
VQAttack: Transferable Adversarial Attacks on Visual Question Answering via Pre-trained Models (2402.11083v1)

Published 16 Feb 2024 in cs.CV

Abstract: Visual Question Answering (VQA) is a fundamental task in the computer vision and natural language processing fields. Although the "pre-training & fine-tuning" learning paradigm significantly improves VQA performance, the adversarial robustness of such a learning paradigm has not been explored. In this paper, we delve into a new problem: using a pre-trained multimodal source model to create adversarial image-text pairs and then transferring them to attack the target VQA models. Correspondingly, we propose a novel VQAttack model, which can iteratively generate both image and text perturbations with the designed modules: the LLM-enhanced image attack and the cross-modal joint attack module. At each iteration, the LLM-enhanced image attack module first optimizes the latent representation-based loss to generate feature-level image perturbations. Then it incorporates an LLM to further enhance the image perturbations by optimizing the designed masked answer anti-recovery loss. The cross-modal joint attack module will be triggered at a specific iteration, which updates the image and text perturbations sequentially. Notably, the text perturbation updates are based on both the learned gradients in the word embedding space and word synonym-based substitution. Experimental results on two VQA datasets with five validated models demonstrate the effectiveness of the proposed VQAttack in the transferable attack setting, compared with state-of-the-art baselines. This work reveals a significant blind spot in the "pre-training & fine-tuning" paradigm on VQA tasks. Source codes will be released.

Authors (8)
  1. Ziyi Yin (28 papers)
  2. Muchao Ye (11 papers)
  3. Tianrong Zhang (5 papers)
  4. Jiaqi Wang (218 papers)
  5. Han Liu (340 papers)
  6. Jinghui Chen (50 papers)
  7. Ting Wang (213 papers)
  8. Fenglong Ma (66 papers)