Unaligning Everything: Or Aligning Any Text to Any Image in Multimodal Models

TL;DR

This paper reveals a fundamental vulnerability in multimodal models with shared embedding spaces: using a gradient-based Embedding Alignment Procedure, one can minimally perturb an image so that its embedding matches the embedding of any target text, effectively aligning unrelated images with arbitrary texts. The method is model- and dataset-agnostic and achieves high success across ImageBind and other multimodal models, with convincing demonstrations on ImageNet, MS-COCO, and toxic-text datasets. The study shows that semantically unrelated images can share text embeddings while visually identical images can map to different texts, raising questions about the semantic meaning of aligned embeddings and the robustness of zero-shot capabilities. It also discusses detection and potential mitigations, emphasizing the need for alignment-sensitive design choices and further evaluation for secure deployment of multimodal systems.

Abstract

Utilizing a shared embedding space, emerging multimodal models exhibit unprecedented zero-shot capabilities. However, the shared embedding space could lead to new vulnerabilities if different modalities can be misaligned. In this paper, we extend and utilize a recently developed effective gradient-based procedure that allows us to match the embedding of a given text by minimally modifying an image. Using the procedure, we show that we can align the embeddings of distinguishable texts to any image through unnoticeable adversarial attacks in joint image-text models, revealing that semantically unrelated images can have embeddings of identical texts and at the same time visually indistinguishable images can be matched to the embeddings of very different texts. Our technique achieves 100\% success rate when it is applied to text datasets and images from multiple sources. Without overcoming the vulnerability, multimodal models cannot robustly align inputs from different modalities in a semantically meaningful way. \textbf{Warning: the text data used in this paper are toxic in nature and may be offensive to some readers.}

Figures (14)

• Figure 1: Typical examples from ImageNet obtained using the proposed framework. The visually indistinguishable images have different representations from each other as shown in their low-dimensional projections. Note that the arrow in the title ($original \rightarrow target$) signifies a derived image from the original one by aligning the embedding of the original image with the target text embedding using our method. The projections of embedding-aligned images closely resemble the projections of the aligned text. The matrix shows the classification outcomes from the multimodal ImageBind pretrained model used directly with no modifications; each row corresponds to one image.
• Figure 2: Low-dimensional projections of the embeddings of images and texts, showing texts and images share the same embedding space. We use all of the toxic comments (i.e., 992) from the 1,2,3-tokens toxic dataset and the same number of strawberry and cauliflower images from ImageNet.
• Figure 3: (top) More examples involving ImageNet and 1,2,3-tokens toxic dataset, where visually indistinguishable images have very different representations via embedding alignment with the corresponding texts and therefore very different classification outcomes (as shown in the classification probabilities; each row in the matrix corresponds to one image (from left to right)). (bottom) Visually very different images have very similar embeddings, aligned and classified to a particular text.
• Figure 4: The evolution of loss while matching a target embedding. (left) the loss w.r.t. steps. (right) the cosine similarity between the embeddings of the new input and the target w.r.t. the steps, along with the average pixel value difference between the new input and the original image.
• Figure 5: (to be viewed in color) Cosine similarity distribution. The red and green ones stand for the cosine similarity values corresponding to pairs of texts (i.e., embeddings) from the two toxic datasets considered. The blue one shows the distribution of cosine similarities of the embeddings of embedding-aligned image and text pair from the ImageNet and toxic dataset. As the cosine similarities of toxic data pairs do not overlap with other embeddings, potential mapping opportunities exist.