ML Security PapersGRM: Utility-Aware Jailbreak Attacks on Audio LLMs via Gradient-Ratio Masking
Yunqiang Wang , Hengyuan Na , Di Wu , Miao Hu , Guocong Quan
Published on arXiv
2604.09222
Input Manipulation Attack
OWASP ML Top 10 — ML01
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
Achieves 88.46% average jailbreak success rate across four ALLMs while preserving transcription quality better than full-band baselines
GRM (Gradient Ratio Masking)
Novel technique introduced
Audio large language models (ALLMs) enable rich speech-text interaction, but they also introduce jailbreak vulnerabilities in the audio modality. Existing audio jailbreak methods mainly optimize jailbreak success while overlooking utility preservation, as reflected in transcription quality and question answering performance. In practice, stronger attacks often come at the cost of degraded utility. To study this trade-off, we revisit existing attacks by varying their perturbation coverage in the frequency domain, from partial-band to full-band, and find that broader frequency coverage does not necessarily improve jailbreak performance, while utility consistently deteriorates. This suggests that concentrating perturbation on a subset of bands can yield a better attack-utility trade-off than indiscriminate full-band coverage. Based on this insight, we propose GRM, a utility-aware frequency-selective jailbreak framework. It ranks Mel bands by their attack contribution relative to utility sensitivity, perturbs only a selected subset of bands, and learns a reusable universal perturbation under a semantic-preservation objective. Experiments on four representative ALLMs show that GRM achieves an average Jailbreak Success Rate (JSR) of 88.46% while providing a better attack-utility trade-off than representative baselines. These results highlight the potential of frequency-selective perturbation for better balancing attack effectiveness and utility preservation in audio jailbreak. Content Warning: This paper includes harmful query examples and unsafe model responses.
Key Contributions
- Frequency-selective jailbreak framework that perturbs only high-impact Mel bands identified via gradient-ratio ranking
- Demonstrates that full-band perturbation is suboptimal—selective band perturbation achieves better attack-utility trade-off
- Universal perturbation approach under semantic-preservation objective for reusable audio jailbreaks
🛡️ Threat Analysis
Gradient-based adversarial perturbation attack on audio inputs to ALLMs, causing the model to generate harmful responses at inference time. The attack uses frequency-domain optimization to craft adversarial audio examples that jailbreak safety alignment.