Sparse vs Contiguous Adversarial Pixel Perturbations in Multimodal Models: An Empirical Analysis
This work addresses safety concerns for users of multimodal AI systems by evaluating their vulnerability to adversarial attacks, though it is incremental as it applies known attack methods to new models.
The paper tackled the problem of assessing the robustness of multimodal models against adversarial pixel perturbations, finding that unimodal DNNs are more robust than multimodal models, with CNN-based encoders showing a 99% success rate in untargeted attacks by perturbing less than 0.02% of the image area.
Assessing the robustness of multimodal models against adversarial examples is an important aspect for the safety of its users. We craft L0-norm perturbation attacks on the preprocessed input images. We launch them in a black-box setup against four multimodal models and two unimodal DNNs, considering both targeted and untargeted misclassification. Our attacks target less than 0.04% of perturbed image area and integrate different spatial positioning of perturbed pixels: sparse positioning and pixels arranged in different contiguous shapes (row, column, diagonal, and patch). To the best of our knowledge, we are the first to assess the robustness of three state-of-the-art multimodal models (ALIGN, AltCLIP, GroupViT) against different sparse and contiguous pixel distribution perturbations. The obtained results indicate that unimodal DNNs are more robust than multimodal models. Furthermore, models using CNN-based Image Encoder are more vulnerable than models with ViT - for untargeted attacks, we obtain a 99% success rate by perturbing less than 0.02% of the image area.