Table of Contents
Fetching ...

Transferable Adversarial Attacks on Black-Box Vision-Language Models

Kai Hu, Weichen Yu, Li Zhang, Alexander Robey, Andy Zou, Chengming Xu, Haoqi Hu, Matt Fredrikson

TL;DR

The paper addresses the vulnerability of Vision-Language Large Models (VLLMs) to transferable adversarial attacks from open-source surrogates to proprietary black-box systems. It proposes a transfer-based framework that optimizes perturbations across an ensemble of CLIP-based and other surrogates, enhanced by a Visual Contrastive Loss and data augmentations to produce targeted, transferable perturbations. The authors demonstrate high targeted attack success rates on GPT-4o, Claude, and Gemini across object recognition, image captioning, and visual question answering, while also showing universal perturbations that generalize across images. The work highlights a pressing safety concern for multimodal AI deployments and motivates the development of robust defenses and alignment techniques to mitigate such vulnerabilities in real-world systems.

Abstract

Vision Large Language Models (VLLMs) are increasingly deployed to offer advanced capabilities on inputs comprising both text and images. While prior research has shown that adversarial attacks can transfer from open-source to proprietary black-box models in text-only and vision-only contexts, the extent and effectiveness of such vulnerabilities remain underexplored for VLLMs. We present a comprehensive analysis demonstrating that targeted adversarial examples are highly transferable to widely-used proprietary VLLMs such as GPT-4o, Claude, and Gemini. We show that attackers can craft perturbations to induce specific attacker-chosen interpretations of visual information, such as misinterpreting hazardous content as safe, overlooking sensitive or restricted material, or generating detailed incorrect responses aligned with the attacker's intent. Furthermore, we discover that universal perturbations -- modifications applicable to a wide set of images -- can consistently induce these misinterpretations across multiple proprietary VLLMs. Our experimental results on object recognition, visual question answering, and image captioning show that this vulnerability is common across current state-of-the-art models, and underscore an urgent need for robust mitigations to ensure the safe and secure deployment of VLLMs.

Transferable Adversarial Attacks on Black-Box Vision-Language Models

TL;DR

The paper addresses the vulnerability of Vision-Language Large Models (VLLMs) to transferable adversarial attacks from open-source surrogates to proprietary black-box systems. It proposes a transfer-based framework that optimizes perturbations across an ensemble of CLIP-based and other surrogates, enhanced by a Visual Contrastive Loss and data augmentations to produce targeted, transferable perturbations. The authors demonstrate high targeted attack success rates on GPT-4o, Claude, and Gemini across object recognition, image captioning, and visual question answering, while also showing universal perturbations that generalize across images. The work highlights a pressing safety concern for multimodal AI deployments and motivates the development of robust defenses and alignment techniques to mitigate such vulnerabilities in real-world systems.

Abstract

Vision Large Language Models (VLLMs) are increasingly deployed to offer advanced capabilities on inputs comprising both text and images. While prior research has shown that adversarial attacks can transfer from open-source to proprietary black-box models in text-only and vision-only contexts, the extent and effectiveness of such vulnerabilities remain underexplored for VLLMs. We present a comprehensive analysis demonstrating that targeted adversarial examples are highly transferable to widely-used proprietary VLLMs such as GPT-4o, Claude, and Gemini. We show that attackers can craft perturbations to induce specific attacker-chosen interpretations of visual information, such as misinterpreting hazardous content as safe, overlooking sensitive or restricted material, or generating detailed incorrect responses aligned with the attacker's intent. Furthermore, we discover that universal perturbations -- modifications applicable to a wide set of images -- can consistently induce these misinterpretations across multiple proprietary VLLMs. Our experimental results on object recognition, visual question answering, and image captioning show that this vulnerability is common across current state-of-the-art models, and underscore an urgent need for robust mitigations to ensure the safe and secure deployment of VLLMs.
Paper Structure (28 sections, 9 equations, 13 tables, 1 algorithm)