X-Transfer Attacks: Towards Super Transferable Adversarial Attacks on CLIP

We are grateful for your careful review of our paper. Please find our detailed responses to your questions below.

---

Q1: Choice of sampling strategies and improvement over random sampling

A1: We would like to clarify and emphasize the comparison of sampling strategies presented in Section 4.2. The results are reported as macro-averages across 9 encoders, each evaluated on 8 datasets, yielding a total of 72 evaluation points. We argue that the observed 2.3% performance gap is statistically significant, particularly in the context of large-scale benchmarking.

Our analysis demonstrates that reward-aware sampling strategies (UCB and $\epsilon$-greedy) consistently outperform reward-agnostic random sampling. This empirical evidence strongly suggests that the reward metric itself - rather than the sampling strategy choice - is the primary driver of super-transferability improvements. While we acknowledge that alternative sampling approaches may be worth exploring, our core contributions remain: (1) the efficient surrogate scaling framework and (2) the proposed reward metric.

To summarise:

• Super-transferability stems fundamentally from surrogate scaling, as evidenced by experiments with varying search space sizes ($N$).
• While sub-sampling improves computational efficiency (Fig 2a), it is not the primary driver of super transferability.
• Reward-aware sampling consistently outperforms random sampling while maintaining efficiency.

---

Q2: The dynamic reward distribution

A2: We would like to clarify that our current approach already incorporates a dynamic reward distribution that evolves throughout the adversary’s training loop. As the perturbation improves over time, it influences the loss values used as the reward signal, leading to a naturally shifting reward landscape.

We also agree with the reviewer that exploring an adaptive threat model, in which CLIP itself is updated during the adversarial process, presents an interesting direction for future research. We appreciate this insightful and constructive suggestion and will certainly pursue it in future work.

---

Q3: Iterative improvement and contribution

A3: While the adversarial objective we employ may appear simple, its design is both intentional and necessary, and its combination with UCB may seem like an incremental improvement. However, we emphasize that this formulation has led to insightful and novel findings regarding the vulnerabilities of CLIP and VLMs. The simplicity and generality of the adversarial objective are deliberate design choices, as they ensure compatibility across diverse CLIP encoders and are crucial for achieving super transferability, as demonstrated in Appendix C.4. This deliberate simplicity underscores the elegance and effectiveness of our approach.

Beyond performance, our work reveals a new and exciting phenomenon: the untargeted UAPs generated by X-Transfer are semantically interpretable, yet they do not align with human perception. Prior work has suggested that semantically interpretable perturbations that align with human understanding typically arise only from targeted objectives, whereas untargeted perturbations appear patternless. In contrast, our findings show that untargeted UAPs can also produce visually coherent patterns that are semantically rich but misaligned with human interpretation, suggesting that these perturbations explore a space distinct from all previously observed perturbation behaviors.

We believe that a simple and effective method, paired with a novel and well-supported finding, and validated through rigorous experimentation, constitutes a meaningful and impactful contribution to the field.

---

R4: Others suggestions

A4: We will incorporate these suggestions in the revision.

We sincerely appreciate your time and careful review of our work. Below, we provide detailed responses to address each of your concerns.

---

Q1: Using OpenCLIP lacks generalisability and real-world models.

A1:

(1) OpenCLIP is an open-source framework, protocol, and API for CLIP and its variants, not a model itself. It currently hosts the largest collection of open-source CLIP models, which we adopt in our experiments primarily for its convenient and unified interface. Many real-world CLIP models are already included in the OpenCLIP collection, such as MetaCLIP from Meta and SigLIP from Google, both of which are evaluated in our experiments.

(2) To address your concern regarding real-world deployment, we conducted evaluations on GPT-4o and OpenAI o1. Using the same targeted adversarial example generated via TUAP (as shown in Figure 3), we prompted the models with “Briefly describe the image.” Below are the models’ responses.

GPT4-o: The image is a digital collage blending a volcanic eruption with cyber elements. Lava flows into the ocean under a blue-toned overlay of circuit patterns and glowing text related to computer viruses, such as “Remove Files” and “Virus Inject.” It visually represents the destructive power of cyber threats.

OpenAI o1: It’s a composite image showing lava pouring into an ocean, overlaid with circuit-board patterns and words referencing computer viruses and file removal, evoking the idea of a powerful, destructive cyber threat.

We also conducted a qualitative evaluation by randomly sampling 1,000 images from the ImageNet test set and applying our TUAP to generate adversarial examples. We queried the model using the prompt “Briefly describe the image.” For this evaluation, we used OpenAI’s GPT-4o-mini model. Each request included both the textual prompt and the adversarial image (encoded in base64), and the maximum response length was set to 128 tokens. If the response contained any of the keywords in target text descriptions (e.g. “remove”, “files”, “computer”, “inject”, “computer virus”), we considered it a successful attack. The ASR based on this criterion is reported in the table below.

---

Q2: Ablation on hyperparameters

A2: The search space size, denoted as $N$, is evaluated throughout the paper, and the number of selected encoders per iteration, $k$, is specifically analysed in Section 4.2.

Results for different search space sizes, Vanilla ($N$ = 1), Base ($N$ = 16), Mid ($N$ = 32), and Large ($N$ = 64), are presented in Tables 1, 2, 13, 15, and 16. These results demonstrate that a larger search space consistently improves the ASR.

The ablation study on $k$ is shown in Figure 2(a), and the efficiency analysis is provided in Table 7. The results indicate that while varying $k$ has minimal impact on ASR, it primarily affects computational efficiency. Our choice of $k$ is 25% of $N$ is motivated by the trade-off observed in Figure 2(a) and the efficiency analysis in Table 7.

---

Q3: Theoretical explanations

A3: We believe that super transferability and CLIP’s concept fusion ability are novel topics of growing importance. As such, there are currently no established theoretical frameworks to formally characterise these phenomena. Nevertheless, our empirical results are comprehensive, providing strong support for our claims regarding super transferability. The novel observation that UAPs on CLIP exhibit semantically interpretable patterns offers valuable insight into the underlying vulnerabilities of CLIP models. We plan to investigate theoretical explanations in our future work.

---

Q4: Defences against X-Transfer

A4: Please refer to Appendix C.8, where we have presented evaluations using adversarially trained CLIP encoders.

We sincerely appreciate your review, valuable feedback, and kind recognition of our work. Below are our responses to your questions.

---

Q1: The common assumption that an ensemble is necessary.

A1: We agree that it is indeed surprising that the vanilla version of X-Transfer without an ensemble, performs comparably to several strong baselines. However, we believe that the ensemble mechanism is crucial for achieving super transferability, as it allows the method to exploit shared vulnerabilities across diverse surrogate models.

Regarding the complex setups used in prior work, we believe that they may be well-justified for the specific task those studies focused on. However, for the broader goal of super transferability, including cross-task scenarios, we find that a simple and generic adversarial objective is not only sufficient but also necessary. Notably, our experiments (Appendix C.4) demonstrate that surrogate scaling does not improve transferability when applied to the baseline (ETU), further reinforcing the motivation behind our design choices.

---

Q2: Appearance of text features in perturbation

A2: We would like to clarify that we did not use any explicit objective to introduce textual features or characters into the perturbation. Rather, these textual-like patterns emerged naturally as a byproduct of the optimisation process. The goal of X-Transfer is to exploit common vulnerabilities in CLIP encoders, and we believe our findings indeed demonstrate that these textual features reflect a shared vulnerability across CLIP variants. Understanding why such patterns emerge and how they interact with the multimodal representations of CLIP is, in our view, an interesting direction for future research.

We sincerely appreciate your thorough review and insightful comments. Please find our responses to your questions below.

Q1: Mechanism behind the cross-task transferability on VLM

A1: X-Transfer exploits a common weakness in CLIP image encoders, even when they are trained on different datasets and model architectures. Our adversarial objective is intentionally generic as it induces meaningless embeddings. Since many VLMs adopt CLIP or its variants as their image encoders, the UAPs generated by X-Transfer can therefore induce similar nonsensical embeddings in these models. This highlights a shared vulnerability across a wide range of CLIP encoders.

Q2: Theoretical analysis

A2: The focus of this work is super transferability, not MAB or UCB regret analysis.

We believe that super transferability is a novel topic, and as such, there is currently no established theoretical framework. However, our empirical results are solid and comprehensive, providing strong support for our claims on super transferability. The geometry-based theoretical analysis of transferability between classifiers (Tramèr et al., 2017), as well as the ACL23 work mentioned by the reviewer, could serve as valuable starting points for future theoretical investigations into super transferability.

Q3: X-TransferBench and supplementary material

A3: The sample code is included in the accompanying ZIP file. We will adopt the MIT License in the published version. Please refer to Figure 2(a) for the correlation with ASR.

Q4: Choice sampling method and generic adversarial objective

A4: Our main contribution lies in the MAB-based dynamic selection framework and the design of a reward metric. The sampling method itself is not the primary factor in achieving super transferability. It is the reward metric that plays a critical role (see Section 4.2). In Section 3.3, we stated that while UCB is our default choice due to its simplicity, we also emphasised that other sampling strategies (including Thompson sampling) are plausible and fully compatible with our framework.

The generic objective (Eq. 3-5) is essential to ensure compatibility across different architectures, embedding sizes, and pre-training objectives of surrogate models. While the objectives may appear simple, they are crucial for achieving super transferability, see Appendix C.4 and Table 11.

Q5: New experiments (TUAP, step size, other and newer models, randomised smoothing, and search space)

A5:

(1) We tested 5 additional TUAPs (average ASR 77.6%) with targets sampled from the AdvBench and compared their performance with the 10 TUAPs (average ASR 75.8%). The results are consistent.

(2) We follow existing works and set the $\epsilon$ to 12/255. The step size is a typo. It is our choice of hyperparameters, not baselines. This does not affect our analyses since $\epsilon$ is the factor in ensuring the fair comparison for $L_\infty$ perturbations.

(3) Please find the results below for ALIGN, Florence and newer models. Note MetaCLIP-v1.2 ViT-H/14 was released in Dec 2024, and SigLIP-v2 ViT-B-16 was released in Feb 2025.

While we cannot guarantee complete effectiveness against newer models, we believe our work offers novel insights into CLIP/VLM vulnerabilities and makes valuable contributions to the community. These findings provide important foundations for developing safer, more robust models in the future.

(4) We tested our UAP against the smoothed ImageNet classifier provided by Cohen et al., 2019. As expected, the classifier demonstrates robustness to $L_\infty$ and $L_2$ perturbations, consistent with its certified guarantees. However, it is not robust to our patch-based UAP, as these perturbations lie outside the certified radius. This finding highlights an important gap and, we believe, serves as a strong motivation for future works.

(5) We evaluated the generalisation capability of our method by testing with a ViT-only base search space (average ASR of 69.3%) and comparing it to the original mixed-architecture base search space (average ASR of 69.2%). The results show no significant difference.

Q6: Others

A6: We will fix the typo, add more examples of Fig 3, and add references to related works mentioned by the reviewer.