Robustness in Both Domains: CLIP Needs a Robust Text Encoder

Dear Reviewer qiLf,

Thanks for your time reviewing our paper. We are happy you found our paper exceptionally well written. We answer to your comments as follows:

P1: “A standard CLIP evaluation would involve a much wider suite of benchmarks (e.g. VTAB etc.)”

We agree that CLIP models should be evaluated on a wide suite of tasks. Thank you for suggesting the VTAB benchmark. We report in Table 9 (appendix) the performance of our models and baselines across several zero-shot classification tasks, many of which are part of the VTAB benchmark. Additionally, we have evaluated the models on the remaining VTAB subtasks and report averaged performance over the categories “natural”, “specialized”, and “structured” in Table A below. We observe that in clean evaluation, robust models sacrifice performance on “natural” and “specialized” (a trade-off between clean and robust performance is expected [1]). On “structured” the behavior is mixed - sometimes even outperforming the non-robust models. In the adversarial evaluation ($\epsilon=\frac{2}{255}$), we observe that the non-robust models are completely vulnerable, while our robust models maintain much better performance when attacked. We will add these interesting results to the appendix of the manuscript.

Table A: Clean and adversarial evaluation on VTAB.

P2: “The evaluation on different model scales could also be more extensive”

Please note that Tables 2,3,4 and 9 include evaluations in all ViT-L, H and g sizes. We even finetuned the text encoder of the ViT-bigG 3B parameter model and evaluated it on text-to-image generation. We agree that it would be nice to evaluate models larger than this, but our compute budget does not allow for larger sizes, this is indeed a limitation as we mention in lines 283-284.

P3: “Have the authors considered how LEAF might perform against token-level attacks, which aim to preserve semantics while changing the embedding?”

While token-level attacks can also be realistic, recent studies show that token-level attacks often change the semantics of the sentence, leading to invalid attacks [2,3,4]. Moreover, [5] show that token-level defenses are not effective for character-level adversarial attacks and vice-versa. For completeness, we have evaluated the performance of our CLIP models in zero-shot text classification, under the token-level TextFooler attack [6].

Table B: Adversarial accuracy in AG-News and SST-2 under the TextFooler attack.

Our results are in line with the findings of [5]: Character-level defenses are not effective for token-level adversarial attacks.

P4: Could you elaborate on the need for semantic constraints during training? If a new language/task is employed, should the constraints change?

Thanks for bringing up this very interesting point. We believe that the semantic constraints we employ are general enough and should not change from task to task. In fact, the same constraints used during training provided a good performance in a wide range of tasks (text classification, text-to-image retrieval, text-to-image generation and text embedding inversion). Moreover, in Fig. 11, we report the loss with and without constraints. Training with constraints, also generalizes to reduce the unconstrained loss.

The case of changing languages is an interesting area for future work. Since the constraints we employ during training are based on the English dictionary, the performance on datasets in other languages might not be so good. However, since the model is able to generalize and be robust to unconstrained attacks, we believe that robustness will (to some extent) generalize from language to language.

Thanks again for your suggestions. We will incorporate the new experiments and discussions in the revised version of the manuscript. If you have further comments, we will be happy to answer. If our comments addressed your concerns, we would appreciate a raise in the rating.

Best regards,

Authors.

References

[1] Dimitris Tsipras et al., Robustness May Be at Odds with Accuracy, ICLR 2019

[2] John Morris et al., Reevaluating adversarial examples in natural language. In Findings of the Association for Computational Linguistics: EMNLP 2020.

[3] Salijona Dyrmishi et al., How do humans perceive adversarial text? a reality check on the validity and naturalness of word-based adversarial attacks. In Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 2023.

[4] Bairu Hou et al., Textgrad: Advancing robustness evaluation in NLP by gradient-driven optimization. In International Conference on Learning Representations (ICLR), 2023.

[5] Elias Abad Rocamora et al., Revisiting Character-level Adversarial Attacks for Language Models, International Conference on Machine Learning, 2024.

[6] Di Jin et al., Is bert really robust? a strong baseline for natural language attack on text classification and entailment. AAAI Conference on Artificial Intelligence, 2020.

Dear Reviewer qWrN,

We appreciate the time dedicated to reviewing our paper. We are happy that you describe our method (LEAF) as elegant and easy-to-reuse, and that you find our evaluation diverse and effective. We address your concerns in the following:

P1: “The core contribution is adapting FARE to text, with the primary novelty being a faster attack; the methodological lift remains incremental.”

The methodological lift includes a new efficient training-time attack and a principled constrained objective for the discrete text modality. Moreover, our study is the first demonstration of dual-domain robustness in CLIP. Our experiments reveal enhanced robustness to character-level attacks in several tasks and improved interpretability of robust models via embedding inversion.

P2: “The approach handles only character-level perturbations; broader attacks (token-level, syntactic, semantic) remain unexplored.”

Robustness in the text domain can be studied through many threat models. As mentioned in lines 94-97, token-level attacks often alter the semantics of the sentence [1,2,3]. Moreover, [8] show that token-level defenses are not effective against character-level attacks and vice-versa. To keep our insights clear, we decided to focus on character-level attacks. Nevertheless, for completeness, we have evaluated the zero-shot text adversarial accuracy of our CLIP models, with the Textfooler token-level adversarial attack [7] in the AG-News and SST-2 datasets.

Table A: Adversarial accuracy in AG-News and SST-2 under the TextFooler attack.

Our results are in line with the findings of [8]: Character-level defenses are not effective for token-level adversarial attacks. We hope that our work can foster additional studies that enhance the robustness of CLIP under different threat models, e.g. token-level or syntactic attacks.

P3: “Text and image encoders are finetuned separately, leaving effectiveness under joint attacks untested.”

As a proof of concept, we have tested the performance of our models when both the image and text are perturbed in text-to-image retrieval.

Starting with the k=1 text perturbations for the ViT-L/14 models from Table 3 in the main paper, we perturb the images with APGD for 100 iterations with $\epsilon=2/255$ and $\epsilon = 4/255$. We show text-to-image retrieval on 1k samples from MS-COCO. Specifically, we maximize the distance of the image embeddings under perturbations to the original image. The attack follows a similar setup as CoAttack [6], where the text attack follows the image attack. The clean column here represents the performance of the model when no modality is attacked. In this setup again, our LEAF trained models are the most robust, highlighting the importance of dual modality robustness.

Table B: BiModal attack robustness evaluation for MS-COCO retrieval at $k=1$ and $\epsilon\in \{2, \}4/255$.

P4: “Stronger, state-of-the-art generation architectures such as Stable Diffusion 3 (SD3) or Flux.1 are not evaluated”

Models like SD3 or FLUX.1 cannot be fully benefited from our approach, since in addition to CLIP text encoders, they employ the encoder-decoder model T5-XXL for obtaining text embeddings. Nevertheless, it is still possible to attack their CLIP text encoders and replace them for our fine-tuned ones, while keeping T5-XXL untouched. We have replicated our text-to-image generation experiments with FLUX.1-dev. Due to the high quality of the generated images (1024x1024), we limit our evaluation to the first 100 images in the MS-COCO dataset.

Table C: Text-to-image and image-to-image CLIP scores for the FLUX.1-dev model with the original (CLIP) and finetuned (LEAF) text encoder.

Our results show that even when only attacking one text encoder, FLUX.1-dev is still vulnerable to adversarial attacks. When replacing the CLIP-ViT-L text encoder with our LEAF counterpart, the image generation quality is improved for higher values of $k$. Unfortunately, we cannot include image links with our rebuttal. We will include attack examples and generations in the revised version of the manuscript.

We hope our work can motivate the study of the robustness of other architectures like encoder-decoder models, such as T5-XXL.

P5: “In Table 14-16, were the same adversarial captions used for baseline and LEAF models? If they were generated independently, can you clarify how fairness in comparison is maintained?”

Fairness relies on the adversarial captions being optimized independently for every model from the same original caption. This procedure yields the adversarial perturbation that maximally degrades the performance of each model. This is a standard practice both in the image and text adversarial robustness communities [4,5]. Attacks optimized over one model and applied to others can also be tested, these are known as transfer attacks. We have tested the adversarial captions optimized over CLIP on LEAF and vice versa for the SD1.5 model.

Table D: Transfer attacks for SD-1.5. We measure the text-to-image CLIPScore. Rows denote target models and columns denote source models.

We observe that, as expected, when the source is equal to the target, the generated image quality is degraded the most. Our text encoder improves the generation quality in all cases except when the Source is LEAF and $k=1$, where CLIP obtains 0.04 points more than LEAF in this advantageous setup.

P6: “have you evaluated LEAF’s effect on intended typographic prompts, such as rare text content (“a ST00P sign”)? Does enforcing adversarial robustness inadvertently harm those cases?”

Thanks for the suggestion. As a preliminary test, we have crafted 100 perturbations from the first 100 COCO captions. To take it to the extreme, we have replaced every “i” for a “1”, every “e” for a “3”, every “o” for a “0” and every “a” for an “@”.

For example, the first COCO caption turns into “A w0m@n st@nds 1n th3 d1n1ng @r3@ @t th3 t@bl3.”

Table E: SD1.5 text-to-image generation performance under visually-similar character replacements.

We observe that while the image generation quality with both encoders is quite low, using LEAF provides an improvement of 0.62 points in CLIPScore T2I and 2.77 in CLIPScore I2I.

Thanks again for your review and suggestions. The added experiments will be included in the revised version of our manuscript. We remain available in case you have additional comments. If you are satisfied with our answers, we would appreciate an increase in the rating.

Best regards,

Authors

References

[1] John Morris et al., Reevaluating adversarial examples in natural language. In Findings of the Association for Computational Linguistics: EMNLP 2020.

[2] Salijona Dyrmishi et al., How do humans perceive adversarial text? a reality check on the validity and naturalness of word-based adversarial attacks. In Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 2023.

[3] Bairu Hou et al., Textgrad: Advancing robustness evaluation in NLP by gradient-driven optimization. In International Conference on Learning Representations (ICLR), 2023.

[4] Francesco Croce, RobustBench: a standardized adversarial robustness benchmark, arXiv preprint arXiv:2010.09670, 2020.

[5] John Morris et al., TextAttack: A Framework for Adversarial Attacks, Data Augmentation, and Adversarial Training in NLP, EMNLP 2020.

[6] Jiaming Zhang et al., Towards adversarial attack on vision-language pre-training models., ACM MM2022

[7] Di Jin et al., Is bert really robust? a strong baseline for natural language attack on text classification and entailment. AAAI Conference on Artificial Intelligence, 2020.

[8] Elias Abad Rocamora et al., Revisiting Character-level Adversarial Attacks for Language Models, International Conference on Machine Learning, 2024.

Dear Reviewer fLS5,

Thanks for your time reviewing our paper. We appreciate your appraisal of the practicality and applicability of our training method in CLIP-like models. We answer your points regarding the weaknesses of our work as follows:

P1: “token-level attacks—which may better reflect real-world adversarial scenarios—are not addressed due to their potential to alter semantics”

Thanks for highlighting this point. We agree that token-level attacks are prone to altering semantics, this is the reason why we decided to focus on character-level attacks. Moreover, [2] show that token-level defenses are not effective for character-level adversarial attacks and vice-versa.

We are unsure about which of the two threat models better captures real world scenarios. Both character-level and token-level attacks can be deemed realistic, the first simulates typos/small changes in the input and the second simulates replacement by synonyms. To complete the analysis, we have evaluated the performance of our CLIP models in zero-shot text classification using the token-level TextFooler attack [1].

Table A: Adversarial accuracy in AG-News and SST-2 under the TextFooler attack.

Our results are in line with the findings of [2]: Character-level defenses are not effective for token-level adversarial attacks.

P2: Your evaluation does not consider joint multimodal adversarial attacks

As a proof of concept, we have tested the performance of our models when both the image and text are perturbed in text-to-image retrieval.

Starting with the k=1 text perturbations for the ViT-L/14 models from Table 3 in the main paper, we perturb the images with APGD for 100 iterations with $\epsilon= 2/255$ and $\epsilon=4/255$. We show text-to-image retrieval on 1k samples from MS-COCO. Specifically, we maximize the embedding distance of the image encoder under perturbation to the original image (can be interpreted as an untargeted adversarial attack). The attack follows a similar setup as CoAttack [3], where the text attack follows the image attack. The clean column here represents the performance of the model when no modality is attacked. In this setup again, our LEAF trained models are the most robust, highlighting the importance of dual modality robustness.

Table B: BiModal attack robustness evaluation for MS-COCO retrieval at $k=1$ and $\epsilon\in \{2, \}4/255$.

Thanks for your review. We remain available in case you have additional comments, we will be happy to answer.

Best regards,

Authors.

References

[1] Di Jin et al., Is bert really robust? a strong baseline for natural language attack on text classification and entailment. AAAI Conference on Artificial Intelligence, 2020.

[2] Elias Abad Rocamora et al., Revisiting Character-level Adversarial Attacks for Language Models, International Conference on Machine Learning, 2024.

[3] Jiaming Zhang et al., Towards adversarial attack on vision-language pre-training models., ACM MM2022

Dear Reviewer owKp,

Thanks for your time reviewing our paper. We appreciate your recognition of the clarity and comprehensiveness of our writing and experiments. We summarize and address your comments as follows:

P1: “A concise summary or an intuitive explanation of the attack mechanism in simpler terms could further improve readability.”

Thank you for bringing up this point. Our attack is described in Algorithms 1 and 2 in the appendix. Additionally, Fig. 2 portrays a practical example using $\rho=6$. Let us provide an intuition of the overall procedure:

1. Sample $\rho$ positions within the sentence.
2. Replace/Insert a whitespace in those positions.
3. Evaluate the loss of the model on the $\rho$ sentences and select the one with the highest loss.
4. Sample $\rho$ characters from the vocabulary.
5. Replace the sampled characters in the position selected in step 3.
6. Evaluate the loss of the model on the $\rho$ sentences and select the one with the highest loss.
7. Go to step 1 until $k$ perturbations are done.

Note that this is the most basic version of our attack: without constraints. To constrain the attack, we filter out the changes producing new words after steps 2 and 5. We hope this intuition eases the understanding of our method. We will clarify the mechanism of our attack in the revised version of the manuscript.

P2: “Real-world adversarial scenarios may also involve a wider range of semantic manipulations (e.g., token-level or phrase-level perturbations”

While token-level attacks can also be realistic, recent studies show that token-level attacks often change the semantics of the sentence, leading to invalid attacks [1,2,3]. We highlight this motivation in lines 94-96. Moreover, [4] show that token-level defenses are not effective for character-level attacks and vice-versa. Following these studies, we decided to tackle character-level robustness.

For completeness, we have evaluated the performance of our CLIP models in zero-shot text classification using the token-level TextFooler attack [5].

Table A: Adversarial accuracy in AG-News and SST-2 under the TextFooler attack.

Our results are in line with the findings of [4]: Character-level defenses are not effective for token-level adversarial attacks. We hope that our work can foster additional studies that enhance the robustness of CLIP under different threat models, e.g. token-level or syntactic attacks.

P3: The experimental evaluation is limited to CLIP-based models

Thanks for highlighting this point. We believe our evaluation in CLIP-based models is well-representative of the multimodality field. While our training method shows promise for other applications / models where robustness in the text domain is needed, CLIP-like architectures are widely employed in many applications as described in lines 16-21. To complete our analysis with additional architectures, we fine-tune BERT-base on SST-2 for 1 epoch with LEAF. We measure the Charmer adversarial accuracy at $k=1$ and the token-level adversarial accuracy with TextFooler. This is equivalent to the experimental setup in Table 4 in [4].

Table B: Adversarial finetuning of BERT-base on SST-2.

In line with the results of [4], we observe that adversarial training with character-level attacks does not improve the robustness in the token level. Regarding character-level robustness, we observe that LEAF obtains almost 5 points less in adversarial accuracy with respect to training with Charmer, but preserves a clean accuracy 4 points higher.

We appreciate your comments, which help us improve the quality of our work. If you have additional comments, we will be happy to answer. If our answers addressed your points, we would appreciate an increase in the rating.

Best regards,

Authors

References

[1] John Morris et al., Reevaluating adversarial examples in natural language. In Findings of the Association for Computational Linguistics: EMNLP 2020.

[2] Salijona Dyrmishi et al., How do humans perceive adversarial text? a reality check on the validity and naturalness of word-based adversarial attacks. In Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 2023.

[3] Bairu Hou et al., Textgrad: Advancing robustness evaluation in NLP by gradient-driven optimization. In International Conference on Learning Representations (ICLR), 2023.

[4] Elias Abad Rocamora et al., Revisiting Character-level Adversarial Attacks for Language Models, International Conference on Machine Learning, 2024.

[5] Di Jin et al., Is bert really robust? a strong baseline for natural language attack on text classification and entailment. AAAI Conference on Artificial Intelligence, 2020.