
Stop Reasoning! When Multimodal LLM with Chain-of-Thought Reasoning Meets Adversarial Image

Zefeng Wang, Zhen Han, Shuo Chen, Fan Xue, Zifeng Ding, Xun Xiao, Volker Tresp, Philip Torr, Jindong Gu

TL;DR

This work investigates the adversarial robustness of multimodal LLMs (MLLMs) that employ Chain-of-Thought (CoT) reasoning. By generalizing attacks to target both the rationale and the final answer, and by introducing a novel stop-reasoning attack that forces direct answers, the authors show that CoT provides only marginal robustness under existing attacks, while stop-reasoning can bypass CoT prompts and induce incorrect answers. Experiments on MiniGPT4, OpenFlamingo, and LLaVA across A-OKVQA and ScienceQA demonstrate that stop-reasoning consistently yields the strongest attacks, and the rationale behind CoT offers explainability but also reveals vulnerabilities under adversarial perturbations. Overall, the paper highlights that CoT-induced robustness is limited and that dedicated attacks to halt reasoning are particularly effective, underscoring the need for defenses that address reasoning processes in MLLMs.

Abstract

Multimodal LLMs (MLLMs), with their strong ability to understand text and images, have received great attention. To achieve better reasoning with MLLMs, Chain-of-Thought (CoT) reasoning has been widely explored; it further promotes MLLMs' explainability by exposing intermediate reasoning steps. Despite the strong performance demonstrated by MLLMs in multimodal reasoning, recent studies show that MLLMs still suffer from adversarial images. This raises the following open questions: Does CoT also enhance the adversarial robustness of MLLMs? What do the intermediate reasoning steps of CoT entail under adversarial attacks? To answer these questions, we first generalize existing attacks to CoT-based inference by attacking its two main components, i.e., the rationale and the answer. We find that CoT does improve MLLMs' adversarial robustness against existing attack methods by leveraging the multi-step reasoning process, but not substantially. Based on these findings, we further propose a novel attack method, termed the stop-reasoning attack, that attacks the model while bypassing the CoT reasoning process. Experiments on three MLLMs and two visual reasoning datasets verify the effectiveness of the proposed method. We show that the stop-reasoning attack can result in misled predictions and outperforms baseline attacks by a significant margin.

Paper Structure

This paper contains 30 sections, 5 equations, 22 figures, 5 tables, and 1 algorithm.

Figures (22)

  • Figure 1: Given adversarial images, the answer attack and the rationale attack make an MLLM output an explanation for its incorrect predictions with CoT. The phrases highlighted in red are found to inaccurately depict the actual facts. Apart from these two attacks, the stop-reasoning attack is able to suppress the reasoning process and make an MLLM output an incorrect answer even when the model is explicitly prompted to use CoT.
  • Figure 2: Pipeline. The dotted line indicates a clean prediction with the original image. The solid line visualizes the attack pipeline in one iteration. The adversarial image $v_{adv}$ is built with the corresponding attack method.
  • Figure 3: Models output rationale and answer as prediction without attack. After stop-reasoning attack, models output only the answer. (a) Prediction with CoT. The complete prediction with CoT can be divided into two components: the rationale and the answer. (b) Stop-Reasoning Attack. After stop-reasoning attack, MLLMs skip the reasoning part and output the answer directly without rationale.
  • Figure 4: Rationales with key changes and trivial changes after attacks. (a) Key change visualization. The replication of the answer in the rationale serves as the key information for inferring the answer from the rationale. After the answer attack, the keyword in the rationale is also altered, even though the attack targets only the answer ("D" $\to$ "A"). (b) Trivial change visualization. Again, the replication of the answer is the key information for inferring the answer from the rationale. After the answer attack, the keyword is not changed (the word "books" stays the same), while the other parts of the rationale are changed.
  • Figure 5: Classification of the different types of changes made to the rationale in three victim models under the rationale attack (based on 100 samples per model). The groups "Failure" and "Success" indicate whether the attack failed or succeeded: "Failure" denotes an unsuccessful attack where the model's prediction remains correct, while "Success" denotes a successful attack that changes a correct prediction into an incorrect one.
  • ...and 17 more figures
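The captions for Figures 3 and 4 describe two observable signatures of a successful attack on a CoT-prompted model: the rationale disappears entirely (stop-reasoning), or the rationale still echoes the original option while the final answer has moved (a "trivial change"). The following added example, which is not code from the paper or its authors, implements a defender-side output check for both signatures; the answer phrasing ("The answer is X."), the option map and the word threshold are assumptions about a multiple-choice CoT prompt format.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed CoT answer format: the rationale is followed by "The answer is D." (or "Answer: D").
ANSWER_RE = re.compile(r"(?:the answer is|answer:)\s*\(?([A-E])\)?", re.IGNORECASE)
# Rationales shorter than this are treated as absent (stop-reasoning signature); assumed threshold.
MIN_RATIONALE_WORDS = 5


@dataclass
class CoTCheck:
    rationale: str
    answer: Optional[str]
    rationale_missing: bool    # model skipped reasoning and answered directly
    rationale_mismatch: bool   # rationale names one option, final answer picks another


def split_prediction(text: str) -> Tuple[str, Optional[str]]:
    """Split a CoT prediction into (rationale, answer letter), as in Figure 3(a)."""
    m = ANSWER_RE.search(text)
    if not m:
        return text.strip(), None
    return text[:m.start()].strip(), m.group(1).upper()


def check_cot_output(text: str, options: Dict[str, str]) -> CoTCheck:
    """Flag outputs whose rationale is missing or inconsistent with the chosen option.

    options maps option letters to option text, e.g. {"D": "books"}; the check
    looks for option text echoed in the rationale (the "key information" of Figure 4).
    """
    rationale, answer = split_prediction(text)
    missing = len(rationale.split()) < MIN_RATIONALE_WORDS
    mismatch = False
    if answer is not None and not missing:
        echoed = {k for k, v in options.items() if v.lower() in rationale.lower()}
        mismatch = bool(echoed) and answer not in echoed
    return CoTCheck(rationale, answer, missing, mismatch)


# Constructed sample outputs (not from the paper) for one question with four options.
OPTIONS = {"A": "toys", "B": "plates", "C": "shoes", "D": "books"}
CLEAN = "The shelf in the image is stacked with books, which people read. The answer is D."
STOPPED = "The answer is A."
TRIVIAL_CHANGE = "The shelf in the image is stacked with books, used at school. The answer is A."

if __name__ == "__main__":
    for name, out in [("clean", CLEAN), ("stop-reasoning", STOPPED), ("trivial change", TRIVIAL_CHANGE)]:
        print(name, check_cot_output(out, OPTIONS))
```

In a deployment, either flag would route the prediction to a fallback (re-query, human review, or abstain) rather than trusting the final letter on its own.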