Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

CaptionFool: Universal Image Captioning Model Attacks

Swapnil Parekh

Abstract

Image captioning models are encoder-decoder architectures trained on large-scale image-text datasets, making them susceptible to adversarial attacks. We present CaptionFool, a novel universal (input-agnostic) adversarial attack against state-of-the-art transformer-based captioning models. By modifying only 7 out of 577 image patches (approximately 1.2% of the image), our attack achieves 94-96% success rate in generating arbitrary target captions, including offensive content. We further demonstrate that CaptionFool can generate "slang" terms specifically designed to evade existing content moderation filters. Our findings expose critical vulnerabilities in deployed vision-language models and underscore the urgent need for robust defenses against such attacks. Warning: This paper contains model outputs which are offensive in nature.

CaptionFool: Universal Image Captioning Model Attacks

Abstract

Image captioning models are encoder-decoder architectures trained on large-scale image-text datasets, making them susceptible to adversarial attacks. We present CaptionFool, a novel universal (input-agnostic) adversarial attack against state-of-the-art transformer-based captioning models. By modifying only 7 out of 577 image patches (approximately 1.2% of the image), our attack achieves 94-96% success rate in generating arbitrary target captions, including offensive content. We further demonstrate that CaptionFool can generate "slang" terms specifically designed to evade existing content moderation filters. Our findings expose critical vulnerabilities in deployed vision-language models and underscore the urgent need for robust defenses against such attacks. Warning: This paper contains model outputs which are offensive in nature.
Paper Structure (26 sections, 2 equations, 5 figures, 4 tables, 1 algorithm)

This paper contains 26 sections, 2 equations, 5 figures, 4 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Image Captioning models
  4. Adversarial Attacks
  5. Adversarial attacks on Image Captioning models
  6. Adversarial attacks to cause racism/offensive perturbations
  7. Racism Filters
  8. Datasets
  9. MS COCO
  10. Flickr
  11. Offensive Datasets
  12. Methodology
  13. Threat Model
  14. Components
  15. Vision Transformers
  16. ...and 11 more sections

Figures (5)

  • Figure 1: UAP attack example
  • Figure 2: UAP algorithm overview
  • Figure 3: Pre-training model architecture and objectives of BLIP (same parameters have the same color)
  • Figure 4: Patch-level attacks with 3, 5, and 7 patches perturbed. Target prompt words shown in bold.
  • Figure 5: Sparse patch attacks with 30k (20%), 40k (27%), and 50k (35%) pixels perturbed. Target prompt words shown in bold.