Published on arXiv

2603.01454

Input Manipulation Attack

OWASP ML Top 10 — ML01

Model Denial of Service

OWASP LLM Top 10 — LLM04

Key Finding

VidDoS induces over 205× token expansion and 15× inference latency inflation in Video-LLMs, with simulations showing critical safety violations when deployed against real-time autonomous driving streams

VidDoS

Novel technique introduced


Video-LLMs are increasingly deployed in safety-critical applications but are vulnerable to Energy-Latency Attacks (ELAs) that exhaust computational resources. Current image-centric methods fail because temporal aggregation mechanisms dilute individual frame perturbations. Additionally, real-time demands make instance-wise optimization impractical for continuous video streams. We introduce VidDoS, which is the first universal ELA framework tailored for Video-LLMs. Our method leverages universal optimization to create instance-agnostic triggers that require no inference-time gradient calculation. We achieve this through masked teacher forcing to steer models toward expensive target sequences, combined with a refusal penalty and early-termination suppression to override conciseness priors. Testing across three mainstream Video-LLMs and three video datasets, which include video question answering and autonomous driving scenarios, shows extreme degradation. VidDoS induces a token expansion of more than 205× and inflates the inference latency by more than 15× relative to clean baselines. Simulations of real-time autonomous driving streams further reveal that this induced latency leads to critical safety violations. We urge the community to recognize and mitigate these high-hazard ELAs in Video-LLMs.


Key Contributions

  • First universal Energy-Latency Attack (ELA) framework for Video-LLMs using instance-agnostic triggers that require no inference-time gradient computation, overcoming the dilution problem of frame-level perturbations in temporal aggregation
  • Three novel optimization components — masked teacher forcing, refusal penalty, and early-termination suppression — that steer Video-LLMs toward maximally expensive output sequences
  • Empirical demonstration of 205× token expansion and 15× latency inflation across three Video-LLMs, with simulated safety-critical failures in real-time autonomous driving streams

🛡️ Threat Analysis

Input Manipulation Attack

Uses gradient-based universal adversarial perturbations applied to video frame inputs at inference time to steer model outputs — the core mechanism is adversarial input manipulation of a multimodal model's visual encoder.


Details

Domains
multimodal, vision, nlp
Model Types
vlm, llm
Threat Tags
white_box, inference_time, targeted, digital
Datasets
three video datasets including autonomous driving scenarios (specific names not listed in available text)
Applications
video question answering, autonomous driving perception