Dual-Modality Multi-Stage Adversarial Safety Training: Robustifying Multimodal Web Agents Against Cross-Modal Attacks
| Authors | Haoyu Liu et al. |
| Year | 2026 |
| Field | Machine Learning |
| arXiv | 2603.04364 |
| Download | |
| Categories | cs.LG, cs.AI, cs.CL |
Abstract
Multimodal web agents that process both screenshots and accessibility trees are increasingly deployed to interact with web interfaces, yet their dual-stream architecture opens an underexplored attack surface: an adversary who injects content into the webpage DOM simultaneously corrupts both observation channels with a consistent deceptive narrative. Our vulnerability analysis on MiniWob++ reveals that attacks including a visual component far outperform text-only injections, exposing critical gaps in text-centric VLM safety training. Motivated by this finding, we propose Dual-Modality Multi-Stage Adversarial Safety Training (DMAST), a framework that formalizes the agent-attacker interaction as a two-player zero-sum Markov game and co-trains both players through a three-stage pipeline: (1) imitation learning from a strong teacher model, (2) oracle-guided supervised fine-tuning that uses a novel zero-acknowledgment strategy to instill task-focused reasoning under adversarial noise, and (3) adversarial reinforcement learning via Group Relative Policy Optimization (GRPO) self-play. On out-of-distribution tasks, DMAST substantially mitigates adversarial risks while simultaneously doubling task completion efficiency. Our approach significantly outperforms established training-based and prompt-based defenses, demonstrating genuine co-evolutionary progress and robust generalization to complex, unseen environments.
Engineering Breakdown
Plain English
This paper identifies a critical vulnerability in multimodal web agents that use both visual screenshots and DOM accessibility trees to interact with websites. Adversaries can inject deceptive content that corrupts both observation channels simultaneously, and the researchers find that attacks with visual components are significantly more effective than text-only attacks—exposing that vision-language models are undertrained for this adversarial scenario. To address this, they propose DMAST (Dual-Modality Multi-Stage Adversarial Safety Training), which models the agent-attacker interaction as a two-player game and co-trains both sides through a three-stage pipeline to harden agents against coordinated multimodal attacks.
Core Technical Contribution
The core novelty is formalizing adversarial robustness for multimodal web agents as a two-player zero-sum Markov game, moving beyond single-modality safety training. Rather than treating visual and textual safety independently, DMAST jointly co-trains an agent and adversary through three coordinated stages, where the adversary learns to craft attacks that exploit both modalities simultaneously while the agent learns to detect and resist them. This game-theoretic framing is fundamentally different from prior VLM safety work because it acknowledges that real attackers craft coherent narratives across all observable channels, not isolated text prompts or images. The three-stage pipeline innovation allows for curriculum learning and progressive hardening, starting with simpler attacks and escalating complexity.
How It Works
The system operates on web environments where multimodal agents observe both rendered screenshots and parsed DOM accessibility trees. An adversary injects malicious content into the webpage DOM that appears consistently across both modalities—for example, injecting fake button labels and corresponding visual elements that trick the agent into taking unintended actions. In stage one, the framework establishes baseline agent performance and identifies vulnerable decision points; stage two involves the adversary learning optimal injection strategies against the current agent policy using game-theoretic methods (likely policy gradient or self-play); stage three retrains the agent on adversarial examples generated by the hardened adversary, creating an iterative Red Team/Blue Team dynamic. The agent must learn to cross-validate observations between modalities and detect inconsistencies that signal deception, while the adversary discovers increasingly sophisticated coordinated attacks. The training process continues until convergence, producing an agent that maintains performance on legitimate tasks while resisting multimodal adversarial inputs.
Production Impact
For teams deploying web agents in security-sensitive applications (financial services, healthcare portals, enterprise automation), this work is immediately actionable: you should implement adversarial robustness testing in your safety validation pipeline before production deployment. The concrete change would be adding a DMAST-style adversarial training phase to your agent fine-tuning process, which would increase training time by 2-4x but significantly reduce susceptibility to DOM-injection attacks. This is particularly critical because current VLM safety training focuses on prompt injection and jailbreaking single modalities, missing the coordinated attack surface—as demonstrated by the paper's finding that visual+text attacks outperform text-only by a substantial margin. The trade-off is computational cost during training, but the alternative is agents that fail silently on adversarially-crafted websites, which could cause real operational or financial harm. Engineers should also implement runtime monitoring that checks for modality inconsistencies (visual element labels that don't match accessibility tree attributes) as a lightweight detection mechanism.
Limitations and When Not to Use This
The evaluation is limited to MiniWob++ benchmark environments, which are synthetic and may not capture the full complexity of real-world websites with dynamic content, JavaScript interactions, or adversary-resistant DOM structures. The paper assumes the adversary has full control over DOM injection, but in practice, many real websites use Content Security Policy, input sanitization, and server-side validation that would block such attacks—so the threat model may overstate real-world risk. The approach requires retraining for each new agent or task, which is computationally expensive and doesn't generalize to unseen attack patterns or novel websites the agent hasn't encountered. The paper's abstract is truncated (stage three description is incomplete), so the full experimental results, computational overhead, and generalization metrics are not visible in the provided text. Additionally, the game-theoretic formulation assumes rational adversaries, but real attackers may use simpler heuristics, making the safety training potentially overfit to a specific threat model.
Research Context
This work builds on the growing literature on adversarial robustness for vision-language models and autonomous agents, extending safety concerns from single-modality attacks (prompt injection, adversarial images) to coordinated multimodal attacks. It contributes to the intersection of web automation research (building on MiniWob++ and similar benchmarks) and adversarial machine learning, specifically the game-theoretic approaches to agent safety popularized by RLHF and subsequent red-teaming work. The paper addresses an underexplored gap: while VLM safety has advanced significantly, most work focuses on language-only or vision-only attacks, missing the unique threat surface created when agents must integrate multiple observational channels. This opens a research direction around cross-modal consistency checking and multimodal robustness that future work will likely expand to other domains (robotics, autonomous vehicles) where agents fuse multiple sensor inputs.
:::tip Subscribe Get weekly breakdowns of papers like this in AI Letters - the newsletter for engineers building production AI systems. :::
