Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Complementary Text-Guided Attention for Zero-Shot Adversarial Robustness

Lu Yu, Haiyang Zhang, Changsheng Xu

Abstract

Due to the impressive zero-shot capabilities, pre-trained vision-language models (e.g., CLIP), have attracted widespread attention and adoption across various domains. Nonetheless, CLIP has been observed to be susceptible to adversarial examples. Through experimental analysis, we have observed a phenomenon wherein adversarial perturbations induce shifts in text-guided attention. Building upon this observation, we propose a simple yet effective strategy: Text-Guided Attention for Zero-Shot Robustness (TGA-ZSR). This framework incorporates two components: Local Attention Refinement Module and Global Attention Constraint Module. Our goal is to maintain the generalization of the CLIP model and enhance its adversarial robustness. Additionally, the Global Attention Constraint Module acquires text-guided attention from both the target and original models using clean examples. Its objective is to maintain model performance on clean samples while enhancing overall robustness. However, we observe that the method occasionally focuses on irrelevant or spurious features, which can lead to suboptimal performance and undermine its robustness in certain scenarios. To overcome this limitation, we further propose a novel approach called Complementary Text-Guided Attention (Comp-TGA). This method integrates two types of foreground attention: attention guided by the class prompt and reversed attention driven by the non-class prompt. These complementary attention mechanisms allow the model to capture a more comprehensive and accurate representation of the foreground. The experiments validate that TGA-ZSR and Comp-TGA yield 9.58% and 11.95% improvements respectively, in zero-shot robust accuracy over the current state-of-the-art techniques across 16 datasets.

Complementary Text-Guided Attention for Zero-Shot Adversarial Robustness

Abstract

Due to the impressive zero-shot capabilities, pre-trained vision-language models (e.g., CLIP), have attracted widespread attention and adoption across various domains. Nonetheless, CLIP has been observed to be susceptible to adversarial examples. Through experimental analysis, we have observed a phenomenon wherein adversarial perturbations induce shifts in text-guided attention. Building upon this observation, we propose a simple yet effective strategy: Text-Guided Attention for Zero-Shot Robustness (TGA-ZSR). This framework incorporates two components: Local Attention Refinement Module and Global Attention Constraint Module. Our goal is to maintain the generalization of the CLIP model and enhance its adversarial robustness. Additionally, the Global Attention Constraint Module acquires text-guided attention from both the target and original models using clean examples. Its objective is to maintain model performance on clean samples while enhancing overall robustness. However, we observe that the method occasionally focuses on irrelevant or spurious features, which can lead to suboptimal performance and undermine its robustness in certain scenarios. To overcome this limitation, we further propose a novel approach called Complementary Text-Guided Attention (Comp-TGA). This method integrates two types of foreground attention: attention guided by the class prompt and reversed attention driven by the non-class prompt. These complementary attention mechanisms allow the model to capture a more comprehensive and accurate representation of the foreground. The experiments validate that TGA-ZSR and Comp-TGA yield 9.58% and 11.95% improvements respectively, in zero-shot robust accuracy over the current state-of-the-art techniques across 16 datasets.
Paper Structure (29 sections, 25 equations, 9 figures, 20 tables)

This paper contains 29 sections, 25 equations, 9 figures, 20 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Pre-trained Vision-language Models
  4. Adversarial Robustness
  5. Zero-shot Adversarial Robustness for VLMs
  6. Methodology
  7. Preliminaries and Problem Setup
  8. Text-Guided Attention based Interpretation of Adversarial Attacks
  9. Complementary Text-Guided Attention based Interpretation of Adversarial Attacks
  10. Model Training
  11. Experiments
  12. Experimental Setup
  13. Main Results
  14. Experiments on More Attack Types
  15. Comparison with Test-Time Defense
  16. ...and 14 more sections

Figures (9)

  • Figure 1: The four rows depict the original image, its associated attention map, the generated adversarial example, and the attention map of the adversarial example. Labels in black indicate the ground truth, while those in red represent misclassified labels for the adversarial examples.
  • Figure 2: Examples of original text-guided attention for CLIP. These reveal that the attention mechanism occasionally focuses on irrelevant regions.
  • Figure 3: The framework overview of Complementary Text-Guided Attention.
  • Figure 4: Visualization of different attention mechanisms. The complementary text-guided attention fusion generates a significantly more accurate and effective attention representation, addressing the limitations of the original text-guided attention.
  • Figure 5: An overview of our TGA-ZSR framework: We generate adversarial examples and feed them into the target image encoder. To enhance the adversarial robustness of the CLIP model and maintain its generalization, we introduce text-guided attention. This involves refining the framework for adversarial examples through the Local Attention Refinement Module and constraining the model to prevent significant drift via the Global Attention Constraint Module.
  • ...and 4 more figures