Audio-language models combine audio encoders with large language models to enable multimodal reasoning, but they also introduce new security vulnerabilities. We propose a universal targeted latent space attack, an encoder-level adversarial attack that manipulates audio latent representations to induce attacker-specified outputs in downstream language generation. Unlike prior waveform-level or input-specific attacks, our approach learns a universal perturbation that generalizes across inputs and speakers and does not require access to the language model. Experiments on Qwen2-Audio-7B-Instruct demonstrate consistently high attack success rates with minimal perceptual distortion, revealing a critical and previously underexplored attack surface at the encoder level of multimodal systems.

翻译：音频-语言模型将音频编码器与大语言模型相结合，实现了多模态推理，但也引入了新的安全漏洞。我们提出了一种通用的目标潜在空间攻击，这是一种编码器层面的对抗性攻击，通过操纵音频潜在表征来诱导下游语言生成产生攻击者指定的输出。与以往的波形层面或输入特定的攻击不同，我们的方法学习一种通用扰动，该扰动能够泛化到不同输入和说话者，且无需访问语言模型。在 Qwen2-Audio-7B-Instruct 上的实验表明，该方法在保持最小感知失真的同时，实现了持续较高的攻击成功率，揭示了多模态系统在编码器层面一个关键且此前未被充分探索的攻击面。