
Unveiling Typographic Deceptions: Insights of the Typographic Vulnerability in Large Vision-Language Model

Published 29 Feb 2024 in cs.CV | (2402.19150v3)

Abstract: Large Vision-Language Models (LVLMs) rely on vision encoders and LLMs to exhibit remarkable capabilities on various multi-modal tasks in the joint space of vision and language. However, typographic attacks, which disrupt Vision-Language Models (VLMs) such as Contrastive Language-Image Pretraining (CLIP), have also been expected to be a security threat to LVLMs. Firstly, we verify typographic attacks on current well-known commercial and open-source LVLMs and uncover the widespread existence of this threat. Secondly, to better assess this vulnerability, we propose the most comprehensive and largest-scale Typographic Dataset to date. The Typographic Dataset not only considers the evaluation of typographic attacks under various multi-modal tasks but also evaluates the effects of typographic attacks, influenced by texts generated with diverse factors. Based on the evaluation results, we investigate why typographic attacks impact VLMs and LVLMs, leading to three highly insightful discoveries. During the process of further validating the rationality of our discoveries, we can reduce the performance degradation caused by typographic attacks from 42.07% to 13.90%. Code and Dataset are available at https://github.com/ChaduCheng/TypoDeceptions


Summary

  • The paper demonstrates that typographic modifications divert LVLM attention, leading to nearly a 30% reduction in model accuracy.
  • It introduces the TypoD dataset, which evaluates typographic vulnerabilities across key multimodal tasks like object recognition and commonsense reasoning.
  • Enhanced prompt design is shown to mitigate typographic attacks by refocusing model attention on genuine image content.

Unveiling Typographic Vulnerabilities in LVLMs

The paper "Unveiling Typographic Deceptions: Insights of the Typographic Vulnerability in Large Vision-Language Model" (arXiv ID: 2402.19150) examines the susceptibility of Large Vision-Language Models (LVLMs) to typographic attacks. These attacks use typographic modifications within images to mislead models that integrate vision and language processing capabilities. The authors propose a comprehensive dataset to evaluate the extent of this vulnerability, providing insights into why LVLMs are affected by such attacks.

Typographic Attacks on LVLMs

Typographic attacks exploit the integration of LLMs and vision encoders in systems like CLIP and LLaVA, which are foundational to many LVLMs. The research demonstrates that typographic modifications can significantly redirect attention within these models, leading to incorrect inferences.

Figure 1: Typographic attacks on GPT-4V, Google Bard, LLaVA-v1.5, and MiniGPT-4.

The authors tested various LVLMs, including both commercial and open-source systems, confirming the widespread vulnerability to typographic interventions, which can degrade model accuracy by nearly 30%.

The Typographic Dataset

To quantify this threat, the authors introduce the Typographic Dataset (TypoD), devised to test LVLMs across four multi-modal tasks: object recognition, visual attribute detection, enumeration, and commonsense reasoning. TypoD spans various scales and typographic factors such as font size, color, and placement within images, providing an extensive evaluation platform.

Figure 2: Distractibility of LVLMs by typographic attacks in multi-modal tasks.

The dataset measures the extent to which typographic text can divert attention in LVLMs, offering a foundation for understanding and mitigating such vulnerabilities.
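One way to score a robustness run of the kind described above, as an added example (not code from the paper or its repository): the rows are constructed sample results, and the field names and the `followed_text` metric are assumptions made here. It separates answers that repeat the overlaid text from other errors, per task or per typographic factor.

```python
from collections import defaultdict, namedtuple

Row = namedtuple("Row", "task factor truth typo_text clean_answer typo_answer")

# Constructed sample results (not TypoD data): each row is one image/question pair
# answered once on the clean image and once on the image with added text.
ROWS = [
    Row("object recognition", "font size", "dog", "cat", "dog", "cat"),
    Row("object recognition", "color", "car", "bus", "car", "car"),
    Row("object recognition", "position", "cup", "hat", "cup", "Hat"),
    Row("object recognition", "font size", "bird", "fish", "bird", "bird"),
    Row("enumeration", "font size", "3", "5", "3", "5"),
    Row("enumeration", "color", "2", "4", "2", "3"),      # wrong, but not the overlaid text
    Row("enumeration", "position", "4", "6", "5", "6"),   # already wrong on the clean image
    Row("enumeration", "color", "1", "2", "1", " 1 "),
]


def _norm(answer):
    """Compare answers case-insensitively and without surrounding whitespace."""
    return answer.strip().lower()


def summarize(rows, key):
    """Aggregate clean vs. typographic accuracy per group; key is 'task' or 'factor'."""
    groups = defaultdict(list)
    for row in rows:
        groups[getattr(row, key)].append(row)
    report = {}
    for name, members in groups.items():
        n = len(members)
        clean = sum(_norm(r.clean_answer) == _norm(r.truth) for r in members) / n
        typo = sum(_norm(r.typo_answer) == _norm(r.truth) for r in members) / n
        # Share of answers that repeat the text placed in the image: this is the
        # signal of attention diversion, as opposed to an unrelated mistake.
        followed = sum(_norm(r.typo_answer) == _norm(r.typo_text) for r in members) / n
        report[name] = {"n": n, "clean_acc": clean, "typo_acc": typo,
                        "drop": clean - typo, "followed_text": followed}
    return report


if __name__ == "__main__":
    for key in ("task", "factor"):
        for name, stats in summarize(ROWS, key).items():
            print(key, name, stats)
```
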

Discoveries and Observations

The core discoveries from the research concern the impact of typographic text on LVLM attention:

  1. Attention Diversion: Typographic text diverts model attention away from the original visual content, a phenomenon corroborated by Grad-CAM visualizations revealing focal shifts toward the typographic amendments.
  2. Vulnerability Consistency: Models using the same vision architectures, such as CLIP, are similarly susceptible to typographic attacks, regardless of the underlying LLM used.
  3. Impact of Prompt Design: Informative prompts can improve LVLM resilience against typographic attacks by guiding model focus towards genuine image content rather than the misleading text.

Figure 3: The illustration of different typographic factors.

Experiments with LLaVA and InstructBLIP show that typographic effects can be mitigated if the models receive enriched prompts with detailed descriptive content of the target images.

Mitigation Strategies

To counter typographic vulnerabilities, the authors suggest leveraging enhanced prompts in both training and inference stages. By providing richer textual context that compels models to cross-reference visual data beyond primary image-text alignment, LVLMs achieve a substantive reduction in attention diversion due to typographic amendments.

Figure 4: (a) CLIP zero-shot classification results and LLaVA's response of a typographic image. (b) Grad-CAM of CLIP with various image-matching texts.

Conclusion

The study clarifies that typographic attacks constitute a formidable challenge to LVLMs, with substantial threats demonstrated across leading models. By introducing TypoD and highlighting effective countermeasures involving prompt enhancement and attention-redirection techniques, this research directs future focus towards reinforcing LVLM robustness against such perceptual adversarial attacks. Practical deployment of these models should integrate these insights to mitigate potential real-world exploitation.
