Papers

Topics

Authors

Recent

View all

Assistant

AI Research Assistant

Well-researched responses based on relevant abstracts and paper content.

Custom Instructions Pro

Preferences or requirements that you'd like Emergent Mind to consider when generating responses.

Gemini 2.5 Flash

Gemini 2.5 Flash 76 tok/s

Gemini 2.5 Pro 58 tok/s Pro

GPT-5 Medium 26 tok/s Pro

GPT-5 High 25 tok/s Pro

GPT-4o 81 tok/s Pro

Kimi K2 206 tok/s Pro

GPT OSS 120B 465 tok/s Pro

Claude Sonnet 4 35 tok/s Pro

2000 character limit reached

Permuted Targeted Adversarial Attacks

Updated 23 September 2025

Permuted targeted adversarial attacks are a type of manipulation that reassigns output predictions by systematically permuting target assignments in multi-modal systems.
They utilize projected gradient descent to create imperceptible perturbations that maximize the likelihood of permuted outputs under strict norm constraints.
This approach exposes vulnerabilities in spatial and relational reasoning, emphasizing the need for robust defense strategies in structured prediction tasks.

Permuted targeted adversarial attacks constitute a class of adversarial manipulations in which an adversary deliberately reassigns output predictions or localized assignments among multiple targets within a single instance or batch. The most salient instantiation of this attack paradigm occurs in spatial localization models, such as visual grounding in multi-modal LLMs (MLLMs): rather than simply maximizing error rates or driving all outputs to a common target, the adversary permutes the association between input referents (e.g., objects, prompts) and their corresponding outputs (e.g., bounding boxes), typically orchestrating a one-to-one mapping reshuffle among objects. These attacks highlight latent vulnerabilities in the ability of modern neural architectures to maintain consistent variable binding and spatial understanding under imperceptible perturbations.

1. Definition and Core Principles

Permuted targeted adversarial attacks are designed to reorder the mapping between a set of $N$ input targets $t_i$ and their corresponding system outputs (e.g., bounding boxes $b_i$ in visual grounding). Formally, for each $i \in [N]$ , the attacker crafts a perturbation so that the model predicts $b_{\pi(i)}$ as the output for $t_i$ , where $\pi$ is a permutation of $[N]$ not equal to the identity. In practice, one common permutation is the cyclic shift, $b_{(i+1) \mod N}$ . Unlike exclusive targeted attacks, which drive all predictions toward a single fixed target, or untargeted attacks, which simply induce random errors or misclassifications, permuted targeted attacks systematically swap or shift outputs to alternate valid targets, maximizing confusion while preserving class balance.

This attack paradigm has primarily been formalized in the domain of visual grounding for MLLMs, where the objective is to relocate each referring expression's predicted bounding box to coincide with the ground-truth bounding box of a different object in the same image (Gao et al., 16 May 2024). The underlying principle generalizes to other architectures and modalities wherever structured output assignments exist.

2. Methodology and Optimization Objectives

To realize permuted targeted attacks, the adversary formulates an optimization problem which, for each object/prompt $t_i$ , maximizes the model's predicted probability for its permuted target $b_{\pi(i)}$ :

$\max_{x̂} \sum_{i=1}^N \log p_g(b_{\pi(i)} | b_{\pi(i)}^{<M}, x̂, t_i)$

$\text{subject to} \;\; ||x̂ - x||_\infty \leq \epsilon$

where $x̂$ is the adversarially perturbed image (bounded in $\ell_\infty$ norm), $t_i$ the prompt/referring expression, and $p_g$ the model's output probability for the generated bounding box sequence (Gao et al., 16 May 2024). Optimization is typically performed using projected gradient descent (PGD), with constraints that ensure the perturbation is imperceptible to humans.

The attacker iteratively adjusts the input image over $T$ steps, updating in the direction of increased log-likelihood for each permuted bounding box assignment, and projects the perturbed input back onto the allowable $\epsilon$ -ball at each iteration. In evaluation, success is measured by the fraction of permuted outputs that match their (new) permuted targets under a metric such as [email protected].

3. Experimental Characterization and Evaluation

The definitive paper of permuted targeted adversarial attacks for visual grounding in MLLMs was conducted on the MiniGPT-v2 7B model, evaluated on standardized referring expression comprehension datasets (RefCOCO, RefCOCO+, RefCOCOg) (Gao et al., 16 May 2024). For the attack:

PGD with $T=100$ iterations and step size $\alpha=1$ .
Perturbation constraint: $\epsilon=16$ in $\ell_\infty$ .
For each image, the ground-truth bounding boxes for $N$ objects were permuted using a cyclic shift.
The attack was considered successful if, after adversarial perturbation, the model predicted $b_{(i+1)\mod N}$ in response to prompt $t_i$ for all $i$ .

Experimental results revealed that, even though permuted attacks are harder than exclusive targeted attacks (all outputs forced to a single bounding box), they can still substantially reconfigure the model’s output assignment. For instance, the adversarially-induced [email protected] for the permuted assignments improved from a baseline of approximately 8.89% with no attack to 30.14% when the attack was applied. This indicates effective “permutation” of predictions, though with slightly reduced efficiency compared to collapsing all outputs to a common target.

4. Implications and Broader Impact

Permuted targeted adversarial attacks expose a critical vulnerability in high-level spatial and relational reasoning in multi-output neural systems. Because the adversary’s permutation can be systematically designed, these attacks create large, structured confusions not easily addressed by random error mitigation or spatial smoothing. Their existence demonstrates that MLLMs and related architectures can be misled into making consistent, yet systematically wrong, structured output assignments even under tiny, imperceptible input manipulations.

This has far-reaching implications for safety-critical AI systems (e.g., robotics, autonomous driving, assistive vision), especially when spatial configuration, object identification, or variable binding are essential. The results highlight the necessity for adversarial defense strategies and robustness metrics tailored not just to traditional targeted or untargeted errors, but also to structured output permutations.

5. Defensive Strategies and Robustness Evaluation

Given the specialized nature of permuted attacks, defense mechanisms must directly address the risk of systematic spatial or assignment shuffling. Potential defense approaches include:

Robust feature extraction pipelines that maintain consistency against minor spatial and content perturbations.
Cross-modal validation and consistency checks that ensure the decoded output assignments align with cross-referenced signals (e.g., linguistic, contextual, geometric) even under perturbation.
Adversarial training regimes that include permutation-based variants, possibly by augmenting the training process with input patterns designed to induce output reassignment.
Statistical monitoring of output assignment distributions to detect abnormal shuffling patterns indicative of adversarial influence.

The paper (Gao et al., 16 May 2024) specifically recommends focus on enhancing embedding robustness, adversarial training with spatial variants, and developing module-level consistency checks.

While the concept was formalized for visual grounding in MLLMs, permuted targeted adversarial attack methodology readily generalizes to other models and tasks featuring multi-entity output assignment (e.g., multi-object tracking, set-based prediction, structured sequence tagging). Permutation-based attack principles could also be incorporated into regression settings, continual learning (as in “targeted forgetting” by permutation of label or memory assignments (Umer et al., 2020)), and sequence-model tasks in both vision and language domains.

Additionally, permutations need not be restricted to simple cyclic shifts: more complex shuffling, block-wise assignment swaps, or adversarially optimized permutations maximizing downstream confusion or task-specific costs may be constructed for broader adversarial evaluation.

7. Future Directions

Future research will likely focus on:

Developing automated tools for constructing optimal permutation patterns that maximize adversarial efficacy under specific architecture and task constraints.
Extending empirical evaluations of permuted targeted attacks to other modalities and systems beyond visual grounding, including symbolic reasoning, multimodal retrieval, and structured generation tasks.
Advancing quantitative robustness metrics that specifically measure sensitivity to assignment permutation rather than classification error alone.
Designing defense mechanisms that are permutation-invariant or detect unlikely output assignment patterns, potentially leveraging relational or logical consistency as a verification handle.

These trends will be critical for understanding and mitigating vulnerabilities in next-generation AI systems with complex, multi-part structured outputs.

PDF Markdown Chat (Pro)

References (2)

Adversarial Robustness for Visual Grounding of Multimodal Large Language Models (2024)

Targeted Forgetting and False Memory Formation in Continual Learners through Adversarial Backdoor Attacks (2020)

Follow Topic

Get notified by email when new papers are published related to Permuted Targeted Adversarial Attacks.