Co-Evolutionary Multi-Modal Alignment via Structured Adversarial Evolution

Adversarial behavior plays a central role in aligning large language models with human values. However, existing alignment methods largely rely on static adversarial settings, which fundamentally limit robustness, particularly in multimodal settings with a larger attack surface. In this work, we move beyond static adversarial supervision and introduce co-evolutionary alignment with evolving attacks, instantiated by CEMMA (Co-Evolutionary Multi-Modal Alignment), an automated and adaptive framework for multimodal safety alignment. We introduce an Evolutionary Attacker that decomposes adversarial prompts into method templates and harmful intents. By employing genetic operators, including mutation, crossover, and differential evolution, it enables simple seed attacks to inherit the structural efficacy of sophisticated jailbreaks. The Adaptive Defender is iteratively updated on the synthesized hard negatives, forming a closed-loop process that adapts alignment to evolving attacks. Experiments show that the Evolutionary Attacker substantially increases red-teaming jailbreak attack success rate (ASR), while the Adaptive Defender improves robustness and generalization across benchmarks with higher data efficiency, without inducing excessive benign refusal, and remains compatible with inference-time defenses such as AdaShield.

💡 Research Summary

The paper “Co-Evolutionary Multi-Modal Alignment via Structured Adversarial Evolution” addresses a critical challenge in AI safety: aligning Multimodal Large Language Models (MLLMs) with human values in a dynamic threat landscape. The authors argue that existing alignment methods, which largely rely on static adversarial datasets and fixed training distributions, are fundamentally limited. They fail to keep pace with newly emerging, sophisticated jailbreak strategies, especially in multimodal contexts where the attack surface—combining both image and text—is significantly larger. This creates a robustness gap.

To bridge this gap, the authors propose CEMMA (Co-Evolutionary Multi-Modal Alignment), a novel framework that reconceptualizes safety alignment as a continuous, adaptive co-evolutionary process between an attacker and a defender. The core premise is that successful jailbreaks often share reusable, high-level strategy patterns (e.g., discourse wrappers, role-play scaffolds). CEMMA aims to automatically identify, recombine, and evolve these patterns to generate potent attacks, which in turn are used to iteratively strengthen the defender.

The CEMMA framework operates through two tightly coupled components in a closed loop:

1. The Evolutionary Attacker: This component performs black-box optimization on textual prompts (while keeping visual inputs fixed) against the current defender model. It maintains a population of attack candidates, each consisting of an image, a text prompt, and a harmful intent label. The attacker employs three key genetic operators guided by a scoring LLM judge:

   • Mutation: Generates diverse surface-level variations (rephrasing, style changes) within the same attack family while preserving the core harmful intent and image coherence.
   • Crossover: Transfers effective high-level structural patterns from a successful “parent” attack in one family to improve a failing prompt from another family. This enables non-local, strategic improvements beyond mere paraphrasing.
   • Differential Evolution: Extracts a contrastive “edit direction” by comparing a successful and a failed prompt from the same family. This directional signal is then applied to refine other target prompts, leading to more sample-efficient and targeted improvements. These operators allow simple seed attacks to inherit the structural efficacy of sophisticated jailbreaks, systematically exploring the discrete prompt space to discover new vulnerabilities.

2. The Adaptive Defender: This is the MLLM being aligned. After each round of evolutionary attack, all newly discovered successful jailbreaks (deemed both relevant and successful by the judge) are added to a cumulative archive. The defender is then updated via supervised fine-tuning on a mixture of this evolving archive of “hard negatives” and a benign dataset. Training on the archive directly corrects the exposed failure modes, while mixing with benign data prevents excessive refusal behavior on harmless queries (mitigating the “alignment tax”). This creates a defender that adapts as the attack distribution shifts.

The paper presents extensive experiments to validate CEMMA along two axes. First, it demonstrates that the Evolutionary Attacker alone can significantly boost the Attack Success Rate (ASR) against a fixed black-box defender compared to static baselines, proving the effectiveness of its structured genetic operators for red-teaming. Second, it shows that the full co-evolutionary loop (the Adaptive Defender updated by the attacker’s output) enhances model robustness and generalization across multiple multimodal safety benchmarks (e.g., MM-SafetyBench). Crucially, it achieves this with higher data efficiency—requiring less training data to reach a given level of safety—and without degrading performance on benign tasks. Furthermore, the updated defender remains compatible with and can be enhanced by inference-time defenses like AdaShield, showcasing the framework’s modular, data-centric design.

In summary, CEMMA offers a paradigm shift from static, one-off alignment to a dynamic, continuous process. It automates the generation of high-quality, diverse adversarial data, reducing reliance on manual red-teaming. By framing safety as a co-evolutionary arms race, the work provides a scalable and adaptive framework for securing MLLMs against an ever-evolving landscape of threats. The code is publicly available, facilitating further research and application.