Attacking LLMs via Additional Modalities a

Mitigation strategy

1. Implement Layered Input Sanitization and Inspection Mandate the application of a comprehensive, layered defense pipeline that subjects all multimodal inputs to rigorous preprocessing. This includes treating all text and instruction-bearing content extracted from media (e.g., images, video frames) as untrusted, applying both rule-based and machine learning content classifiers to detect malicious instructions, and utilizing noise reduction or smoothing techniques (e.g., SmoothGuard) to neutralize gradient-based adversarial perturbations before the input reaches the core LLM. 2. Employ Adversarial Training and Cross-Modal Consistency Checks Enhance model intrinsic robustness through a regimen of adversarial training, exposing the model to a wide array of synthesized cross-modal attack examples (e.g., perturbed images paired with benign text). Integrate real-time cross-modal consistency checks during inference to enforce semantic alignment between modalities, flagging inputs where, for instance, a visual cue (even if manipulated) contradicts the safety-aligned text output or system instructions, thereby preventing cross-modal exploits. 3. Enforce Least-Privilege Policy Gating for Triggered Actions Establish strict policy and access controls to mitigate the impact of a successful prompt injection. Specifically, enforce least-privilege principles for all tool-calling, external access, and data exfiltration capabilities. All actions or outputs triggered by a multimodal input must pass through an explicit policy gate for approval, with comprehensive logging and auditing of tool invocations and, ideally, execution within an isolated sandboxed environment to contain potential system damage.