Skip to content

Vect0rdecay/lvlm-adversarial-carrier-modality-framework

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

lvlm-adversarial-carrier-modality-framework

A Taxonomy for Representation-Level Safety Evaluation in Large Vision–Language Models


Overview

This repository contains a taxonomy for studying inference-phase safety failures in Large Vision–Language Models (LVLMs).

The core idea of this project is that unsafe model behavior does not originate from prompt text alone, but from latent intent reconstruction across representations—including images, structure, symbols, time, and context. This repository provides:

  • A carrier ontology for categorizing non-textual and cross-modal prompt representations
  • A threat model scoped to black-box, inference-phase adversaries
  • A structural failure classification identifying recurring classes of safety degradation

This is a measurement and analysis taxonomy, not an exploit toolkit.


Motivation

Most LVLM safety research focuses on textual jailbreaks or pixel-level visual perturbations. But modern LVLMs reason over structure, relationships, abstraction, time, and inferred context.

This project formalizes representation-level risk, enabling principled categorization of prompt-based defenses, inference-time safety mechanisms, and multimodal alignment strategies.


Key Contributions

1. Carrier Ontology

A carrier is any representation capable of encoding latent task intent that a model can reconstruct during inference.

Carrier classes: Perceptual (images, audio, video) · Structural (graphs, tables, flowcharts) · Symbolic (math, logic, formal notation) · Temporal (multi-turn or sequential inputs) · Contextual (roles, environments, authority cues) · Composite (cross-modal or conflicting representations). Each carrier is specified using a CarrierRecord schema.


2. Threat Model (Black-Box, Inference-Phase)

Adversary capabilities: query-only access through intended user-facing interfaces (text, image, audio upload). No access to model gradients, weights, training data, or system-level internals. The adversary can craft and submit multimodal inputs but cannot modify the model, its safety filters, or its deployment configuration.

Adversary objective: latent intent reconstruction — encoding prohibited intent in non-textual or cross-modal representations such that the model recovers and acts on it during inference. This is distinct from explicit instruction injection; the intent is never stated in plaintext.

System model: a deployed LVLM with text-level safety filters (system prompts, RLHF alignment, output classifiers). The model accepts multimodal input and performs reasoning operations (describe, summarize, plan, etc.) over fused representations.

Out of scope: training-time attacks (data poisoning, backdoors), white-box gradient attacks, system-level compromise (prompt leakage, API abuse), and social engineering of human operators.


3. Structural Failure Classes

The repository identifies eight recurring structural failure patterns across carrier classes. These are documented in detail in failure-classes.md.

Summary:

  • Representation gap failures – safety filters trained on text miss equivalent intent encoded in non-textual carriers
  • Temporal intent emergence – benign individual turns combine into unsafe intent only visible across a sequence
  • Distributed compositional payloads – unsafe intent is split across modalities so no single channel triggers defenses
  • Cognitive operation mismatch – the model performs reasoning operations (analogy, abstraction) that safety classifiers don't monitor
  • Modality dominance bias – one modality's signal overrides safety cues from another during fusion
  • Abstraction amplification – abstract or symbolic inputs get decoded into concrete unsafe outputs at inference time
  • Refusal instability – refusal behavior is inconsistent across semantically equivalent rephrasings or contexts
  • Contextual prior override – role, authority, or environmental framing suppresses learned safety priors

Intended Use Cases

This taxonomy is designed for defensive benchmarking, inference-phase safety evaluation, red-team / blue-team alignment research, academic surveys, and pre-deployment risk assessment for multimodal systems. It is not intended for misuse, exploit development, or policy circumvention.


Research Positioning

This project does not provide step-by-step attacks.
It characterizes structural failure modes that arise from representation-level reasoning in LVLMs. Look at this more like vulnerability classes.

The goal is to shift the safety conversation from:

“Which prompt broke the model?” (exploit)

to:

“Which representations inevitably reconstruct unsafe intent?” (vulnerability)


Citation

If you use this taxonomy in academic work, please cite as: @misc{lvlm_carrier_ontology, title = {A Carrier Ontology and Failure Taxonomy for Inference-Phase Safety in LVLMs}, author = {Vect0rdecay (pseudonym)}, year = {2026}, note = {Github / working paper} }

About

Adversarial research on multi-modal LM like LVLMs.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Contributors