Saved in:
Bibliographic Details
Main Authors: Zheng, Ziwei, Zhao, Junyao, Yang, Le, He, Lijun, Li, Fan
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2501.02029
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866913635006152704
author Zheng, Ziwei
Zhao, Junyao
Yang, Le
He, Lijun
Li, Fan
author_facet Zheng, Ziwei
Zhao, Junyao
Yang, Le
He, Lijun
Li, Fan
contents With the integration of an additional modality, large vision-language models (LVLMs) exhibit greater vulnerability to safety risks (e.g., jailbreaking) compared to their language-only predecessors. Although recent studies have devoted considerable effort to the post-hoc alignment of LVLMs, the inner safety mechanisms remain largely unexplored. In this paper, we discover that internal activations of LVLMs during the first token generation can effectively identify malicious prompts across different attacks. This inherent safety perception is governed by sparse attention heads, which we term ``safety heads." Further analysis reveals that these heads act as specialized shields against malicious prompts; ablating them leads to higher attack success rates, while the model's utility remains unaffected. By locating these safety heads and concatenating their activations, we construct a straightforward but powerful malicious prompt detector that integrates seamlessly into the generation process with minimal extra inference overhead. Despite its simple structure of a logistic regression model, the detector surprisingly exhibits strong zero-shot generalization capabilities. Experiments across various prompt-based attacks confirm the effectiveness of leveraging safety heads to protect LVLMs. Code is available at \url{https://github.com/Ziwei-Zheng/SAHs}.
format Preprint
id arxiv_https___arxiv_org_abs_2501_02029
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Spot Risks Before Speaking! Unraveling Safety Attention Heads in Large Vision-Language Models
Zheng, Ziwei
Zhao, Junyao
Yang, Le
He, Lijun
Li, Fan
Machine Learning
Artificial Intelligence
Cryptography and Security
Computer Vision and Pattern Recognition
With the integration of an additional modality, large vision-language models (LVLMs) exhibit greater vulnerability to safety risks (e.g., jailbreaking) compared to their language-only predecessors. Although recent studies have devoted considerable effort to the post-hoc alignment of LVLMs, the inner safety mechanisms remain largely unexplored. In this paper, we discover that internal activations of LVLMs during the first token generation can effectively identify malicious prompts across different attacks. This inherent safety perception is governed by sparse attention heads, which we term ``safety heads." Further analysis reveals that these heads act as specialized shields against malicious prompts; ablating them leads to higher attack success rates, while the model's utility remains unaffected. By locating these safety heads and concatenating their activations, we construct a straightforward but powerful malicious prompt detector that integrates seamlessly into the generation process with minimal extra inference overhead. Despite its simple structure of a logistic regression model, the detector surprisingly exhibits strong zero-shot generalization capabilities. Experiments across various prompt-based attacks confirm the effectiveness of leveraging safety heads to protect LVLMs. Code is available at \url{https://github.com/Ziwei-Zheng/SAHs}.
title Spot Risks Before Speaking! Unraveling Safety Attention Heads in Large Vision-Language Models
topic Machine Learning
Artificial Intelligence
Cryptography and Security
Computer Vision and Pattern Recognition
url https://arxiv.org/abs/2501.02029