Attacks on multimodal models

Viacheslav Iablochnikov, Alexander Rogachev

TL;DR

The paper investigates security vulnerabilities in multimodal models that fuse vision and language, examining universal adversarial perturbations and patch-based attacks on CLIP-ViT and on derived systems such as LLaVA. It uses gradient-based optimization to craft patches and evaluates the transferability of the attacks across ViT backbones and modalities, including video processing. Key findings show high attack efficacy: patch attacks achieve substantial success rates, patches that carry text increase the impact, and augmentations during patch training improve cross-model transferability. The work underscores substantial safety risks in deploying open-source multimodal components, highlighting the need for robust defenses and careful component selection in real-world applications.

Abstract

Today, models capable of working with several modalities simultaneously in a chat format are gaining increasing popularity. At the same time, such models are exposed to potential attacks, especially since many of them are built from open-source components. It is important to study whether the vulnerabilities of these components are inherited and how dangerous this can be when such models are used in industry. This work is dedicated to researching various types of attacks on such models and evaluating how well the attacks generalize. Modern VLMs (LLaVA, BLIP, etc.) often reuse pre-trained parts of other models, so the main part of this research focuses on those parts, specifically on the CLIP architecture and its image encoder (CLIP-ViT), and on various patch attack variations against it.

Paper Structure

This paper contains 2 sections, 17 equations, 17 figures, 3 tables.

Figures (17)

  • Figure 1: Model decision boundaries for clean and adversarial data in general (left) and for additive attacks (right).
  • Figure 2: Pipeline for training patches to attack images in the CLIP model. A patch with trainable parameters is overlaid on the original image $x_i$, and then embeddings $e_i$ are calculated for the attacked images.
  • Figure 3: A diagram of the occurrences of the target class in the model response. For patches showing a photograph of a real pie, both metrics turned out to be equal to 0.
  • Figure 4: Perplexity for selected attacked images.
  • Figure 5: Attack success as a function of the proportion of attacked video frames, for the Dzen dataset (top) and for the TikTok dataset (bottom). ASR1&2 and ASR1&4 denote the fraction of videos in the given dataset for which CLIP Score 1 exceeds CLIP Score 2 or CLIP Score 4, respectively.