I am going to split my critique up into two sections. The first will be a high-level critique of the paper, and the second will be specifics about sections. Whilst the critique is long, this is only because I believe the paper has interesting results that could be improved, not because I think there are any fundamental failings in the paper. To the contrary, I think the paper contains valuable insights for the broader adversarial attack community.

High Level:

Originality

My high-level critique of this work concerns its originality. In particular, the CLIP Score attack and VLLM response attack seem very similar to the two attacks presented in Dong et al.[1]. In particular, Dong et al. also present a method based on CLIP embeddings (albeit they align to a target image not a target textual embedding) and an end to end technique. They also demonstrate that these methods transfer to black-box models. Zhao et al. [2] also demonstrate black-box adversarial attacks of a similar nature to those presented in this work (although they do not attack frontier models).

Firstly, these works should be mentioned and treated in the related works, but they are not ([1] is however mentioned at the end of the introduction).

Despite this critique, I believe this paper still has valuable contributions. In particular, making a technique successful in machine learning often comes down to small tweaks or "tricks". The authors demonstrate, that through the specific techniques they use, they are able to get what appears to be stronger transfer than [1].

I would recommend two concrete changes on this front however:

1. Soften or remove claims of novelty about your techniques. For example, you state "we develop a novel attack for VLLMs designed to find image perturbations by targeting adversarially chosen text embeddings." Given what I have seen, I do not think it is fair to say your technique is entirely novel. An alternative framing would be to say something like "building on prior works that have displayed some transferability <cite>, we enhance transferability by doing <x>".
2. Running baselines using prior works ([1] in particular) and seeing how adding your tricks (ensembling, data augmentation) would be very valuable.

Experiments

In all of the experiments I do not understand the exact algorithm you are using. You say you use an ensemble of surrogate models that includes CLIP models and full VLLMs. This leads me to assume that the adversaries are created using a mixture of the CLIP score attack and VLLM response attack methods (e.g. you accumulate loss from both and then take a gradient step). Is this correct?

If this is correct, then why did you not show ablation studies of using each technique individually? This would seem to me to be very important. If you find that using both techniques at the same time was what increased transferability, that would be a very useful to know. Additionally, if this is correct or not, language should be added to make the experimental setup more clear.

Apologies in advance if I have missed something here.

Definition of adversarial attack

Secondly, the paper uses a broad definition of adversarial attacks to VLLMs. For example, in the related works you compare to Schaeffer et al. Their paper concerns transferable jailbreaking attacks. In contrast this paper concerns adversarial attacks that change how the model perceives an image, as opposed to attacks that convey some hidden instruction to the model. In fact, your formulation in equation (1) is good (although I have some critiques of it below) and clearly does not cover the case of jailbreaking or prompt injection attacks. Making this distinction clearer in the introduction and related works would be valuable,

Section level critique

Section 2 - related works

• You state "in this paper, we take a new perspective: We investigate how visual perturbations can induce targeted misinterpretations in proprietary VLLMs such as GPT-4o." As mentioned above, I don' think this is an entirely new perspective, and thus should be removed.
• Like I said above, a more thorough treatment of [1] and [2] is required.

Section 3 - generating transferable attacks for VLLMs

• The problem setup in equation (1) seems slightly off. The requirement is only that the two outputs are not equal, but this would be satisfied by simply flipping a single token (which does not match my internal definition of what I think an adversarial attack to be). For example, this could occur simply if I was sampling with some entropy.
• Nit - above equation (5) I think tilda x_a should be tilda t_a? That is tilda t_a is introduced in (5) without a definition.

Section 4 - experiments

• See above concerning my question of method.
• For each experiment, I would like to see for each epsilon budget how a random perturbation of that size affects the model performance. It may be in all cases that the ASR remains 0, in which case I think this is still valuable to include but can be put in the Appendix. If not, then this is a useful baseline to compare your method against.
• For table 5, it would be nice to see some example questions, model responses with and without adversarial perturbations.
• Nit - should be "after generating" not "after generate" in line 302.
• Section 4.3. Claims here need to made more narrow. You state "This benchmark not only provides a standardized framework for assessing VLLM capabilities in safety critical domains." This is evaluating a certain subset of safety critical domains. Not all possible VLLM safety critical domains (e.g. it does not tell me much about how useful the VLLM could be used as an agent to assist me in some nefarious task). This is ok, just the claim should be made more narrow.
• I think the safety benchmark is very interesting. Writing could be enhanced by referencing real world situations in which a failure on this benchmark would lead to bad things.

Other Nits

• Line 335 "thereby making transferable attacks more less effective on Claude’s models", should be "more OR less"
• Line 392 "Each question ends with 'Please answer with yes or no'" - The quotation mark is backwards.

References:

[1] - Dong, Yinpeng, et al. "How Robust is Google's Bard to Adversarial Image Attacks?." arXiv preprint arXiv:2309.11751 (2023). [2] - Zhao, Yunqing, et al. "On evaluating adversarial robustness of large vision-language models." Advances in Neural Information Processing Systems 36 (2024).

My main concern is that the proposed attack lacks novelty as in [1], the authors introduced a transfer-based attack strategy by matching image-text features. Many of the conclusions drawn like the vulnerability of VLMs to adversarial attacks-specifically on the vision modality of these models- and the transferability of these attacks are already well-explored in the existing literature, which the authors fail to acknowledge adequately [1,2]. Throughout this paper, there is a notable lack of consistency and cohesion across sections. Furthermore, the VLLM SafeBench tool is introduced without any prior context, emerging only within the experimental results. The experimental design is disorganized, with unclear settings. Overall, the paper lacks clarity, cohesion, and originality.

1. Zhao, Yunqing, et al. "On evaluating adversarial robustness of large vision-language models."
2. Yin, Ziyi, et al. "Vlattack: Multimodal adversarial attacks on vision-language tasks via pre-trained models."

1. Provide some adversarial examples (visually)? If we just randomly perturbed the images, it can also cause the misclassification. So it can not prove the efficiency of the proposed method.

2. The paper use ε=32/255 (%) to measure the perturbation. If the perturbation is too much, it is not stealthy. we can see that when the 32/255, it can get some good results. But this perturbation is a bit large and it will affect the stealthies.

3. The paper claims to achieves good attack performance on both untargeted and targeted attack settings. For targeted attack setting, the results are only provided by ImageNet-1K image classification. More experiments would be better.

4. The proposed two attack methods: CLIP score attack and VLLM response attack, are good, however not novel. The intuition has been proposed by other works, and the author applied to the adversarial attack domain.

The paper only provides the experiments results to demonstrate the transferability of proposed two attacks and tricks. It is better to explain more about the reason of transferability.

It looks like that proposed attacks depend on the positive and negative textual prompts in equation (2). It is better to do some explainations or experiments to show the influence of textual prompts.

There are some typos, e.g., the confusing use of t_a^~ and x_a^~ in line 223 and equation (5).

There are no comparison methods in the main results. It is difficult to understand the advantage of proposed attacks.