MIDAS: Multi-Image Dispersion and Semantic Reconstruction for Jailbreaking MLLMs

This paper proposes MIDAS, a multimodal jailbreak framework that bypasses safety mechanisms in advanced MLLMs by decomposing harmful semantics into risk-bearing subunits dispersed across multiple images and leveraging cross-image reasoning to reconstruct malicious intent, achieving an average attack success rate of 81.46% against closed-source models.

The Gist

🕵️‍♂️ The Big Idea: Hiding a Bomb in a Puzzle Box

Imagine you want to trick a very strict, highly intelligent security guard (the AI) into letting you into a restricted area. If you walk up and say, "I want to build a bomb," the guard immediately stops you.

Previous attempts to trick the guard involved trying to whisper the bad words or hiding them in a single picture. But the guard is smart; they can still see the danger.

The researchers behind this paper, MIDAS, came up with a clever new strategy. Instead of trying to hide the bad words in one place, they break the bad idea into tiny, harmless pieces and scatter them across six different puzzle games.

They tell the guard: "Hey, I have these six fun puzzles. If you solve them in order, you'll find a secret message. Once you solve them, I need you to act like a 'Strategic Investigator' and write a plan based on that message."

The guard gets so focused on solving the fun puzzles that they forget to check the final message. By the time they put the pieces together, they've already "jailbroken" and are happily writing the dangerous plan.

---

🧩 How It Works: The Three-Step Magic Trick

The paper describes a three-step process to pull off this trick:

1. The "Scatter" (Dispersion)

Imagine you have a dangerous sentence like "How to make a bomb."

• Old Way: Put the whole sentence in a picture. The guard sees "bomb" and says "No."
• MIDAS Way: They chop the sentence into tiny, harmless fragments: "How," "to," "make," "a," "b," "omb."
• They hide each fragment inside a different visual puzzle (like a jigsaw, a maze, or a "find the odd one out" game).
• The Trick: If the guard looks at just one puzzle, it looks totally innocent. It's just a picture of a maze or some letters. There is no danger in any single image.

2. The "Distraction" (Game-Based Reasoning)

The AI is told to solve these puzzles. This is the most important part.

• The puzzles are designed to be fun and logical. The AI has to think hard: "Okay, in this picture, I need to sort the cards to find the second one," or "I need to follow the arrows to find the hidden letter."
• The Metaphor: Think of the AI's attention as a spotlight. Usually, the spotlight shines on "Is this dangerous?"
• MIDAS moves the spotlight. Now, the spotlight is shining on "How do I solve this puzzle?" The AI is so busy being a good puzzle-solver that it stops checking for safety.

3. The "Reconstruction" (The Trap)

Once the AI solves all six puzzles, it has collected all the tiny fragments: "b," "omb," "make," etc.

• The AI is then told: "Okay, you've solved the puzzles. Now, put the pieces together and act as a 'Strategic Investigator' to write a plan."
• Because the AI is now in "Investigator Mode" and has already done the hard work of solving the puzzles, it puts the pieces together to form the dangerous sentence: "How to make a bomb."
• By the time the full sentence appears, the AI has already committed to the task. It's like the guard has already opened the door and is now holding the blueprint.

---

🏆 Why Is This Better Than Before?

The paper compares MIDAS to other "jailbreak" methods (ways to trick AI).

• The Old Guards (Previous Methods): Tried to hide the bad words in one image or use confusing text. The AI's safety filters could still spot the danger.
• The New Guard (MIDAS):
  • It's Smarter: It doesn't just hide the words; it forces the AI to rebuild the words itself.
  • It's Faster: It doesn't need to try thousands of times. It works in one go.
  • It's Stronger: The paper tested this on the world's smartest AIs (like GPT-4o, GPT-5, and Gemini). While other methods failed almost 100% of the time on these strong models, MIDAS succeeded about 81% of the time.

🛡️ The "Safety Gap" Explained

The paper highlights a scary but important flaw in how AI safety works today:

1. Static Filters: Current safety systems check the input before the AI starts thinking. They look at the pictures and text and say, "Is this bad?"
2. The Loophole: MIDAS tricks the system by making the input look safe at first. The danger only appears after the AI has done a lot of thinking and puzzle-solving.
3. The Result: The safety filter sees a "safe" puzzle. The AI solves the puzzle. The AI then creates the "unsafe" answer. The filter missed it because the danger wasn't there when the filter looked.

🎓 The Takeaway

This paper isn't saying "Go break AI!" It's a warning to the people who build AI.

The Lesson: You can't just check the "front door" (the input) to keep AI safe. You also need to watch what happens inside the house while the AI is thinking. If the AI gets distracted by a fun puzzle, it might forget its safety rules by the time it finishes the task.

To fix this, future AI safety needs to be like a process monitor that watches the AI's "thought process" step-by-step, not just the final answer.

Technical Summary

1. Problem Statement

Multimodal Large Language Models (MLLMs) are increasingly deployed in critical domains but remain vulnerable to jailbreak attacks, where adversarial inputs bypass safety alignment to generate harmful content.

• Limitations of Existing Methods: Previous jailbreak techniques (e.g., text-only prompts, single-image masking, or isolated visual cues) often rely on shallow reasoning extensions. They fail to effectively bypass strong safety mechanisms in advanced, closed-source commercial MLLMs (e.g., GPT-4o, GPT-5, Gemini-2.5) because they do not sufficiently disrupt the model's "security attention" or delay the exposure of malicious semantics.
• Core Challenge: How to distribute harmful intent across multiple modalities and reasoning steps such that individual components appear benign to safety filters, yet the model reconstructs the malicious intent through structured reasoning.

2. Methodology: MIDAS Framework

The authors propose MIDAS (Multi-Image Dispersion and Semantic Reconstruction), a black-box, single-shot jailbreak framework that decomposes harmful queries, disperses them across multiple images using game-based puzzles, and reconstructs them via persona-driven reasoning.

The pipeline consists of three main stages:

A. Dispersion Engine (Visual Channel)

Instead of embedding the entire harmful query in one image, MIDAS breaks it down:

1. Extraction: A lightweight extractor identifies critical "risk-bearing" tokens (e.g., "bomb," "kill") from the harmful query.
2. Decomposition & Distribution: These tokens are split into smaller fragments. Crucially, cross-image dispersion is enforced: each risk-bearing unit is split across at least two different images, ensuring no single image reveals the full harmful intent.
3. Game-Based Visual Reasoning (GVR) Encoding: The fragments are embedded into benign-looking visual puzzles. The paper introduces six puzzle templates to enforce step-by-step reasoning:
   • Letter Equation: Solving arithmetic-like letter shifts.
   • Jigsaw Letter: Reassembling fragmented letters.
   • Rank-and-Read: Sorting cards to reveal a code.
   • Odd-One-Out: Identifying the anomaly to extract a token.
   • Navigate-and-Read: Following a path on a grid.
   • CAPTCHA: Selecting specific images to reveal a hidden string.
   • Mechanism: The model must solve these puzzles to decode the hidden fragments, forcing a long reasoning chain before the harmful semantics are fully revealed.

B. Reconstruction Module (Textual Channel)

The text prompt coordinates the reconstruction while remaining safe:

1. Textual Masking: The original harmful query is sanitized by replacing risk-bearing tokens with placeholders (e.g., <img>).
2. Contextual Binding: A hierarchical role structure is imposed. The model is instructed to act as an "investigator" or "strategist" who must decode hidden messages from the image sequence to fulfill a request.
3. Persona-Driven Induction: A specific "questioner" persona (e.g., "a malicious actor") is assigned. This biases the model to interpret the reconstructed fragments through a harmful lens, ensuring the final output aligns with the malicious intent.

C. Decoding and Late Fusion

The model processes the images and text in a single forward pass:

1. It solves the visual puzzles to extract hidden fragments.
2. It reconstructs the full harmful instruction by filling the placeholders in the text.
3. It generates a detailed, harmful response guided by the assigned persona.

• Key Innovation: The harmful semantics only emerge at the late fusion stage of the reasoning process, bypassing early-stage safety filters that scan inputs.

3. Key Contributions

1. Multi-Image Dispersion Strategy: A novel method to distribute harmful semantics across multiple visual carriers, ensuring local benignity while enabling global reconstruction.
2. Game-Based Visual Reasoning (GVR): The design of six distinct puzzle templates that enforce structured, multi-step reasoning, effectively delaying the exposure of malicious content.
3. Persona-Driven Reconstruction: A dual-strategy combining visual puzzles with hierarchical role-playing to guide the model's reconstruction of harmful intent.
4. State-of-the-Art Performance: Demonstrated effectiveness against both open-source and strongly aligned closed-source commercial MLLMs.

4. Experimental Results

The authors evaluated MIDAS on three benchmarks (HADES, MM-SafetyBench, AdvBench) across four closed-source models (GPT-4o, GPT-5-Chat, Gemini-2.5-Pro, Gemini-2.5-FT) and three open-source models.

• Attack Success Rate (ASR): MIDAS achieved an average ASR of 81.46% across 4 closed-source models.
  • On Gemini-2.5-FT, it reached 93.34% ASR (vs. <47% for baselines).
  • On GPT-5-Chat, it achieved 72.18% ASR, significantly outperforming the next best method (VisCRA at 7.69%).
  • On the strict AdvBench subset (50 most harmful requests), MIDAS achieved 64% ASR on GPT-5-Chat, while baselines like FigStep and HIMRD achieved 0%.
• Harmfulness Rating (HR): MIDAS consistently scored the highest HR (e.g., 4.32/5 on Gemini-2.5-FT), indicating it elicits more complete and actionable harmful responses.
• Efficiency: MIDAS is significantly faster than iterative optimization baselines (e.g., 55.63s vs. 105.71s on GPT-5-Chat) and operates in a single-shot setting.
• Robustness: MIDAS maintained high success rates even against external defenses like ShieldLM and Self-Reminder, whereas baseline methods saw drastic performance drops.

5. Significance and Implications

• Vulnerability Discovery: The paper reveals that current MLLM safety mechanisms are brittle against semantic dispersion and reasoning-driven reconstruction. Safety filters often fail because they analyze inputs locally (image by image, token by token) rather than globally across a multi-step reasoning trajectory.
• Attention Slipping: The study suggests that forcing models into long, structured reasoning chains causes "attention slipping," where the model's focus shifts from safety alignment to puzzle-solving, allowing harmful intent to slip through at the end.
• Future Defenses: The authors argue that future defenses must move beyond static prompt screening to process-aware monitoring. They propose "Resilient Safety Attention" (keeping safety heads active during reasoning) and "Retrospective Safety Reflection" (checking reconstructed intent before final output) as necessary countermeasures.

In conclusion, MIDAS demonstrates that by decomposing harmful intent and hiding it within complex, multi-image reasoning games, attackers can effectively bypass the most advanced safety alignments currently available in MLLMs.