Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
38 tokens/sec
GPT-4o
59 tokens/sec
Gemini 2.5 Pro Pro
41 tokens/sec
o3 Pro
7 tokens/sec
GPT-4.1 Pro
50 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

One Prompt Word is Enough to Boost Adversarial Robustness for Pre-trained Vision-Language Models (2403.01849v1)

Published 4 Mar 2024 in cs.CV, cs.AI, and cs.LG

Abstract: Large pre-trained Vision-LLMs (VLMs) like CLIP, despite having remarkable generalization ability, are highly vulnerable to adversarial examples. This work studies the adversarial robustness of VLMs from the novel perspective of the text prompt instead of the extensively studied model weights (frozen in this work). We first show that the effectiveness of both adversarial attack and defense are sensitive to the used text prompt. Inspired by this, we propose a method to improve resilience to adversarial attacks by learning a robust text prompt for VLMs. The proposed method, named Adversarial Prompt Tuning (APT), is effective while being both computationally and data efficient. Extensive experiments are conducted across 15 datasets and 4 data sparsity schemes (from 1-shot to full training data settings) to show APT's superiority over hand-engineered prompts and other state-of-the-art adaption methods. APT demonstrated excellent abilities in terms of the in-distribution performance and the generalization under input distribution shift and across datasets. Surprisingly, by simply adding one learned word to the prompts, APT can significantly boost the accuracy and robustness (epsilon=4/255) over the hand-engineered prompts by +13% and +8.5% on average respectively. The improvement further increases, in our most effective setting, to +26.4% for accuracy and +16.7% for robustness. Code is available at https://github.com/TreeLLi/APT.

PDF HTML Abstract
Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize File Document Download Save Streamline Icon: https://streamlinehq.com PDF File Document Download Save Streamline Icon: https://streamlinehq.com Markdown Bookmark Chat Bubble Oval Streamline Icon: https://streamlinehq.com Chat (Pro)
Definition Search Book Streamline Icon: https://streamlinehq.com
References (73)
  1. Understanding and Improving Fast Adversarial Training. In Advances in Neural Information Processing Systems, page 12, 2020.
  2. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples. In Proceedings of the 35th International Conference on Machine Learning, pages 274–283. PMLR, 2018. ISSN: 2640-3498.
  3. Exploring Visual Prompts for Adapting Large-Scale Models, 2022. arXiv:2203.17274 [cs].
  4. ObjectNet: A large-scale bias-controlled dataset for pushing the limits of object recognition models. In Advances in Neural Information Processing Systems. Curran Associates, Inc., 2019.
  5. On the Opportunities and Risks of Foundation Models, 2022. arXiv:2108.07258 [cs].
  6. Food-101–mining discriminative components with random forests. In Computer Vision–ECCV 2014: 13th European Conference, Zurich, Switzerland, September 6-12, 2014, Proceedings, Part VI 13, pages 446–461. Springer, 2014.
  7. a-la-carte prompt tuning (apt): Combining distinct data via composable prompting. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 14984–14993, 2023.
  8. Towards Evaluating the Robustness of Neural Networks. In 2017 IEEE Symposium on Security and Privacy (SP), pages 39–57, 2017. ISSN: 2375-1207.
  9. Visual Prompting for Adversarial Robustness. In ICASSP 2023 - 2023 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), pages 1–5, 2023.
  10. Adversarial Robustness: From Self-Supervised Pre-Training to Fine-Tuning. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 699–708, 2020.
  11. Describing textures in the wild. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 3606–3613, 2014.
  12. Reliable Evaluation of Adversarial Robustness with an Ensemble of Diverse Parameter-free Attacks. In Proceedings of the 37th International Conference on Machine Learning, page 11, 2020.
  13. RobustBench: a standardized adversarial robustness benchmark. In Thirty-fifth Conference on Neural Information Processing Systems Datasets and Benchmarks Track (Round 2), 2021.
  14. Imagenet: A large-scale hierarchical image database. In 2009 IEEE conference on computer vision and pattern recognition, pages 248–255. Ieee, 2009.
  15. Parameter-efficient fine-tuning of large-scale pre-trained language models. Nature Machine Intelligence, 5(3):220–235, 2023. Number: 3 Publisher: Nature Publishing Group.
  16. An image is worth 16x16 words: Transformers for image recognition at scale. arXiv preprint arXiv:2010.11929, 2020.
  17. Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In 2004 conference on computer vision and pattern recognition workshop, pages 178–178. IEEE, 2004.
  18. Large-Scale Adversarial Training for Vision-and-Language Representation Learning. In Advances in Neural Information Processing Systems, pages 6616–6628. Curran Associates, Inc., 2020.
  19. Explaining and Harnessing Adversarial Examples. In International Conference on Learning Representations, 2015.
  20. Deep Residual Learning for Image Recognition. In 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 770–778, Las Vegas, NV, USA, 2016. IEEE.
  21. Eurosat: A novel dataset and deep learning benchmark for land use and land cover classification. IEEE Journal of Selected Topics in Applied Earth Observations and Remote Sensing, 12(7):2217–2226, 2019.
  22. Using Pre-Training Can Improve Model Robustness and Uncertainty. In Proceedings of the 36th International Conference on Machine Learning, pages 2712–2721. PMLR, 2019. ISSN: 2640-3498.
  23. The Many Faces of Robustness: A Critical Analysis of Out-of-Distribution Generalization. In International Conference on Computer Vision, page 10, 2021.
  24. Parameter-efficient transfer learning for nlp. In International Conference on Machine Learning, pages 2790–2799. PMLR, 2019.
  25. Improving Adversarial Robustness of Masked Autoencoders via Test-time Frequency-domain Prompting. In Proceedings of the IEEE/CVF International Conference on Computer Vision, pages 1600–1610, 2023.
  26. Adversarial Attacks on Foundational Vision Models, 2023. arXiv:2308.14597 [cs].
  27. Scaling Up Visual and Vision-Language Representation Learning With Noisy Text Supervision. In Proceedings of the 38th International Conference on Machine Learning, pages 4904–4916. PMLR, 2021. ISSN: 2640-3498.
  28. Robust Pre-Training by Adversarial Contrastive Learning. In Advances in Neural Information Processing Systems, pages 16199–16210. Curran Associates, Inc., 2020.
  29. Make Some Noise: Reliable and Efficient Single-Step Adversarial Training. In Advances in Neural Information Processing Systems, 2022.
  30. Adversarial Self-Supervised Contrastive Learning. In Advances in Neural Information Processing Systems, pages 2983–2994. Curran Associates, Inc., 2020.
  31. 3d object representations for fine-grained categorization. In Proceedings of the IEEE international conference on computer vision workshops, pages 554–561, 2013.
  32. Fine-Tuning can Distort Pretrained Features and Underperform Out-of-Distribution. 2022.
  33. BLIP: Bootstrapping Language-Image Pre-training for Unified Vision-Language Understanding and Generation. In Proceedings of the 39th International Conference on Machine Learning, pages 12888–12900. PMLR, 2022. ISSN: 2640-3498.
  34. Understanding and combating robust overfitting via input loss landscape analysis and regularization. Pattern Recognition, 136:109229, 2023a.
  35. Data augmentation alone can improve adversarial training. In The Eleventh International Conference on Learning Representations, 2023b.
  36. Oodrobustbench: benchmarking and analyzing adversarial robustness under distribution shift. arXiv preprint arXiv:2310.12793, 2023.
  37. Being comes from not-being: Open-vocabulary text-to-motion generation with wordless training. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 23222–23231, 2023.
  38. Exploring versatile generative language model via parameter-efficient transfer learning. arXiv preprint arXiv:2004.03829, 2020.
  39. Pre-train, Prompt, and Predict: A Systematic Survey of Prompting Methods in Natural Language Processing, 2021. arXiv:2107.13586 [cs].
  40. Prompt generation networks for efficient adaptation of frozen vision transformers. arXiv preprint arXiv:2210.06466, 2022.
  41. Rethinking the Effect of Data Augmentation in Adversarial Contrastive Learning. In The Eleventh International Conference on Learning Representations, 2023.
  42. Understanding and mitigating overfitting in prompt tuning for vision-language models. IEEE Transactions on Circuits and Systems for Video Technology, 2023.
  43. Towards Deep Learning Models Resistant to Adversarial Attacks. In International Conference on Learning Representations, 2018.
  44. Fine-grained visual classification of aircraft. arXiv preprint arXiv:1306.5151, 2013.
  45. Understanding Zero-shot Adversarial Robustness for Large-Scale Models. In The Eleventh International Conference on Learning Representations, 2023.
  46. Automated flower classification over a large number of classes. In 2008 Sixth Indian conference on computer vision, graphics & image processing, pages 722–729. IEEE, 2008.
  47. Lanit: Language-driven image-to-image translation for unlabeled data. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 23401–23411, 2023.
  48. Cats and dogs. In 2012 IEEE conference on computer vision and pattern recognition, pages 3498–3505. IEEE, 2012.
  49. Sgva-clip: Semantic-guided visual adapting of vision-language models for few-shot image classification. IEEE Transactions on Multimedia, 2023.
  50. Large ai models in health informatics: Applications, challenges, and the future. IEEE Journal of Biomedical and Health Informatics, 2023.
  51. Learning Transferable Visual Models From Natural Language Supervision. In Proceedings of the 38th International Conference on Machine Learning, pages 8748–8763. PMLR, 2021. ISSN: 2640-3498.
  52. Do ImageNet Classifiers Generalize to ImageNet? In Proceedings of the 36th International Conference on Machine Learning, page 12, 2019.
  53. Overfitting in adversarially robust deep learning. In Proceedings of the 37th International Conference on Machine Learning, page 12, 2020.
  54. On the Adversarial Robustness of Multi-Modal Foundation Models, 2023. arXiv:2308.10741 [cs].
  55. Adversarial Training for Free! In Advances in Neural Information Processing Systems, 2019.
  56. Ucf101: A dataset of 101 human actions classes from videos in the wild. arXiv preprint arXiv:1212.0402, 2012.
  57. Intriguing properties of neural networks. In International Conference on Learning Representations, 2014.
  58. Convolutional neural networks for medical image analysis: Full training or fine tuning? IEEE Transactions on Medical Imaging, 35(5):1299–1312, 2016.
  59. Galip: Generative adversarial clips for text-to-image synthesis. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 14214–14223, 2023.
  60. Robustness May Be at Odds with Accuracy. In International Conference on Learning Representations, 2019.
  61. Better Diffusion Models Further Improve Adversarial Training, 2023. arXiv:2302.04638 [cs].
  62. Fast is better than free: Revisiting adversarial training. In International Conference on Learning Representations, 2020.
  63. Adversarial Weight Perturbation Helps Robust Generalization. In Advances in Neural Information Processing Systems, pages 2958–2969, 2020.
  64. Sun database: Large-scale scene recognition from abbey to zoo. In 2010 IEEE computer society conference on computer vision and pattern recognition, pages 3485–3492. IEEE, 2010.
  65. Defending Multimodal Fusion Models Against Single-Source Adversaries. pages 3340–3349, 2021.
  66. How transferable are features in deep neural networks? In Advances in Neural Information Processing Systems, 2014.
  67. Prompting and tuning: A two-stage unsupervised domain adaptive person re-identification method on vision transformer backbone. Tsinghua Science and Technology, 28(4):799–810, 2023.
  68. Theoretically Principled Trade-off between Robustness and Accuracy. In International Conference on Machine Learning, pages 7472–7482. PMLR, 2019. ISSN: 2640-3498.
  69. Neural prompt search. arXiv preprint arXiv:2206.04673, 2022.
  70. On Evaluating Adversarial Robustness of Large Vision-Language Models, 2023. arXiv:2305.16934 [cs].
  71. Conditional Prompt Learning for Vision-Language Models. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 16816–16825, 2022a.
  72. Learning to Prompt for Vision-Language Models. International Journal of Computer Vision, 130(9):2337–2348, 2022b.
  73. Zegclip: Towards adapting clip for zero-shot semantic segmentation. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 11175–11185, 2023.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (4)
  1. Lin Li (329 papers)
  2. Haoyan Guan (7 papers)
  3. Jianing Qiu (24 papers)
  4. Michael Spratling (15 papers)
Citations (9)
View on Semantic Scholar
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets