ML Security PapersARMs: Adaptive Red-Teaming Agent against Multimodal Models with Plug-and-Play Attacks
Zhaorun Chen 1, Xun Liu 2, Mintong Kang 2, Jiawei Zhang 1, Minzhou Pan 3, Shuang Yang 4, Bo Li 1,2,3
Published on arXiv
2510.02677
Input Manipulation Attack
OWASP ML Top 10 — ML01
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
ARMs achieves SOTA attack success rates, improving ASR by an average of 52.1% over baselines and exceeding 90% ASR on Claude-4-Sonnet
ARMs
Novel technique introduced
As vision-language models (VLMs) gain prominence, their multimodal interfaces also introduce new safety vulnerabilities, making the safety evaluation challenging and critical. Existing red-teaming efforts are either restricted to a narrow set of adversarial patterns or depend heavily on manual engineering, lacking scalable exploration of emerging real-world VLM vulnerabilities. To bridge this gap, we propose ARMs, an adaptive red-teaming agent that systematically conducts comprehensive risk assessments for VLMs. Given a target harmful behavior or risk definition, ARMs automatically optimizes diverse red-teaming strategies with reasoning-enhanced multi-step orchestration, to effectively elicit harmful outputs from target VLMs. We propose 11 novel multimodal attack strategies, covering diverse adversarial patterns of VLMs (e.g., reasoning hijacking, contextual cloaking), and integrate 17 red-teaming algorithms into ARMs via model context protocol (MCP). To balance the diversity and effectiveness of the attack, we design a layered memory with an epsilon-greedy attack exploration algorithm. Extensive experiments on instance- and policy-based benchmarks show that ARMs achieves SOTA attack success rates, exceeding baselines by an average of 52.1% and surpassing 90% on Claude-4-Sonnet. We show that the diversity of red-teaming instances generated by ARMs is significantly higher, revealing emerging vulnerabilities in VLMs. Leveraging ARMs, we construct ARMs-Bench, a large-scale multimodal safety dataset comprising over 30K red-teaming instances spanning 51 diverse risk categories, grounded in both real-world multimodal threats and regulatory risks. Safety fine-tuning with ARMs-Bench substantially improves the robustness of VLMs while preserving their general utility, providing actionable guidance to improve multimodal safety alignment against emerging threats.
Key Contributions
- ARMs adaptive red-teaming agent with reasoning-enhanced multi-step orchestration and epsilon-greedy exploration over a layered memory of diverse attack strategies
- 11 novel multimodal attack strategies (reasoning hijacking, contextual cloaking, etc.) and integration of 17 red-teaming algorithms via MCP for plug-and-play composition
- ARMs-Bench: 30K+ multimodal safety dataset across 51 risk categories enabling safety fine-tuning that substantially improves VLM robustness while preserving utility
🛡️ Threat Analysis
Proposes 11 novel multimodal attack strategies that manipulate VLM inputs across visual and text modalities (e.g., contextual cloaking) to elicit harmful outputs, covering adversarial multimodal input manipulation at inference time.