Table of Contents
Fetching ...

Less Is More -- Until It Breaks: Security Pitfalls of Vision Token Compression in Large Vision-Language Models

Xiaomei Zhang, Zhaoxi Zhang, Leo Yu Zhang, Yanjun Zhang, Guanhong Tao, Shirui Pan

TL;DR

The paper reveals that visual token compression, while boosting LVLM efficiency, can introduce stealthy robustness vulnerabilities that manifest only under compressed inference. It presents Compression-Aware Attack (CAA) and its black-box extension Transfer CAA (T-CAA), which manipulate token-importance rankings to cause failures when compression is active, while preserving non-compressed performance. Extensive experiments across LVLMs, benchmarks, and compression schemes demonstrate a pronounced efficiency-security trade-off and limited defenses. The work underscores the need for security-conscious compression designs and provides open-source code to foster safer deployment and further research.

Abstract

Visual token compression is widely adopted to improve the inference efficiency of Large Vision-Language Models (LVLMs), enabling their deployment in latency-sensitive and resource-constrained scenarios. However, existing work has mainly focused on efficiency and performance, while the security implications of visual token compression remain largely unexplored. In this work, we first reveal that visual token compression substantially degrades the robustness of LVLMs: models that are robust under uncompressed inference become highly vulnerable once compression is enabled. These vulnerabilities are state-specific; failure modes emerge only in the compressed setting and completely disappear when compression is disabled, making them particularly hidden and difficult to diagnose. By analyzing the key stages of the compression process, we identify instability in token importance ranking as the primary cause of this robustness degradation. Small and imperceptible perturbations can significantly alter token rankings, leading the compression mechanism to mistakenly discard task-critical information and ultimately causing model failure. Motivated by this observation, we propose a Compression-Aware Attack to systematically study and exploit this vulnerability. CAA directly targets the token selection mechanism and induces failures exclusively under compressed inference. We further extend this approach to more realistic black-box settings and introduce Transfer CAA, where neither the target model nor the compression configuration is accessible. We further evaluate potential defenses and find that they provide only limited protection. Extensive experiments across models, datasets, and compression methods show that visual token compression significantly undermines robustness, revealing a previously overlooked efficiency-security trade-off.

Less Is More -- Until It Breaks: Security Pitfalls of Vision Token Compression in Large Vision-Language Models

TL;DR

The paper reveals that visual token compression, while boosting LVLM efficiency, can introduce stealthy robustness vulnerabilities that manifest only under compressed inference. It presents Compression-Aware Attack (CAA) and its black-box extension Transfer CAA (T-CAA), which manipulate token-importance rankings to cause failures when compression is active, while preserving non-compressed performance. Extensive experiments across LVLMs, benchmarks, and compression schemes demonstrate a pronounced efficiency-security trade-off and limited defenses. The work underscores the need for security-conscious compression designs and provides open-source code to foster safer deployment and further research.

Abstract

Visual token compression is widely adopted to improve the inference efficiency of Large Vision-Language Models (LVLMs), enabling their deployment in latency-sensitive and resource-constrained scenarios. However, existing work has mainly focused on efficiency and performance, while the security implications of visual token compression remain largely unexplored. In this work, we first reveal that visual token compression substantially degrades the robustness of LVLMs: models that are robust under uncompressed inference become highly vulnerable once compression is enabled. These vulnerabilities are state-specific; failure modes emerge only in the compressed setting and completely disappear when compression is disabled, making them particularly hidden and difficult to diagnose. By analyzing the key stages of the compression process, we identify instability in token importance ranking as the primary cause of this robustness degradation. Small and imperceptible perturbations can significantly alter token rankings, leading the compression mechanism to mistakenly discard task-critical information and ultimately causing model failure. Motivated by this observation, we propose a Compression-Aware Attack to systematically study and exploit this vulnerability. CAA directly targets the token selection mechanism and induces failures exclusively under compressed inference. We further extend this approach to more realistic black-box settings and introduce Transfer CAA, where neither the target model nor the compression configuration is accessible. We further evaluate potential defenses and find that they provide only limited protection. Extensive experiments across models, datasets, and compression methods show that visual token compression significantly undermines robustness, revealing a previously overlooked efficiency-security trade-off.
Paper Structure (53 sections, 17 equations, 18 figures, 14 tables, 1 algorithm)

This paper contains 53 sections, 17 equations, 18 figures, 14 tables, 1 algorithm.

Figures (18)

  • Figure 1: Compression-induced safety risk in autonomous driving. For clean inputs, both the compressed and uncompressed models attend to critical cues and make safe decisions. Under adversarial input (bottom), the uncompressed model remains correct, whereas compression discards critical visual cues and produces an unsafe “Yes” response, leading to a severe accident.
  • Figure 2: LVLM inference with vision token compression. Multimodal input $(I,T)$ enters the LLM. At compression layer $\mathcal{C}^{(\tilde{l})}$, the module evaluates token importance ($F_s$) and retains tokens based on retention rate $r^{(\tilde{l})}$ to produce the compressed sequence $\tilde{V}^{(\tilde{l})}$, which forms the input for the subsequent layer $V^{(\tilde{l}+1)}$. The bottom row shows the visual token count.
  • Figure 3: Robustness gap under different token retention rates on LLaVA and Qwen-VL. The solid curves (compressed, retention rate $< 1$) consistently lie above the dashed baseline (uncompressed), demonstrating that the introduction of compression incurs additional robustness degradation.
  • Figure 4: Effect of token importance ranking on robustness under compressed inference. The shaded region highlights the significant performance recovery achieved by restoring correct rankings.
  • Figure 5: Ranking stability under random $\ell_\infty$-bounded noise with different budgets. Global stability is measured using Kendall's $\tau$ and Spearman's $\rho$. Local stability is evaluated via Top-100 preservation and Bottom-100 infiltration rate.
  • ...and 13 more figures