TRIAD Framework: Building an Active Defense System Against Multi-turn Multimodal Attacks Using Survival Prediction Theory

For distributed progressive cross-modal attacks faced by multimodal large language models (MLLMs) in multi-turn dialogues, researchers propose the TRIAD three-layer anomaly defense framework, which converts security verification into a dynamic survival prediction problem. Through structural anomaly detection, trajectory topology analysis, and a time-varying Cox risk model, it achieves early warning of malicious drift.

Traditional adversarial attacks focus on single-turn input perturbation optimization, but new distributed progressive attacks disperse malicious intent into multi-turn multimodal dialogue trajectories, achieving their goals through cumulative structural contamination. Such attacks have non-stationarity (strategies adjust dynamically with the dialogue) and cumulative (malicious effects accumulate gradually) characteristics. Existing static defenses are limited by the Markov assumption—they only judge based on the current state and ignore historical anomaly accumulation patterns.

The first layer of defense focuses on changes in the geometric structure of the feature space. In the high-dimensional embedding space, the semantics of multi-turn dialogues form a specific distribution pattern, and attackers injecting malicious content will cause covariance shift. TRIAD uses the Ledoit-Wolf regularized Mahalanobis distance to quantify the shift (which offers better numerical stability in high-dimensional sparse scenarios), establishes a statistical profile of dialogue states, continuously monitors the deviation of each dialogue turn in the embedding space from the historical distribution, and raises the alert level when a significant covariance shift is detected.

The second layer introduces a differential geometry perspective, treating dialogue trajectories as curves on a manifold. By calculating the curvature, torsion, and acceleration vectors of the trajectory, it distinguishes two movement modes:

• Benign exploration: Semantic trajectories exhibit Brownian motion characteristics, with random directions and acceleration conforming to a normal distribution;
• Malicious drift: Trajectories are directional, with acceleration vectors continuously pointing to dangerous areas, forming significant directional drift. The core of this layer is topological trajectory acceleration calculation, which computes geometric features through a sliding time window and performs hypothesis testing against the historical distribution of benign trajectories. When an abnormal acceleration pattern is detected, it triggers fine-grained analysis.

The third layer is the decision core, integrating the geometric features from the first two layers into a time-varying Cox proportional hazards model. It defines the "failure event" as the moment when the model output violates the security policy, and "survival time" as the expected time from the start of the dialogue to the violation. The time-varying nature of the model is reflected in the dynamic adjustment of risk coefficients as the dialogue progresses. Through a Bayesian Hidden Markov Model (HMM) feedback loop, it updates the dialogue risk state estimation in real time, and has predictability—not only detecting already occurred anomalies but also predicting the future probability distribution of violations.

TRIAD provides strict theoretical guarantees: under adversarial perturbations, the expected failure time of the framework has a mathematical upper bound, and the acceleration of malicious trajectories diverges positively, allowing early warning before the attack reaches the critical point. In terms of computational efficiency, covariance monitoring is implemented through incremental updates, trajectory geometric feature calculation can be parallelized, and Cox model inference has mature approximate algorithms. The overall inference delay reaches the millisecond level, meeting the real-time requirements of online services.

TRIAD represents a paradigm shift in AI security: from static to dynamic (continuous monitoring of the entire dialogue lifecycle), from detection to prediction (pre-event warning), and from rules to statistics (data-driven models have strong generalization capabilities). For developers, this framework can be deployed as a lightweight middleware at the inference layer without retraining the model. Limitations include baseline establishment (requiring a large amount of high-quality user interaction data) and false positive control (needing fine parameter tuning). Future directions: introducing reinforcement learning into defense strategy optimization, exploring cross-modal attention anomaly detection, and building large-scale adversarial dialogue datasets to verify robustness.