Breaking the Illusion: Consensus-Based Generative Mitigation of Adversarial Illusions in Multi-Modal Embeddings

Fatemeh Akbarian, Anahita Baninajjar, Yingyi Zhang, Ananth Balashankar, Amir Aminifar

TL;DR

This work addresses adversarial illusions that disrupt cross-modal alignment in multi-modal embeddings by proposing a post-hoc, task-agnostic defense that reconstructs perturbed inputs via generative priors and aggregates multiple reconstructions through consensus. By projecting inputs back onto the natural data manifold and leveraging stochastic sampling, the method substantially lowers illusion success rates and improves cross-modal alignment for both perturbed and unperturbed inputs, with minimal computational overhead. The approach is model- and task-agnostic and demonstrated to be robust against attackers even when they attempt to optimize through the defense, marking a practical path toward reliable cross-modal understanding in vision-language systems.

Abstract

Multi-modal foundation models align images, text, and other modalities in a shared embedding space but remain vulnerable to adversarial illusions (Zhang et al., 2025), where imperceptible perturbations disrupt cross-modal alignment and mislead downstream tasks. To counteract the effects of adversarial illusions, we propose a task-agnostic mitigation mechanism that reconstructs the input from the attacker's perturbed input through generative models, e.g., Variational Autoencoders (VAEs), to maintain natural alignment. To further enhance our proposed defense mechanism, we adopt a generative sampling strategy combined with a consensus-based aggregation scheme over the outcomes of the generated samples. Our experiments on the state-of-the-art multi-modal encoders show that our approach substantially reduces the illusion attack success rates to near-zero and improves cross-modal alignment by 4% (42 to 46) and 11% (32 to 43) in unperturbed and perturbed input settings respectively, providing an effective and model-agnostic defense against adversarial illusions.
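The two stages named in the abstract, stochastic generative reconstruction followed by consensus aggregation, can be sketched as follows. This is an added example, not the authors' code. The identity encoder, the subspace-projection "VAE" stand-in, the label matrix and the hand-built perturbed vector are all constructed toy assumptions, and majority voting is used as the consensus rule.

```python
import numpy as np
from collections import Counter

def cosine_scores(emb, label_emb):
    """Cosine similarity between one embedding and every row of label_emb."""
    emb = emb / np.linalg.norm(emb)
    labels = label_emb / np.linalg.norm(label_emb, axis=1, keepdims=True)
    return labels @ emb

def consensus_predict(x, reconstruct, encode, label_emb, n_samples=10, seed=0):
    """Majority vote over n_samples stochastic reconstructions of x.

    Returns (winning label index, fraction of samples that voted for it).
    A low agreement fraction is itself a useful signal for flagging inputs.
    """
    rng = np.random.default_rng(seed)
    votes = []
    for _ in range(n_samples):
        x_rec = reconstruct(x, rng)                 # draw one reconstruction
        scores = cosine_scores(encode(x_rec), label_emb)
        votes.append(int(np.argmax(scores)))        # zero-shot decision per sample
    label, count = Counter(votes).most_common(1)[0]
    return label, count / n_samples

def undefended_predict(x, encode, label_emb):
    """Baseline: classify the raw input with no reconstruction."""
    return int(np.argmax(cosine_scores(encode(x), label_emb)))

# ---- Constructed toy setup (assumptions, not the paper's models or data) ----
M, D = 4, 8                                         # "natural" subspace dim, input dim
LABELS = np.hstack([np.eye(M), 3.0 * np.eye(M)])    # row k = e_k + 3*e_{M+k}

def toy_encode(x):
    return x                                        # identity stand-in for the encoder

def toy_reconstruct(x, rng, sigma=0.05):
    """Stand-in for VAE encode/sample/decode: keep the first M coordinates
    (the toy data manifold), add sampling noise, drop everything else."""
    z = x[:M] + sigma * rng.standard_normal(M)
    return np.concatenate([z, np.zeros(D - M)])

CLEAN = np.zeros(D)
CLEAN[0] = 1.0                                      # natural sample of class 0
PERTURBED = CLEAN.copy()
PERTURBED[M + 1] = 0.5                              # constructed off-manifold shift toward label 1

if __name__ == "__main__":
    print("undefended:", undefended_predict(PERTURBED, toy_encode, LABELS))
    print("consensus :", consensus_predict(PERTURBED, toy_reconstruct, toy_encode, LABELS))
```

The default of 10 samples follows the Figure 2 caption on this page, which reports accuracy stabilizing beyond 10 generated samples.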

Paper Structure

This paper contains 13 sections, 4 equations, 6 figures, 2 tables.

Figures (6)

  • Figure 1: Overview of our consensus-based generative sampling mitigation framework. Our mitigation scheme has two main components: a generative sampling and a consensus-based aggregation. The generative sampling mechanism adopts a generative model to reconstruct several variants of the input image. The consensus-based aggregation mechanism aggregates the decisions for the generated samples, e.g., based on majority voting. The red arrows describe the illusion attack, where the adversary attempts to maximize the cosine similarity between the embedding of the perturbed image and the embedding of the target text (i.e., "a man in a prison cell" in this example).
  • Figure 2: Effect of sampling size on reconstruction robustness for and mitigation methods. Dotted lines show baseline without attack/mitigation for Top-1/Top-5 accuracy. Increasing the number of generated samples during the generative sampling stage improves both Top-1 and Top-5 accuracy for original and perturbed images, with performance stabilizing beyond $10$ generated samples.
  • Figure 3: Distribution of cosine similarities between perturbed embeddings and target labels across attack iterations. These results guide the selection of a cosine similarity threshold of $0.8$.
  • Figure 4: Distribution of loop numbers for attacks with and without our mitigation. Incorporating our mitigation increases attack costs. With our mitigation, the attack is unsuccessful for all images after $3000$ rounds.
  • Figure 5: Distribution of cosine similarities between perturbed embeddings and target labels. Attacks with our mitigation yield low cosine values, whereas attacks without it reach the maximum similarity threshold.
  • ...and 1 more figures