On the Adversarial Robustness of Large Vision-Language Models under Visual Token Compression
This work addresses security vulnerabilities in efficient large vision-language models, highlighting the need for compression-aware evaluation and defenses, though it is incremental as it builds on existing attack methods.
The paper tackles the problem of adversarial robustness in large vision-language models under visual token compression, showing that existing attacks overestimate robustness due to an optimization-inference mismatch, and proposes CAGE, which reduces robust accuracy by aligning perturbations with compression inference across diverse mechanisms and datasets.
Visual token compression is widely used to accelerate large vision-language models (LVLMs) by pruning or merging visual tokens, yet its adversarial robustness remains unexplored. We show that existing encoder-based attacks can substantially overestimate the robustness of compressed LVLMs, due to an optimization-inference mismatch: perturbations are optimized on the full-token representation, while inference is performed through a token-compression bottleneck. To address this gap, we propose the Compression-AliGnEd attack (CAGE), which aligns perturbation optimization with compression inference without assuming access to the deployed compression mechanism or its token budget. CAGE combines (i) expected feature disruption, which concentrates distortion on tokens likely to survive across plausible budgets, and (ii) rank distortion alignment, which actively aligns token distortions with rank scores to promote the retention of highly distorted evidence. Across diverse representative plug-and-play compression mechanisms and datasets, our results show that CAGE consistently achieves lower robust accuracy than the baseline. This work highlights that robustness assessments ignoring compression can be overly optimistic, calling for compression-aware security evaluation and defenses for efficient LVLMs.
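The optimization-inference mismatch in the abstract is a measurement question as much as an attack question: if a robustness evaluation scores feature disruption on the full token set, it never sees what the compression bottleneck discards. The following toy harness is an added illustration, not the paper's code or CAGE itself. It assumes a hand-written set of token feature vectors, uses the L2 norm as a stand-in rank score, and models compression as keeping the top-k tokens; the function names (`full_token_disruption`, `compressed_disruption`, `expected_disruption`) and the sample values are constructed here. It compares two perturbations with identical full-token distortion, one on tokens the compressor drops and one on tokens it keeps, and shows that only a compression-aware score (distortion after pruning, or distortion weighted by survival probability across several candidate budgets) tells them apart.

```python
"""
Toy compression-aware disruption measurement for visual tokens.

Added illustration, not the paper's code. Simplifications (all assumptions):
the encoder output is a hand-written list of token feature vectors, the rank
score is the token's L2 norm, and the compressor keeps the k highest-scoring
tokens. Real LVLM compressors use other scores and may merge tokens, but the
bookkeeping (score disruption after compression, over several budgets) is the same.
"""
from math import sqrt
from typing import Dict, List, Sequence

Token = List[float]

# Constructed clean visual tokens (6 tokens, 2-d features) with an unambiguous
# rank order. Not taken from any model.
CLEAN: List[Token] = [[6, 8], [0, 8], [6, 0], [2, 2], [1, 1], [1, 0]]

# Two constructed perturbations with identical full-token distortion (+2 on the
# first feature of three tokens). MISMATCHED touches the three lowest-ranked
# tokens; ALIGNED touches the three highest-ranked ones.
MISMATCHED: List[Token] = [[6, 8], [0, 8], [6, 0], [4, 2], [3, 1], [3, 0]]
ALIGNED: List[Token] = [[8, 8], [2, 8], [8, 0], [2, 2], [1, 1], [1, 0]]


def rank_score(tok: Token) -> float:
    """Stand-in importance score: L2 norm (assumption; deployed compressors differ)."""
    return sqrt(sum(x * x for x in tok))


def kept_indices(tokens: Sequence[Token], budget: int) -> List[int]:
    """Indices of the `budget` highest-scoring tokens, i.e. those that survive pruning."""
    order = sorted(range(len(tokens)), key=lambda i: rank_score(tokens[i]), reverse=True)
    return sorted(order[:budget])


def per_token_distortion(clean: Sequence[Token], adv: Sequence[Token]) -> List[float]:
    """Squared L2 distance between clean and perturbed features, per token."""
    return [sum((a - c) ** 2 for a, c in zip(ta, tc)) for ta, tc in zip(adv, clean)]


def full_token_disruption(clean: Sequence[Token], adv: Sequence[Token]) -> float:
    """What an encoder-only evaluation sees: distortion summed over all tokens."""
    return sum(per_token_distortion(clean, adv))


def compressed_disruption(clean: Sequence[Token], adv: Sequence[Token], budget: int) -> float:
    """Distortion that actually reaches the language model: only the tokens the
    compressor keeps. Pruning is decided on the perturbed tokens, as a deployed
    compressor would decide it at inference time."""
    d = per_token_distortion(clean, adv)
    return sum(d[i] for i in kept_indices(adv, budget))


def survival_probability(tokens: Sequence[Token], budgets: Sequence[int]) -> List[float]:
    """Fraction of the candidate budgets under which each token survives pruning."""
    counts = [0] * len(tokens)
    for b in budgets:
        for i in kept_indices(tokens, b):
            counts[i] += 1
    return [c / len(budgets) for c in counts]


def expected_disruption(clean: Sequence[Token], adv: Sequence[Token], budgets: Sequence[int]) -> float:
    """Budget-agnostic compression-aware score: per-token distortion weighted by
    the probability that the token survives across plausible budgets."""
    d = per_token_distortion(clean, adv)
    p = survival_probability(adv, budgets)
    return sum(pi * di for pi, di in zip(p, d))


def report(clean: Sequence[Token], adv: Sequence[Token], budgets: Sequence[int]) -> Dict[str, float]:
    """All three views of the same perturbation, keyed by metric name."""
    out: Dict[str, float] = {"full": full_token_disruption(clean, adv)}
    for b in budgets:
        out[f"k={b}"] = compressed_disruption(clean, adv, b)
    out["expected"] = expected_disruption(clean, adv, budgets)
    return out


if __name__ == "__main__":
    budgets = [2, 3, 4]  # candidate token budgets the evaluator does not know in advance
    for name, adv in (("mismatched", MISMATCHED), ("aligned", ALIGNED)):
        print(name, report(CLEAN, adv, budgets))
```

Both perturbations report a full-token disruption of 12, so an encoder-only evaluation rates them equally. After top-3 pruning the mismatched perturbation contributes 0 and the aligned one still contributes 12, and the survival-weighted score over budgets 2, 3 and 4 separates them as 4/3 versus 32/3. A robustness evaluation of a compressed LVLM should therefore report the post-compression or survival-weighted figure at the budgets actually deployed, since the full-token figure is the optimistic one the abstract warns about.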