Table of Contents
Fetching ...

On the Adversarial Robustness of Large Vision-Language Models under Visual Token Compression

Xinwei Zhang, Hangcheng Liu, Li Bai, Hao Wang, Qingqing Ye, Tianwei Zhang, Haibo Hu

TL;DR

The paper tackles adversarial robustness of LVLMs under visual token compression, uncovering an optimization-inference mismatch where attacks optimize over full token space while inference uses a compressed subset. It introduces CAGE, a compression-aligned attack combining Expected Feature Disruption and Rank Distortion Alignment to target survivor tokens without knowing the deployed budget. Across multiple compression methods and datasets, CAGE consistently outperforms encoder-based baselines, revealing more severe robustness degradation under realistic compression. The work highlights the need for compression-aware robustness evaluation and offers partial defenses, emphasizing the practical impact for efficient, secure LVLM deployments.

Abstract

Visual token compression is widely used to accelerate large vision-language models (LVLMs) by pruning or merging visual tokens, yet its adversarial robustness remains unexplored. We show that existing encoder-based attacks can substantially overestimate the robustness of compressed LVLMs, due to an optimization-inference mismatch: perturbations are optimized on the full-token representation, while inference is performed through a token-compression bottleneck. To address this gap, we propose the Compression-AliGnEd attack (CAGE), which aligns perturbation optimization with compression inference without assuming access to the deployed compression mechanism or its token budget. CAGE combines (i) expected feature disruption, which concentrates distortion on tokens likely to survive across plausible budgets, and (ii) rank distortion alignment, which actively aligns token distortions with rank scores to promote the retention of highly distorted evidence. Across diverse representative plug-and-play compression mechanisms and datasets, our results show that CAGE consistently achieves lower robust accuracy than the baseline. This work highlights that robustness assessments ignoring compression can be overly optimistic, calling for compression-aware security evaluation and defenses for efficient LVLMs.

On the Adversarial Robustness of Large Vision-Language Models under Visual Token Compression

TL;DR

The paper tackles adversarial robustness of LVLMs under visual token compression, uncovering an optimization-inference mismatch where attacks optimize over full token space while inference uses a compressed subset. It introduces CAGE, a compression-aligned attack combining Expected Feature Disruption and Rank Distortion Alignment to target survivor tokens without knowing the deployed budget. Across multiple compression methods and datasets, CAGE consistently outperforms encoder-based baselines, revealing more severe robustness degradation under realistic compression. The work highlights the need for compression-aware robustness evaluation and offers partial defenses, emphasizing the practical impact for efficient, secure LVLM deployments.

Abstract

Visual token compression is widely used to accelerate large vision-language models (LVLMs) by pruning or merging visual tokens, yet its adversarial robustness remains unexplored. We show that existing encoder-based attacks can substantially overestimate the robustness of compressed LVLMs, due to an optimization-inference mismatch: perturbations are optimized on the full-token representation, while inference is performed through a token-compression bottleneck. To address this gap, we propose the Compression-AliGnEd attack (CAGE), which aligns perturbation optimization with compression inference without assuming access to the deployed compression mechanism or its token budget. CAGE combines (i) expected feature disruption, which concentrates distortion on tokens likely to survive across plausible budgets, and (ii) rank distortion alignment, which actively aligns token distortions with rank scores to promote the retention of highly distorted evidence. Across diverse representative plug-and-play compression mechanisms and datasets, our results show that CAGE consistently achieves lower robust accuracy than the baseline. This work highlights that robustness assessments ignoring compression can be overly optimistic, calling for compression-aware security evaluation and defenses for efficient LVLMs.
Paper Structure (32 sections, 15 equations, 5 figures, 12 tables, 1 algorithm)

This paper contains 32 sections, 15 equations, 5 figures, 12 tables, 1 algorithm.

Figures (5)

  • Figure 1: Comparison between the existing attack and our attack. Darker red indicates tokens with stronger adversarial perturbation. While the existing attack (A) perturbs all visual tokens (all tokens are red), CAGE (B) concentrates the distortion on the surviving tokens (only survivors are red).
  • Figure 2: Average token-level feature gap under VEAttack over 100 samples. We rank vision tokens by adversarial(ADV) attention and plot the average feature gap ($1-\text{cosine}$) over the top-$K$ tokens. The curve shows that the gap is large on a small number of high-attention tokens and gradually decreases as lower-ranked tokens are included.
  • Figure 3: Overview of CAGE.
  • Figure 4: Conditional robust accuracy ($\mathrm{CRA}$) vs. deployment token budget. We report $\mathrm{CRA}$ under the baseline attack and CAGE across three datasets. While $\mathrm{CRA}$ under baseline attack generally increases as the token budget shrinks, CAGE exhibits non-monotonic behavior, indicating that conditional robustness does not vary monotonically with compression.
  • Figure 5: Attention-based adversarial detection via the top-k CLS-to-token attention mass.