GAD-VLP: Geometric Adversarial Detection for Vision-Language Pre-Trained Models

Thank you for taking the time to review our paper and providing valuable feedback. Below, you will find our responses to your questions:

A1:

To the best of our knowledge, this is the first study to evaluate the detectability of adversarial images for VLPs, addressing a notable gap in the existing literature. We believe that demonstrating effective detectability using existing methods in the context of a new problem provides valuable insights to the community. Our rigorous experiments validate this novel finding, which we believe holds equal significance to proposing a new technique.

---

A2:

In Section 4.1, we specifically analyze how geometric values such as LID and k-NN behave differently in unimodal and multimodal settings, using this distinction as a key motivation for applying these metrics to VLPs. In unimodal models, adversarial examples typically alter embeddings in a relatively localized and lower-dimensional space. By contrast, VLPs’ multimodal nature introduces more complex interactions between vision and language embeddings, resulting in adversarial examples that occupy distinct, higher-dimensional subspaces. Our findings, supported by Figure 2, show that VLP embeddings exhibit greater separability between clean and adversarial data when compared to unimodal embeddings. For example, in CLIP, the k-NN distances of adversarial embeddings are more distinctly separated from clean embeddings than those in traditional classifiers, making these geometric metrics particularly effective for VLPs. Similarly, the sensitivity of LID to perturbations is amplified in multimodal spaces due to their inherently higher dimensionality, as discussed in Section 4.1.

---

A3:

The models we selected for evaluation—such as CLIP, ALBEF, and TCL—were chosen because they are frequently studied in the existing literature on adversarial attacks and defenses for VLPs [1-4].

[1] Zhang, Jiaming, Qi Yi, and Jitao Sang. "Towards adversarial attack on vision-language pre-training models." Proceedings of the 30th ACM International Conference on Multimedia. 2022.

[2] Lu, Dong, et al. "Set-level guidance attack: Boosting adversarial transferability of vision-language pre-training models." Proceedings of the IEEE/CVF International Conference on Computer Vision. 2023.

[3] He, Bangyan, et al. "Sa-attack: Improving adversarial transferability of vision-language pre-training models via self-augmentation." arXiv preprint arXiv:2312.04913 (2023).

[4] Han, Dongchen, et al. "Ot-attack: Enhancing adversarial transferability of vision-language models via optimal transport optimization." arXiv preprint arXiv:2312.04403 (2023).

---

A4:

SGA is designed primarily to improve the transferability of adversarial examples between different models, rather than directly increasing the ASR for a given model. Specifically, SGA enhances the ASR when adversarial examples generated for one VLP are transferred to another.

A4:

The attacks proposed after Co-Attack primarily focused on improving transferability. Additionally, both referenced papers utilize PGD-based attacks. As noted in [1]: "Unless specified, during adversarial training, we generate $L_{\infty} = 1/255$ bounded attacks using a 2-step PGD attack with step size $\alpha = 1/255$." Furthermore, Tables 2 and 3 in [2] confirm the use of PGD attacks.

[1] Mao, Chengzhi, et al. "Understanding zero-shot adversarial robustness for large-scale models." arXiv preprint arXiv:2212.07016 (2022).

[2] Schlarmann, Christian, and Matthias Hein. "On the adversarial robustness of multi-modal foundation models." Proceedings of the IEEE/CVF International Conference on Computer Vision. 2023.

---

A5:

We believe the reviewer's concern is related to 3, where the attacker adaptively makes the adversarial embedding close to clean image embedding to evade the binary detector with LID. We have addressed this in point A3.

Thank you for taking the time to review our paper and providing valuable feedback. Below, you will find our responses to your questions:

A1:

To the best of our knowledge, this is the first study to evaluate the detectability of adversarial images for VLPs, addressing a notable gap in the existing literature. We believe that demonstrating effective detectability using existing methods in the context of a new problem provides valuable insights to the community. Our rigorous experiments validate this novel finding, which we believe holds equal significance to proposing a new technique.

---

A2:

The setup for evaluation of the attack success rate is based on the top-1, and top-5 for image-retrieval tasks. We believe this is standard for this task. We appreciate it if the reviewer could make a more specific suggestion regarding alternatives.

---

A3:

Thank you for your helpful suggestion. To address this, we have expanded our experimental setup to include adaptive attacks targeting the LID and $k$-NN detection methods. Specifically, we generate attacks designed to optimize for bypassing the detection metrics (LID and k-NN) as follows:

$L_{adaptive}(Z,Z^{'}) = L_{main}(Z,Z^{'}) + \alpha * S(Z^{'})$

Where $S(Z^{'})$ is the function LID or $k$-NN function that computes the score for adversarial embeddings $Z^{'}$ with reference to the clean embeddings $Z$, we put $\alpha= 0.5$ in our experiments. KNN and LID are both robust when detecting adaptive attacks for CLIP and reasonably effective for ALBEF and TCL. The increase in detection rates against adaptive k-NN attacks can be explained by the dynamics of attack generation. Adaptive attacks targeting the k-NN-based defense incorporate constraints that optimize perturbations around the k-NN structure. The incorporation of the multimodal encoder during attack generation modifies the data distribution, increasing the distinguishability of perturbed samples. This could cause perturbed samples to shift more significantly in the feature space, making them easier to detect. The results are presented in the table below, with additional datasets detailed in subtables a and b of Table 6 in the updated draft (Section A.5 in the Appendix).

Table 1: Effect of k-NN adaptive Attacks in GAD-VLP for Image-Retrieval task with Flickr30k.

Table 2: Effect of LID adaptive Attacks in GAD-VLP for Image-Retrieval task with Flickr30k.

A3:

Thank you for your helpful suggestion. To address this, we have expanded our experimental setup to include adaptive attacks targeting the LID and $k$-NN detection methods. Specifically, we generate attacks designed to optimize for bypassing the detection metrics (LID and k-NN) as follows:

$L_{adaptive}(Z,Z^{'}) = L_{main}(Z,Z^{'}) + \alpha * S(Z^{'})$

Where $S(Z^{'})$ is the function LID or $k$-NN function that computes the score for adversarial embeddings $Z^{'}$ with reference to the clean embeddings $Z$, we put $\alpha= 0.5$ in our experiments. KNN and LID are both robust when detecting adaptive attacks for CLIP and reasonably effective for ALBEF and TCL. The increase in detection rates against adaptive k-NN attacks can be explained by the dynamics of attack generation. Adaptive attacks targeting the k-NN-based defense incorporate constraints that optimize perturbations around the k-NN structure. The incorporation of the multimodal encoder during attack generation modifies the data distribution, increasing the distinguishability of perturbed samples. This could cause perturbed samples to shift more significantly in the feature space, making them easier to detect. The results are presented in the table below, with additional datasets detailed in subtables a and b of Table 6 in the updated draft (Section A.5 in the Appendix).

Table 2: Effect of k-NN adaptive Attacks in GAD-VLP for Image-Retrieval task with Flickr30k.

Table 3: Effect of LID adaptive Attacks in GAD-VLP for Image-Retrieval task with Flickr30k.

---

A4:

In practice, the defender may adjust the threshold to determine adversarial vs. clean-based applications. This is a classical trade-off for adversarial detection. To ensure the best possible adversarial detection, defenders have to set harsh limits on the threshold that will lead to an increase in FPR. The defender could also reduce unnecessary rejection by relaxing the threshold, which could lead to a decrease in TPR. This threshold value can be determined based on application.

We report AUROC as the main metric so that the trade-off does not impact it. AUROC indicates a higher probability that the score for an adversarial example is higher than the clean one. This metric is independent of the threshold set by a defender. It can fairly assess the detection performance regardless of the threshold. As such, we believe focusing on AUROC is more important than selecting a threshold and then reporting optimized TPR/FPR.

The reported FPR95 corresponds to a 95% TPR, and FPR can be reduced by fine-tuning detection thresholds. However, reducing FPR shouldn’t come at the cost of lower adversarial detection rates. In critical fields like healthcare or autonomous systems, prioritizing a high TPR is essential, as the cost of allowing adversarial examples is much higher than rejecting valid inputs.

Thank you for taking the time to review our paper and providing valuable feedback. Below, you will find our responses to your questions:

A1:

The theoretical analysis for LID, KNN, and similar methods [1-4] has demonstrated the detectability of adversarial examples under specific assumptions. In this work, we provide evidence that these assumptions also hold for adversarial examples against VLPs. We believe this contribution is valuable, as it extends and builds upon the existing theoretical framework.

[1] Ma, Xingjun, et al. "Characterizing Adversarial Subspaces Using Local Intrinsic Dimensionality." International Conference on Learning Representations. 2018.

[2] Cohen, Gilad, Guillermo Sapiro, and Raja Giryes. "Detecting adversarial samples using influence functions and nearest neighbors." Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 2020.

[3] Feinman, Reuben, et al. "Detecting adversarial samples from artifacts." arXiv preprint arXiv:1703.00410 (2017).

[4] Lee, Kimin, et al. "A simple unified framework for detecting out-of-distribution samples and adversarial attacks." Advances in neural information processing systems 31 (2018).

---

A2:

Thanks for your point. Please find the time cost on the CLIP model (using the RN50 encoder) for each method with the CIFAR-10 dataset using an NVIDIA H100 GPU in the table below (based on seconds). We believe analyzing each query within a range of 0.33 to 5.46 seconds is efficient and practical. Also,our framework is significantly more efficient compared to re-training or fine-tuning CLIP for robustness. For example, linear-probe CLIP [1] takes approximately 13 minutes, CoOp [2] requires 14 hours and 40 minutes, and CLIP-Adapter [3] takes about 50 minutes on a n a single NVIDIA GeForce RTX 3090 GPU [4] .

Table 1: Computational cost (seconds) for different methods of GAD-VLP framework on CIFAR-10 with CLIPCNN

[1] Radford, Alec, et al. "Learning transferable visual models from natural language supervision." International conference on machine learning. PMLR, 2021.

[2] Zhou, Kaiyang, et al. "Learning to prompt for vision-language models." International Journal of Computer Vision 130.9 (2022): 2337-2348.

[3] Gao, P., Geng, S., Zhang, R., Ma, T., Fang, R., Zhang, Y., Li, H., Qiao, Y.: Clip-adapter: Better vision-language models with feature adapters. arXiv preprint arXiv:2110.04544 (2021).

[4] Zhang, Renrui, et al. "Tip-adapter: Training-free adaption of clip for few-shot classification." European conference on computer vision. Cham: Springer Nature Switzerland, 2022.

A3:

Thank you for your suggestion. We evaluated the attack success rates specifically for image-retrieval tasks across four models and two widely-used datasets. The results, based on IR@1, are provided in the table below. Additional types of attacks and results for both IR@1 and IR@5 can be found in Tables 7 and 8 of the updated draft (Section A.6 in the Appendix).

Table 3: ASR (IR@1) for the Image-Retrieval Task with Flickr30k in aligned VLPs and fused VLPs .

Thank you for taking the time to review our paper and providing valuable feedback. Below, you will find our responses to your questions:

A1:

Thank you for your helpful suggestion. To address this, we have expanded our experimental setup to include adaptive attacks targeting the LID and $k$-NN detection methods. Specifically, we generate attacks designed to optimize for bypassing the detection metrics (LID and k-NN) as follows:

$L_{adaptive}(Z,Z^{'}) = L_{main}(Z,Z^{'}) + \alpha * S(Z^{'})$

Where $S(Z^{'})$ is the function LID or $k$-NN function that computes the score for adversarial embeddings $Z^{'}$ with reference to the clean embeddings $Z$, we put $\alpha= 0.5$ in our experiments. KNN and LID are both robust when detecting adaptive attacks for CLIP and reasonably effective for ALBEF and TCL. The increase in detection rates against adaptive k-NN attacks can be explained by the dynamics of attack generation. Adaptive attacks targeting the k-NN-based defense incorporate constraints that optimize perturbations around the k-NN structure. The incorporation of the multimodal encoder during attack generation modifies the data distribution, increasing the distinguishability of perturbed samples. This could cause perturbed samples to shift more significantly in the feature space, making them easier to detect. The results are presented in the table below, with additional datasets detailed in subtables a and b of Table 6 in the updated draft (Section A.5 in the Appendix).

Table 1: Effect of k-NN adaptive Attacks in GAD-VLP for Image-Retrieval task with Flickr30k.

Table 2: Effect of LID adaptive Attacks in GAD-VLP for Image-Retrieval task with Flickr30k.

---

A2:

The techniques used for detection are from prior works, which limits the technical novelty of the paper.

To the best of our knowledge, this is the first study to evaluate the detectability of adversarial images for VLPs, addressing a notable gap in the existing literature. We believe that demonstrating effective detectability using existing methods in the context of a new problem provides valuable insights to the community. Our rigorous experiments validate this novel finding, which we believe holds equal significance to proposing a new technique.

We thank the reviewer for evaluating the revised version and for their valuable feedback.

Regarding the statement in paper [A]:

"Computing the LID term involves determining the $k$-nearest neighbors when calculating $r_i(x)$. Minimizing the gradient of the distance to the current $k$-nearest neighbors does not accurately represent the optimal direction for adjusting the $k$-nearest neighbors."

To address the challenges associated with normal adaptive attacks, we adopted an alternative approach to demonstrate the robustness of our framework. Specifically, we used distinct batches of samples: one for detection and another for generating adversarial points. For instance, in the calculation of $S(Z')$, we employed a batch different from that used for $S(Z)$ during detection. The table below, which shows the AUC detection rate for the TCL model and the adaptive uni-attack, further illustrates the robustness achieved by our framework in this context.