Benchmarking Zero-Shot Robustness of Multimodal Foundation Models: A Pilot Study

Chenguang Wang, Ruoxi Jia, Xin Liu, Dawn Song

TL;DR

The paper introduces RoZ, a robustness benchmark for zero-shot image classification in multimodal foundation models, and uses CLIP as a pilot to study robustness across seven natural distribution shifts, three synthetic distribution shifts, and eleven adversarial attacks. It finds that CLIP exhibits robustness gains under natural distribution shifts but sizeable weaknesses under synthetic distribution shifts and adversarial attacks, with typographic attacks causing substantial degradation. The authors argue that the observed natural-shift robustness may be driven in part by data overlap between pretraining data and test sets, and they show that prompt learning (CLIP-Auto) yields limited improvements in robustness. The study emphasizes the need for comprehensive robustness evaluations in real-world deployments and invites future work on data cleaning, adversarially robust prompt learning, and zero-shot multimodal models with improved robustness.

Abstract

Pre-training image representations from the raw text about images enables zero-shot vision transfer to downstream tasks. Through pre-training on millions of samples collected from the internet, multimodal foundation models, such as CLIP, produce state-of-the-art zero-shot results that often reach competitiveness with fully supervised methods without the need for task-specific training. Besides the encouraging performance on classification accuracy, it is reported that these models close the robustness gap by matching the performance of supervised models trained on ImageNet under natural distribution shift. Because robustness is critical to real-world applications, especially safety-critical ones, in this paper, we present a comprehensive evaluation based on a large-scale robustness benchmark covering 7 natural and 3 synthetic distribution shifts, and 11 adversarial attacks. We use CLIP as a pilot study. We show that CLIP leads to a significant robustness drop compared to supervised ImageNet models on our benchmark, especially under synthetic distribution shift and adversarial attacks. Furthermore, data overlap analysis suggests that the observed robustness under natural distribution shifts could be attributed, at least in part, to data overlap. In summary, our evaluation shows that a comprehensive evaluation of robustness is necessary, and that there is a significant need to improve the robustness of zero-shot multimodal models.

Paper Structure (41 sections, 12 figures, 14 tables)

This paper contains 41 sections, 12 figures, 14 tables.

Figures (12)

  • Figure 1: Summary of results on our RoZ benchmark. An ideal robust model (dashed line) performs equally well on the ImageNet distribution and other distributions. Multimodal models such as CLIP improve robustness only on the test sets in (a) and fail to improve it on the test sets in (b) of our benchmark. Red: standard ImageNet models. Blue: zero-shot CLIP models. Purple: CLIP-Auto models.
  • Figure 2: Zero-shot multimodal CLIP fails to significantly improve the robustness over standard ImageNet models on our RoZ benchmark. Red: standard ImageNet models. Blue: zero-shot CLIP models. Purple: CLIP-Auto models. The notable outlier to this trend is CLIP on natural distribution shifts. In particular, we observe a significant performance drop in robustness on our ImageNet-T and CIFAR-10-T. The original CLIP and CLIP-Auto perform similarly on all the test sets.
  • Figure 3: Our ImageNet-T samples. We show the gold class (upper) and the target class (lower) of each sample.
  • Figure 4: Model accuracies on two synthetic distribution shifts. Different from the results on natural distribution shifts, we show that CLIP fails to improve the robustness compared to standard models. Red: standard ImageNet models. Blue: zero-shot CLIP models. Purple: CLIP-Auto models.
  • Figure 5: Model accuracies under typographic attacks on our ImageNet-T and CIFAR-10-T. Red: standard ImageNet models. Blue: zero-shot CLIP models. Purple: CLIP-Auto models.
  • ...and 7 more figures