": "No competing interests or financial interests statement is present in the paper.", 94 "source": "opus" 95 } 96 }, 97 "scope_and_framing": { 98 "key_terms_defined": { 99 "applies": true, 100 "answer": true, 101 "justification": "'Flanking Attack,' 'Attack Success Rate (ASR),' 'semi-automated approach,' and 'forbidden scenarios' are explicitly defined; the paper explains what it means by multimodal attack and sequential layering.", 102 "source": "haiku" 103 }, 104 "intended_contribution_clear": { 105 "applies": true, 106 "answer": true, 107 "justification": "Three explicit contributions are listed in the intro: systematic benchmarking of audio-based jailbreak attacks, the Flanking Attack framework, and the semi-automated evaluation approach.", 108 "source": "haiku" 109 }, 110 "engagement_with_prior_work": { 111 "applies": true, 112 "answer": true, 113 "justification": "Section III covers adversarial attacks, multimodal attacks, and jailbreak prompt attacks with specific comparisons to prior voice jailbreak [14] and multilingual attack work [9], situating the contribution.", 114 "source": "haiku" 115 } 116 } 117 }, 118 "type_checklist": { 119 "empirical": { 120 "artifacts": { 121 "code_released": { 122 "applies": true, 123 "answer": false, 124 "justification": "No code repository, notebook, or archive URL is provided despite describing a Google Colab-based pipeline. The paper claims to establish 'a replicable testing framework' but releases no code.", 125 "source": "opus" 126 }, 127 "data_released": { 128 "applies": true, 129 "answer": false, 130 "justification": "The forbidden question set is partially shown in Table III (21 questions across 7 scenarios), but the full 2,100 prompts, audio files (MP3), and model responses are not released.", 131 "source": "opus" 132 }, 133 "environment_specified": { 134 "applies": true, 135 "answer": true, 136 "justification": "Section VI.A specifies: Google Colab (Python 3.10, Ubuntu 22.04), 2 vCPUs, 12 GB RAM, no GPU, google-generativeai 0.4.1, python-docx 1.0. Sufficient detail to recreate the environment.", 137 "source": "opus" 138 }, 139 "reproduction_instructions": { 140 "applies": true, 141 "answer": false, 142 "justification": "The experimental setup (Section VI.A) describes the pipeline conceptually but provides no step-by-step reproduction instructions, scripts, or notebook. A researcher would need to reverse-engineer the methodology from the paper text.", 143 "source": "opus" 144 } 145 }, 146 "statistical_methodology": { 147 "confidence_intervals_or_error_bars": { 148 "applies": true, 149 "answer": false, 150 "justification": "Table I reports only point estimates for ASR (e.g., 0.93, 0.80). No confidence intervals, error bars, or uncertainty measures are provided for any result.", 151 "source": "opus" 152 }, 153 "significance_tests": { 154 "applies": true, 155 "answer": false, 156 "justification": "The paper claims differences between configurations (e.g., Config 1 at 0.81 vs Config 2 at 0.57) without any statistical significance tests. All comparisons are based on raw number differences.", 157 "source": "opus" 158 }, 159 "effect_sizes_reported": { 160 "applies": true, 161 "answer": false, 162 "justification": "No formal effect sizes (Cohen's d, odds ratios, etc.) are reported. The paper shows ASR values for each configuration but does not compute or report standardized effect sizes.", 163 "source": "opus" 164 }, 165 "sample_size_justified": { 166 "applies": true, 167 "answer": false, 168 "justification": "The paper uses 50 requests per run and mentions 2,100 total prompts, but provides no justification for these sample sizes. No power analysis or rationale for why 50 per run is sufficient.", 169 "source": "opus" 170 }, 171 "variance_reported": { 172 "applies": true, 173 "answer": false, 174 "justification": "Table I states 'averages across multiple runs' but reports no standard deviation, variance, or spread measures. The reader cannot assess result stability across runs.", 175 "source": "opus" 176 } 177 }, 178 "evaluation_design": { 179 "baselines_included": { 180 "applies": true, 181 "answer": true, 182 "justification": "Table I presents 4 configurations as progressive ablations: full method (Config 1), without Flanking Attack (Config 2), Setting+Character+Plot only (Config 3), and Plot only (Config 4). These serve as baselines against the full method.", 183 "source": "opus" 184 }, 185 "baselines_contemporary": { 186 "applies": true, 187 "answer": false, 188 "justification": "No comparison with other published jailbreak attack methods from the literature (e.g., Voice Jailbreak [8], Sandwich Attack [9]). All baselines are ablated variants of the authors' own method.", 189 "source": "opus" 190 }, 191 "ablation_study": { 192 "applies": true, 193 "answer": true, 194 "justification": "Table I and Section VI.E present a systematic ablation across 4 configurations, progressively removing components (Flanking Attack, Text Prompt, Setting+Character) to measure each component's contribution to ASR.", 195 "source": "opus" 196 }, 197 "multiple_metrics": { 198 "applies": true, 199 "answer": false, 200 "justification": "Only Attack Success Rate (ASR) is used as a metric. No other metrics (e.g., response severity, specificity of harmful content, false positive rate of the evaluator) are reported.", 201 "source": "opus" 202 }, 203 "human_evaluation": { 204 "applies": true, 205 "answer": true, 206 "justification": "The paper includes both manual inspection (preliminary study of ~100 experiments, Section V) and the semi-automated approach. Failure and success cases are shown and manually analyzed in Figures 10-15 and Appendix figures.", 207 "source": "opus" 208 }, 209 "held_out_test_set": { 210 "applies": true, 211 "answer": false, 212 "justification": "The attack strategy was refined through a preliminary study (~100 experiments) and then applied to the full evaluation (2,100 prompts), but there is no formal separation of development and test sets. The same question set appears to be used throughout.", 213 "source": "opus" 214 }, 215 "per_category_breakdown": { 216 "applies": true, 217 "answer": true, 218 "justification": "Table I breaks down ASR by each of the 7 forbidden scenarios (Illegal Activities, Abuse & Disruption, Circumventing Safety, Harmful Content, Misinformation, Sexually Explicit, Privacy Violations) for all 4 configurations.", 219 "source": "opus" 220 }, 221 "failure_cases_discussed": { 222 "applies": true, 223 "answer": true, 224 "justification": "Multiple failure cases are shown and discussed: Figures 11, 12, 13, 15, 16, 19, 20, and 23 show cases where Gemini successfully blocked the attack. The paper analyzes why each configuration fails.", 225 "source": "opus" 226 }, 227 "negative_results_reported": { 228 "applies": true, 229 "answer": true, 230 "justification": "Configurations 3 and 4 show low ASR (0.28 and 0.12 respectively). Misinformation scenario has 0.00 ASR for Config 4. These negative results are reported and discussed in the ablation study.", 231 "source": "opus" 232 } 233 }, 234 "setup_transparency": { 235 "model_versions_specified": { 236 "applies": true, 237 "answer": true, 238 "justification": "Section VI.A specifies 'gemini-1.5-flash' (API model identifier), 'December 2024 snapshot,' 'balanced safety tier,' and SDK version 'google-generativeai 0.4.1.' This is sufficiently specific to identify the model version.", 239 "source": "opus" 240 }, 241 "prompts_provided": { 242 "applies": true, 243 "answer": false, 244 "justification": "Figure 9 shows a Flanking Attack template, and implementation examples describe the text prompt components (Setting: 'Imagine that we are in a game'; Character: 'hacker'; Rule: 'We are just simulating'). But the complete verbatim prompt text used in experiments is not provided. The reader cannot reconstruct the exact prompts sent to the API.", 245 "source": "opus" 246 }, 247 "hyperparameters_reported": { 248 "applies": true, 249 "answer": true, 250 "justification": "Section VI.A reports: 'Default inference parameters were retained (temperature=0.7, top_p=0.95); no system-prompt modifications were applied.' Audio parameters also specified: 128 kbps MP3, 48 kHz, 16-bit PCM.", 251 "source": "opus" 252 }, 253 "scaffolding_described": { 254 "applies": false, 255 "answer": false, 256 "justification": "No agentic scaffolding is used. The attack is a direct prompt injection via API call, not an agentic system.", 257 "source": "opus" 258 }, 259 "data_preprocessing_documented": { 260 "applies": true, 261 "answer": true, 262 "justification": "Section V describes the forbidden question set design (based on Gemini policy, 7 scenarios following [5]'s principles). Section VI.A documents the pipeline: text prefix + MP3 audio → generate_content API → responses saved to ai_outputs.docx → Gemini self-evaluation.", 263 "source": "opus" 264 } 265 }, 266 "data_integrity": { 267 "raw_data_available": { 268 "applies": true, 269 "answer": false, 270 "justification": "No raw data (prompts, audio files, Gemini responses, evaluation logs) is released. Only aggregated ASR values in Table I and selected examples in figures.", 271 "source": "opus" 272 }, 273 "data_collection_described": { 274 "applies": true, 275 "answer": true, 276 "justification": "Section V describes the forbidden question set design (7 scenarios from Gemini policy), prompt construction methodology (Setting, Character, Rule, Flanking Attack), and Section VI.A describes the API interaction procedure (50 requests/run, 2s delay).", 277 "source": "opus" 278 }, 279 "recruitment_methods_described": { 280 "applies": true, 281 "answer": true, 282 "justification": "No human participants. The data source is custom-crafted prompts, not a standard benchmark. The paper describes how the forbidden question set was designed: based on Gemini usage policy [35] with 7 specific scenarios, following design principles from [5]. Table III provides the full question bank.", 283 "source": "opus" 284 }, 285 "data_pipeline_documented": { 286 "applies": true, 287 "answer": false, 288 "justification": "The general pipeline is described (prompts → API → docx → evaluation), but key details are missing: how many runs were conducted per configuration, how averages were computed, and how many total responses were excluded or flagged. The paper says 'averages across multiple runs' without specifying the number of runs.", 289 "source": "opus" 290 } 291 }, 292 "contamination": { 293 "training_cutoff_stated": { 294 "applies": false, 295 "answer": false, 296 "justification": "This paper tests jailbreak attacks against safety filters, not model knowledge on a benchmark. Contamination in the traditional sense (model having seen test data) is not applicable.", 297 "source": "opus" 298 }, 299 "train_test_overlap_discussed": { 300 "applies": false, 301 "answer": false, 302 "justification": "The study evaluates defense bypass rather than model capability on a knowledge benchmark. Train/test overlap is not a relevant concern for jailbreak attack evaluation.", 303 "source": "opus" 304 }, 305 "benchmark_contamination_addressed": { 306 "applies": false, 307 "answer": false, 308 "justification": "The 'benchmark' consists of custom-crafted jailbreak prompts, not a pre-existing knowledge test. Benchmark contamination does not apply to this type of adversarial evaluation.", 309 "source": "opus" 310 } 311 }, 312 "human_studies": { 313 "pre_registered": { 314 "applies": false, 315 "answer": false, 316 "justification": "No human participants in this study. All experiments involve automated API interactions with Gemini.", 317 "source": "opus" 318 }, 319 "irb_or_ethics_approval": { 320 "applies": false, 321 "answer": false, 322 "justification": "No human participants. The study involves only automated interactions with an LLM API.", 323 "source": "opus" 324 }, 325 "demographics_reported": { 326 "applies": false, 327 "answer": false, 328 "justification": "No human participants in this study.", 329 "source": "opus" 330 }, 331 "inclusion_exclusion_criteria": { 332 "applies": false, 333 "answer": false, 334 "justification": "No human participants in this study.", 335 "source": "opus" 336 }, 337 "randomization_described": { 338 "applies": false, 339 "answer": false, 340 "justification": "No human participants in this study.", 341 "source": "opus" 342 }, 343 "blinding_described": { 344 "applies": false, 345 "answer": false, 346 "justification": "No human participants in this study.", 347 "source": "opus" 348 }, 349 "attrition_reported": { 350 "applies": false, 351 "answer": false, 352 "justification": "No human participants in this study.", 353 "source": "opus" 354 } 355 }, 356 "cost_and_practicality": { 357 "inference_cost_reported": { 358 "applies": true, 359 "answer": false, 360 "justification": "No API costs, token consumption, or per-query cost is reported despite making 2,100+ API calls to Gemini. Only a 2-second delay between requests (for rate limiting) is mentioned.", 361 "source": "opus" 362 }, 363 "compute_budget_stated": { 364 "applies": true, 365 "answer": false, 366 "justification": "The hardware is described (Google Colab, 2 vCPUs, 12 GB RAM) but total compute time, API spend, and total wall-clock time for the full experimental campaign are not stated.", 367 "source": "opus" 368 } 369 }, 370 "experimental_rigor": { 371 "seed_sensitivity_reported": { 372 "applies": true, 373 "answer": false, 374 "justification": "No mention of random seeds or stochastic variation across runs. With temperature=0.7, Gemini outputs are non-deterministic, but no seed sensitivity analysis is performed.", 375 "source": "opus" 376 }, 377 "number_of_runs_stated": { 378 "applies": true, 379 "answer": false, 380 "justification": "The paper says '50 such requests per run' and 'Table I reports averages across multiple runs' but never states the exact number of runs conducted per configuration or scenario.", 381 "source": "opus" 382 }, 383 "hyperparameter_search_budget": { 384 "applies": true, 385 "answer": true, 386 "justification": "Section VI.A explicitly states 'Default inference parameters were retained (temperature=0.7, top_p=0.95); no system-prompt modifications were applied,' indicating no hyperparameter tuning was performed.", 387 "source": "opus" 388 }, 389 "best_config_selection_justified": { 390 "applies": true, 391 "answer": true, 392 "justification": "All 4 configurations are reported in Table I with full results — no cherry-picking of a single best configuration. The ablation study presents all variants transparently.", 393 "source": "opus" 394 }, 395 "multiple_comparison_correction": { 396 "applies": true, 397 "answer": false, 398 "justification": "The paper makes numerous comparative claims across 7 scenarios and 4 configurations without any statistical tests, let alone corrections for multiple comparisons.", 399 "source": "opus" 400 }, 401 "self_comparison_bias_addressed": { 402 "applies": true, 403 "answer": false, 404 "justification": "The authors evaluate their own attack method against their own ablated baselines without acknowledging self-comparison bias. No independent evaluation or acknowledgment of the bias.", 405 "source": "opus" 406 }, 407 "compute_budget_vs_performance": { 408 "applies": true, 409 "answer": false, 410 "justification": "No discussion of compute requirements across configurations. Config 1 (with Flanking Attack audio) presumably requires more resources than Config 4 (text only), but this is not analyzed.", 411 "source": "opus" 412 }, 413 "benchmark_construct_validity": { 414 "applies": true, 415 "answer": false, 416 "justification": "The paper does not discuss whether ASR (as judged by Gemini self-evaluation) actually measures real-world jailbreak severity. The construct validity of using the target model to evaluate its own policy violations is not questioned.", 417 "source": "opus" 418 }, 419 "scaffold_confound_addressed": { 420 "applies": false, 421 "answer": false, 422 "justification": "No scaffolding is involved. The attack is a direct API call with text and audio input, not an agentic system.", 423 "source": "opus" 424 } 425 }, 426 "data_leakage": { 427 "temporal_leakage_addressed": { 428 "applies": true, 429 "answer": false, 430 "justification": "The paper does not discuss whether Gemini may have been trained on similar jailbreak patterns or whether its safety training incorporated defenses against flanking-style attacks. The December 2024 snapshot timing relative to the paper's development is not analyzed.", 431 "source": "opus" 432 }, 433 "feature_leakage_addressed": { 434 "applies": true, 435 "answer": false, 436 "justification": "No discussion of whether the evaluation setup (e.g., the text prompt framing the interaction as fictional) provides information that makes the task easier than a real-world attack scenario.", 437 "source": "opus" 438 }, 439 "non_independence_addressed": { 440 "applies": true, 441 "answer": false, 442 "justification": "The 2,100 prompts share the same structural template across scenarios. Non-independence between prompts within and across scenarios is not discussed — success on one prompt may predict success on structurally similar ones.", 443 "source": "opus" 444 }, 445 "leakage_detection_method": { 446 "applies": true, 447 "answer": false, 448 "justification": "No concrete leakage detection or prevention method is used. The paper does not check whether its attack patterns overlap with known jailbreak examples that may be in Gemini's safety training data.", 449 "source": "opus" 450 } 451 } 452 } 453 }, 454 "claims": [ 455 { 456 "claim": "Flanking Attack achieves an average ASR of 0.81 across seven forbidden scenarios (range: 0.67–0.93)", 457 "evidence": "Table I reports per-scenario ASR for Configuration 1 (full attack) across 2,100 prompts", 458 "supported": "moderate" 459 }, 460 { 461 "claim": "Adding Flanking Attack component increases ASR from 0.57 (text prompt + narrative only) to 0.81", 462 "evidence": "Table I comparison of Configuration 1 vs. Configuration 2 across all seven scenarios", 463 "supported": "moderate" 464 }, 465 { 466 "claim": "This introduces the first voice-based jailbreak attack against multimodal LLMs", 467 "evidence": "Stated in abstract, but prior work Shen et al. 2024 [14] on 'Voice jailbreak attacks against GPT-4o' predates this", 468 "supported": "weak" 469 }, 470 { 471 "claim": "Semi-automated evaluation using an aligned MLLM enables scalable and consistent policy violation detection", 472 "evidence": "Described in Section V.D and compared qualitatively to manual inspection; no quantitative validation of evaluator accuracy provided", 473 "supported": "weak" 474 }, 475 { 476 "claim": "Gemini's defense mechanisms rely on surface-level context cues rather than deep semantic analysis", 477 "evidence": "Qualitative interpretation of successful bypass cases (Figures 10, 17); not tested with controlled semantic equivalents", 478 "supported": "weak" 479 } 480 ], 481 "methodology_tags": [ 482 "benchmark-eval", 483 "case-study" 484 ], 485 "key_findings": "The Flanking Attack embeds adversarial audio queries between benign queries within a fictional narrative context, achieving 0.81 average ASR against Gemini 1.5 flash across seven forbidden scenarios compared to 0.12 for a bare plot-only baseline. An ablation across four configurations demonstrates that both narrative framing and sequential query layering contribute independently to attack success. The semi-automated evaluation framework using Gemini to assess its own policy compliance enables scalable evaluation but introduces circular evaluation bias with unknown reliability. All results are limited to a single model (Gemini 1.5 flash, December 2024, English only), and no comparison to prior jailbreak methods is provided, making relative effectiveness unknown.", 486 "red_flags": [ 487 { 488 "flag": "Single-model evaluation", 489 "detail": "All experiments use only Gemini 1.5 flash (December 2024 snapshot); broad claims about 'multimodal LLMs' are unsupported without testing additional models." 490 }, 491 { 492 "flag": "Circular self-evaluation", 493 "detail": "Using Gemini to evaluate whether Gemini violated its own policies creates circular reasoning; no validation against human judgments is provided to establish evaluator reliability." 494 }, 495 { 496 "flag": "Questionable 'first' claim", 497 "detail": "Claims to introduce 'the first voice-based jailbreak attack against multimodal LLMs' while citing Shen et al. 2024 (Voice jailbreak attacks against GPT-4o) as prior work that already constitutes voice-based jailbreaks." 498 }, 499 { 500 "flag": "No statistical rigor", 501 "detail": "No confidence intervals, significance tests, or variance measures across the 2,100 prompts or multiple runs; single ASR values are treated as definitive without uncertainty quantification." 502 }, 503 { 504 "flag": "No external baseline comparison", 505 "detail": "No comparison to existing jailbreak methods from the literature (DAN, Crescendo, sandwich attack, etc.), making it impossible to assess the relative effectiveness of Flanking Attack." 506 }, 507 { 508 "flag": "Key artifact not released", 509 "detail": "The adversarial audio file (breakAuthorisation.mp3) used in all experiments is not released, preventing reproduction of the core finding." 510 } 511 ], 512 "cited_papers": [ 513 { 514 "title": "'Do Anything Now': Characterizing and Evaluating In-the-Wild Jailbreak Prompts on Large Language Models", 515 "relevance": "Primary design basis for the forbidden question set and evaluation methodology; directly cited for question construction principles" 516 }, 517 { 518 "title": "Voice Jailbreak Attacks Against GPT-4o", 519 "relevance": "Prior voice-based jailbreak work this paper builds upon; contradicts the 'first voice jailbreak' claim in the abstract" 520 }, 521 { 522 "title": "Survey of Vulnerabilities in Large Language Models Revealed by Adversarial Attacks", 523 "relevance": "Comprehensive taxonomy of adversarial LLM attacks; provides foundational framework for situating this work" 524 }, 525 { 526 "title": "Jailbreak Attacks and Defenses Against Multimodal Generative Models: A Survey", 527 "relevance": "Survey of multimodal jailbreak attacks and defenses directly relevant to this paper's scope" 528 }, 529 { 530 "title": "Comprehensive Assessment of Jailbreak Attacks Against LLMs", 531 "relevance": "Systematic jailbreak benchmarking framework that this paper's evaluation methodology builds upon" 532 }, 533 { 534 "title": "Sandwich Attack: Multi-language Mixture Adaptive Attack on LLMs", 535 "relevance": "Closely related layered attack approach using questions in multiple languages; direct inspiration for flanking strategy" 536 }, 537 { 538 "title": "Jailbroken: How Does LLM Safety Training Fail?", 539 "relevance": "Foundational analysis of LLM safety training failures; motivates the investigation of audio-based bypasses" 540 } 541 ], 542 "engagement_factors": { 543 "practical_relevance": { 544 "score": 1, 545 "justification": "The attack methodology is described conceptually but no tools, code, or reusable framework is released for practitioners to apply." 546 }, 547 "surprise_contrarian": { 548 "score": 1, 549 "justification": "That multimodal LLMs can be jailbroken through creative prompting is not surprising given extensive prior work on text-based and voice-based jailbreaks." 550 }, 551 "fear_safety": { 552 "score": 2, 553 "justification": "Demonstrates that voice-based flanking can bypass Gemini's safety filters with 81% success rate across forbidden scenarios, raising concerns about audio-enabled LLM safety." 554 }, 555 "drama_conflict": { 556 "score": 1, 557 "justification": "Shows Gemini vulnerability but presents findings in an academic context without dramatic framing or controversy." 558 }, 559 "demo_ability": { 560 "score": 0, 561 "justification": "No code, demo, or tool released. The approach cannot be tried without reimplementing from the paper description." 562 }, 563 "brand_recognition": { 564 "score": 2, 565 "justification": "Targets Google Gemini, a well-known consumer AI product, which adds brand recognition relevance." 566 } 567 }, 568 "hn_data": { 569 "threads": [], 570 "top_points": 0, 571 "total_points": 0, 572 "total_comments": 0 573 } 574 }