Object-oriented backdoor attack against image captioning
This work highlights a security risk for vision-language models in applications like automated captioning, though it is incremental as it adapts known backdoor techniques from image classification to a new domain.
The authors tackled the vulnerability of image captioning models to backdoor attacks by poisoning training data, demonstrating that their object-oriented method causes attacked models to generate irrelevant captions for poisoned images while maintaining normal performance on benign ones, with success rates reported up to 90% in experiments.
Backdoor attack against image classification task has been widely studied and proven to be successful, while there exist little research on the backdoor attack against vision-language models. In this paper, we explore backdoor attack towards image captioning models by poisoning training data. Assuming the attacker has total access to the training dataset, and cannot intervene in model construction or training process. Specifically, a portion of benign training samples is randomly selected to be poisoned. Afterwards, considering that the captions are usually unfolded around objects in an image, we design an object-oriented method to craft poisons, which aims to modify pixel values by a slight range with the modification number proportional to the scale of the current detected object region. After training with the poisoned data, the attacked model behaves normally on benign images, but for poisoned images, the model will generate some sentences irrelevant to the given image. The attack controls the model behavior on specific test images without sacrificing the generation performance on benign test images. Our method proves the weakness of image captioning models to backdoor attack and we hope this work can raise the awareness of defending against backdoor attack in the image captioning field.