Sparse Autoencoders as Plug-and-Play Firewalls for Adversarial Attack Detection in VLMs

Researchers propose SAEgis, a lightweight adversarial attack detection framework using sparse autoencoders (SAEs) to protect vision-language models from adversarial perturbations. The plug-and-play method requires no additional adversarial training and demonstrates strong cross-domain generalization, addressing a critical safety gap in increasingly deployed VLM systems.

Vision-language models have achieved remarkable capabilities but face a concerning vulnerability: adversarial attacks that exploit their perception systems remain largely undefended. SAEgis addresses this gap by leveraging sparse autoencoders—a technique from interpretability research—as a detection mechanism. The approach works by training an SAE module on a pretrained VLM's hidden representations, enabling it to distinguish adversarially perturbed inputs from clean ones based on learned sparse latent features that naturally encode attack-relevant information.

This development reflects a broader shift in AI safety research toward efficient, modular defenses. Rather than retraining entire models or deploying computationally expensive adversarial training regimens, SAEgis offers a lightweight post-hoc solution. The research demonstrates that sparse representations capture meaningful vulnerability signals, suggesting that interpretability techniques could play a underappreciated role in AI robustness.

For deployment contexts—particularly agent-based systems making real-world decisions based on visual input—the implications are significant. A detection mechanism that generalizes across different attack types and domains substantially reduces the risk surface. The ability to combine signals from multiple layers further enhances robustness without proportional computational cost.

Future work should examine whether SAE-based detection transfers to adversarially trained models, whether adaptive attacks can circumvent the detection mechanism, and how detection signals could inform downstream system responses. As VLMs become embedded in safety-critical applications, the availability of practical, non-invasive safety layers creates opportunities for more robust real-world deployments without architectural constraints.

• →Sparse autoencoders naturally capture adversarial perturbation signals when trained on VLM hidden representations, enabling reliable attack detection.
• →SAEgis requires no adversarial training or model retraining, making it a practical plug-and-play defense for existing deployed systems.
• →The method shows strong cross-domain generalization, a critical advantage for real-world deployment where attack types and data distributions vary.
• →Multi-layer signal fusion improves detection robustness and stability, suggesting redundancy across model depths encodes vulnerability information.
• →This represents the first systematic application of sparse autoencoders to adversarial detection in VLMs, opening new research directions in interpretability-based safety.