Multimodal Large Language Models (MLLMs) have shown great promise but require substantial computational resources during inference. Attackers can exploit this by inducing excessive output, leading to resource exhaustion and service degradation. Prior energy-latency attacks aim to increase generation time by broadly shifting the output token distribution away from the EOS token, but they neglect the influence of token-level Part-of-Speech (POS) characteristics on EOS and sentence-level structural patterns on output counts, limiting their efficacy. To address this, we propose LingoLoop, an attack designed to induce MLLMs to generate excessively verbose and repetitive sequences. First, we find that the POS tag of a token strongly affects the likelihood of generating an EOS token. Based on this insight, we propose a POS-Aware Delay Mechanism to postpone EOS token generation by adjusting attention weights guided by POS information. Second, we identify that constraining output diversity to induce repetitive loops is effective for sustained generation. We introduce a Generative Path Pruning Mechanism that limits the magnitude of hidden states, encouraging the model to produce persistent loops. Extensive experiments on models like Qwen2.5-VL-3B demonstrate LingoLoop's powerful ability to trap them in generative loops; it consistently drives them to their generation limits and, when those limits are relaxed, can induce outputs with up to 367x more tokens than clean inputs, triggering a commensurate surge in energy consumption. These findings expose significant vulnerabilities in MLLMs, posing challenges for their reliable deployment.
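The abstract describes outputs that suppress EOS and fall into persistent loops until the generation limit is hit. As a serving-side illustration (an added example, not code from the paper), the sketch below stops decoding when the tail of the output becomes periodic or a token budget is reached. The function names, thresholds, `EOS` string and token streams are all constructed for this sketch.

```python
from itertools import chain, count, cycle

EOS = "</s>"  # constructed end-of-sequence marker for this sketch

def trailing_loop_period(tokens, max_period=32, min_repeats=4):
    """Shortest p such that the last p*min_repeats tokens are min_repeats
    copies of one p-token block; 0 when the tail is not periodic."""
    n = len(tokens)
    for p in range(1, max_period + 1):
        span = p * min_repeats
        if span > n:
            break
        tail = tokens[n - span:]
        if all(tail[i] == tail[i - p] for i in range(p, span)):
            return p
    return 0

def guarded_generate(stream, max_new_tokens=256, check_every=8):
    """Consume a token iterator; stop on EOS, on a detected loop, or on budget.
    Returns (tokens, stop_reason)."""
    out = []
    for tok in stream:
        if tok == EOS:
            return out, "eos"
        out.append(tok)
        if len(out) % check_every == 0 and trailing_loop_period(out):
            return out, "loop"
        if len(out) >= max_new_tokens:
            return out, "budget"
    return out, "exhausted"

# Constructed token streams standing in for a model's decoder output.
def benign_stream():
    return iter("a photo of a dog on the beach .".split() + [EOS])

def looping_stream():  # never emits EOS, repeats a 4-token phrase
    return chain(["the", "image", "shows"], cycle(["a", "cat", ",", "and"]))

def verbose_stream():  # never emits EOS, never repeats
    return (f"tok{i}" for i in count())

if __name__ == "__main__":
    for name, s in [("benign", benign_stream()), ("looping", looping_stream()),
                    ("verbose", verbose_stream())]:
        toks, reason = guarded_generate(s, max_new_tokens=64)
        print(f"{name:8s} stopped after {len(toks):3d} tokens: {reason}")
```

The loop check catches the repetitive case early, while the hard budget remains the backstop for verbose output that never repeats exactly.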