[New Features] Multi-modal Jailbreaking Attack on LLaVA

[DavidLee528]

Thanks for your review.

This PR include:

• New Generator: LLaVA (Image+Text->Text)
• New multi-modal jailbreak attack probe
• New multi-modal jailbreak attack detector

Please let me know if there are anything I can do better.

[leondz]

Wow, thanks for this! We'll get it reviewed

[erickgalinkin]

Looks pretty good generally. I think we want to put the generator into huggingface.py and add some checks to the probe so we can ensure we're operating against the right generator type.

[DavidLee528]

I think the class name should be FigStep rather than VisualJailbreak for garak/detectors/visual_jailbreak.py and garak/probes/visual_jailbreak.py because the attack method FigStep is a subset of visual jailbreak attack. I think there will be more visual jailbreak attack in the future. (65f94cc)

[leondz]

Looks awesome, great idea to include FigStep/SafeBench.

The image collection is a little large, and also I want to be careful about including another project's code. Could we implement a pattern where:

• The image files are not distributed with garak
• When first run, the probe checks for the image files (perhaps in the resources/ directory)
• If the image files are not there, we download from https://github.com/ThuCCSLab/FigStep/tree/main/data/images/SafeBench
• The default probe uses 80 images
• Optionally, a "Full" probe uses more images, but is deactivated by default. This can inherit from the 80 image version (or vice versa) - that's a pretty common pattern in garak
• The FigStep paper needs to be cited/recognised somewhere in the garak code, maybe in a docstring for the FigStep probe? With a reference and paper link? This seems appropriate enough

Thanks so much for working on this, this is very close and will be a big change when it hits. Really appreciate your contributions!

[DavidLee528]

The FigStep paper needs to be cited/recognised somewhere in the garak code, maybe in a docstring for the FigStep probe? With a reference and paper link? This seems appropriate enough

Paper title, arxiv link, and reference in acm format of FigStep are added in docstring in 39c57a2.

[DavidLee528]

• The default probe uses 80 images
• Optionally, a "Full" probe uses more images, but is deactivated by default. This can inherit from the 80 image version (or vice versa) - that's a pretty common pattern in garak

Full (size 500) and small (size 80) of FigStep probe classes have been added in de6c6ef.

Additionally, size check logic for self.prompts of those two classes is added in 6784255 and ce23255 respectively.

[leondz]

Detector needs improvement, but this is probably best done with LLM-as-a-judge + the FigStep "instruction" columns (cf e.g. https://github.com/ThuCCSLab/FigStep/blob/main/data/question/SafeBench-Tiny.csv)

[leondz]

We need to work on this, but I'm happy for that to be tracked in a separate issue/PR

[leondz]

pinging llm-as-a-judge issue: #419

[DavidLee528]

Yes! We are working on this now.

[DavidLee528]

We can download two different version (tiny and full) of dataset SafeBench from external repo now!