Response to Rev. srgi

We thank Rev. for the constructive feedback. Kindly also note additional Theory/Results in Resp. to Rev. EyNB.

1. Abstract.

Thank you. We have removed now math notations:

Vision-Language Models (VLMs), e.g., CLIP, excel at zero-shot classification due to large-scale pre-training yet are vulnerable to adversarial examples. Adversarial fine-tuning robustifies zero-shot models by aligning prediction scores of individual adversaries with their clean counterparts, which typically overlooks intermediate adversarial samples along the adversarial trajectory crossing the decision boundary. Such intermediate adversaries and their vicinity offer informative representations of the decision surface, which can further be improved by sampling adversarial candidates from simplices formed by joining vertex with consecutive vertices on the adversarial trajectory. However, sampling simplices for adversaries is prohibitively costly. To train robust VLM, we overcome these limitations by Taylor expansion and formulating an upper-bound of alignment loss that depends on Jacobian/Hessian obtained at clean samples. As regions between clean and intermediate adversarial samples capture a larger decision landscape, we robustify VLM by plausible adversaries on simplices by our closed-form formulations equivalent to infinite uniform sampling of the simplex. We obtain state-of-the-art robustness across 15 datasets and diverse vision-language tasks.

2. Separate Section for Related Works & Concise Intro.

Absolutely. This is very easy to achieve.

We will provide a separate detailed related work section in the revised version, including:

• alignment schemes (plus necessary equation).
• single-modal adversarial attacks/robustness
• multimodal adversarial attacks/robustness for a better understanding.

3. More Explanations of Section 3.

• We first discuss the upper bound of the prediction alignment between clean and adversarial examples derived by Taylor expansion in Section 3.1
• In Section 3.2, we propose a theorem to avoid empirical aggregating/sampling from adversarial simplices. In other words, we provide a closed-form solution for sampling from adversarial simplices.
• The overall loss function is shown in Section 3.3.
• We further demonstrate that our method also bounds the robust risk in Section 3.4.

We will add the summary table of symbols:

4. Formatting Issues.

We apologize. We will fix Eq. 10 and one table that jumped between pages breaking formatting.

5. Code Release.

We stress that our code, model weights, and setup will be publicly available.

$\color{blue}\text{General Additional Results:}$

6. Additional results (ViT-B vs. ViT-L).

We extend our Table 3 (ImageNet), showing the average acc. across 15 datasets on ViT-B and ViT-L:

7. Additional results (Batch Size).

For completeness, we present results with two different batch sizes, 128 and 512 to show our approach performs best. The average results across 15 datasets on ViT-B are below:

Our method does not require a large batch size, but large batch size can enhance a bit all methods.

8. Additional results: Auto-Attack Results for Each Dataset.

The auto-attack results ($\epsilon$=2/255) of ViT-B corresponding to Table 2 is below:

Response to Rev. XcU1

Thank you for the constructive feedback. Kindly also note additional Theory/Results in Resp. to Rev. EyNB.

1. Compare Cost. 10x speedup.

• Below are training times for FARE, TeCoA, PMG-FT.
• The 10x speed-up is for our closed-form "infinite" sampling from adv. simplex vs. "naive" sampling (see below Sampling 300 samples per simplex vs. AdvSimplex (10 steps)).

• For the same time budget (~1.6h), AdvSimplex (5 steps) outperforms FARE by ~2% and ~4% in the clean and robust accuracy (AA)

• For 1.7x time budget, AdvSimplex (10 steps) gets ~3.5% and ~4.7% gains over FARE (clean and robust acc. (AA)).

• Our method does not use additional modules/parameters: the inference time is consistent with other VLMs.

• AdvTetrahedron uses a generalization of our Theorem 3.1 to simplices with more vertices, e.g., tetrahedron ($Q=4$ vertices). Kindly see Resp. 1 to Rev. EyNB for detailed information.

2. Why Weak Adversaries can Robustify? 2b. Clean accuracy gains. 2c. SGA does not use intermediate adv. 2d. Novelty using adv. trajectory.

[a] Set-level Guidance Attack..., Lu et al. (2023), ICCV

[b] Boosting Transferability in Vision-Language Attacks..., Gao et al.(2024), ECCV

• SGA [a] in every ascent step generates few perturbations around intermediate ${\bf v}'$ and continues ascent step from their mean ($\bf\mu\neq v'$). Thus, for the same ${\bf x}$ generated 3 traj. will differ.
• [b] forms triangles between ${\bf x}$ and consecutive 2 intermediate steps ${\bf v}\_i$ and ${\bf v}\_{i+1}$ but does not use noise. But Fig. 1b [b] shows triangles capture multiple trajectory routes.

As gradient ascent uses fixed gradient step and the decision boundary is non-linear, the adversarial path is not a perfect ascent. Intermediate adv. samples:

• may be sometimes stronger than final adv. samples

• enjoy diversity in adversarial directions.
  
  We verify this: weights $\omega\_i$ in Eq. 13 (main paper) for the final-step adversary $m$ is not always more adversarial than intermediate adversary $m-1$:

  $\omega\_m\geq\omega\_{m-1}$	$\omega\_{m-1}\geq\omega\_{m-2}$	$\omega\_{m-2}\geq\omega\_{m-3}$
  83%	79%	73%

Friendly Adversarial Training (ICML'20) notes that weak adv. help obtain robust decision boundary.

Below we also show that simplices from:

• late intermediate steps lead to greater adversarial robustness
• early intermediate steps lead to greater clean accuracy
• mid intermediate steps further boost clean+adversarial accuracy

2b. Early adversaries improve clean acc. as they are more correlated with clean ${\bf x}$ and act as sample augmentation.

2c. To validate Rev. assumption that only final adversaries matter, per ${\bf x}$ we generate 3 adv. paths as SGA (paths differ due to noise injection). We build a simplex only from final adv. points of 3 paths (AdvSimplex-SGA) per ${\bf x}$: this outperforms vanilla SGA but is worse than AdvSimplex.

2d. Our main contribution is "infinite" sampling+alignment but adv. simplex can be generated in many ways (our strategy, SGA-like strategy, etc.) Unlike SGA [a] and [b] we are the first to use adv. simplices from trajectory for robustification.

3. $\gamma$ missing in Eq. 7

See Resp. 1b to Rev. EyNB.

4. Results differ from other papers.

• [Schlarmann, 2024] reports on a sampled subset of ImageNet (5000 samples) on ViT-L in their Table 4

• We report on ViT-B in our Tables 1+2 following TeCoA and PMG settings (Mao, 2023; Wang, 2024)

  To address Rev.'s concern, we extend our Table 3 to ViT-L in Resp. 6 to Rev. srgi.

5. Compare Batch Sizes.

In paper, we use same experimental setup (BS: 512) for TeCoA, PMG, FARE and ours for fairnesss. See Resp. 7 to Rev. srgi

6. Auto-Attack for Each Dataset.

See table in Resp. 8 to Rev. srgi. We can post ViT-L AA in discussions.

7. Extend to image classification.

See Resp. 6 to Rev. td6r

8. Formatting/abstract.

See Resp 1-4 to Rev. srgi

Response to Rev. td6r

Thank you for the constructive feedback. Kindly also note additional Theory/Results in Resp. to Rev. EyNB.

1. Theoretical derivations well-grounded/experiments support claims.

Thank you. We have also a generalization of our Theorem 3.1 to simplices with more vertices, e.g., tetrahedron ($Q=4$ vertices) or pentachoron ($Q=5$ vertices).

Kindly see Resp. 1 to Rev. EyNB for details. Below we provide a list of our extensions.

Let $Q$ be the number of vertices (${\bf z}_1,\ldots,{\bf z}_Q$) for a simplex. The closed-form expression for ${\bf\Sigma}_x$ is given as:

$\mathbb{E}[{\bf pp}^T]=\frac{1}{Q(Q+1)}\bigg[\sum\_{i=1}^Q{\bf z}\_i {\bf z}\_i^T + \Bigl(\sum_{i=1}^Q {\bf z}\_i\Bigr)\Bigl(\sum_{i=1}^Q {\bf z}\_i\Bigr)^T\bigg]$.

Table below shows further gains from our extended theorem:

2. Comparison with [1]

[1] Text-guided attention is all you need for zero-shot robustness in vision-language models, NeurIPS 2024.

TGA-ZSR [1] designs text-guided attention to enhance zero-shot robustness on VLMs. We will cite [1].

Below we evaluate/compare our AdvSimplex with [1] on image-level, text-level, and bi-level adversarial attacks. The average results across 15 datasets are below:

AdvSimplex significantly outperforms other methods.

3. Sensitivity w.r.t. $\lambda$.

• $\lambda$ controls the impact of the upper bound of $\Omega({\bf x})$ when aligning adversarial predictions with clean predictions.
• Figure 4a (main paper) shows that increasing $\lambda$ enhances the adversarial robustness at the cost clean accuracy. Lowering $\lambda$ improves zero-shot clean acc. but reduces adv. robustness.
• Such a trade-off stems from the optimization the natural and boundary risks.

Average results across 15 datasets w.r.t. $\lambda$ are below:

• Uniform weighting: $\omega_i=1/(m-1)$ is const. for all $i=1,\ldots,m-1$.
• Adaptive weighting: as per Eq. 13 (main paper)

In our paper, $\lambda=0.6$ in all experiments.

4. Formatting issue.

We will fix this. It appears tables jumped between pages unintentionally.

5. Trade-off analyses between closed-form vs. sampling.

• In addition to Figure 4b, we present further results (clean accuracy, adv. robust accuracy (AA-Robust Accuracy), training time per epoch):

• Increasing the number of sampling adversaries from simplex yields gains in robustness at the substantial computational cost increase.
• Our closed-form solution effectively balances robustness and computational efficiency, providing competitive clean and robust performance at ~$10\times$ reduced computational cost.

6. Extension to image classification.

In our paper, we also have:

• Vision-text understanding. Table 7 is image-text retrieval (Flickr30k) and image captioning (Nocaps)
• Medical diagnosis. Table 8 shows results on ChestX-ray14, CheXpert and PadChest.

For more results, table below is single-modal image classification built on TRADES with Wide-ResNet-28-10 (CIFAR-10/100):

Response to Rev. EyNB

We thank Rev. for constructive feedback.

1. I checked key proofs...they appear to be correct.

Thank you.

1b. Why $\gamma$ disappears in Eq. 7? (for Rev. XcU1)

• In Eq. 5 & 6, elements after the sum can be written as $(\sqrt{\alpha}+\frac{1}{2}\sqrt{\beta})^2=\alpha+\frac{1}{4}\beta+2\cdot\frac{1}{2}\gamma$ where $\gamma=\sqrt{\alpha\beta}\;,\alpha,\beta\geq 0$.
• Use known inequality $(a+b)^p \le 2^{p-1}(a^p+b^p)$ and set $p=2$ so $(a+b)^2 \le 2^{1}(a^2+b^2)$.
• Substitute the first eq. into the inequality: $(\sqrt{\alpha}+\frac{1}{2}\sqrt{\beta})^2\le 2\alpha +2\cdot\frac{1}{4}\beta=2\alpha +\frac{1}{2}\beta$ and that is why $\gamma$ does not appear in Eq. 7.
• This result corresponds to $\bar{\bar{\Omega}}$ in Eq. 10 which is an upper bound of Eq. 6.
• Note we evaluate in supp. material (C.2) Eq. 9 includes $\gamma$ but is very costly due to operations in $\mathbb{R}^{(wh)^2}$ vs. $\mathbb{R}^{wh}$.

1c. To further showcase our work, below we have additional extensions of Theorem 3.1.

• Theorem 3.1 (extended) can be extended to higher-order simplices, e.g., tetrahedron ($Q=4$ vertices) or pentachoron ($Q=5$ vertices):

  Let $Q$ be the number of vertices (${\bf z}_1,\ldots,{\bf z}_Q$) for a simplex. The closed-form expression for ${\bf\Sigma}_x$ is given as:

  $\mathbb{E}[{\bf pp}^T]=\frac{1}{Q(Q+1)}\bigg[\sum\_{i=1}^Q{\bf z}\_i {\bf z}\_i^T + \Bigl(\sum_{i=1}^Q {\bf z}\_i\Bigr)\Bigl(\sum_{i=1}^Q {\bf z}\_i\Bigr)^T\bigg]$.

  Proof follows steps in paper, e.g., parameterizing ${\bf p}=\sum\_i^Q\alpha_n{\bf z}\_i, \\;\alpha\_i\geq 0,\\; \sum\_i^Q\alpha\_i=1$ and noting that:

  • $\mathbb{E}[\alpha_i] = \frac{1}{Q}$
  • $\mathbb{E}[\alpha_i^2] = \frac{2}{Q(Q+1)}$
  • $\mathbb{E}[\alpha_i\alpha_j] = \frac{1}{Q(Q+1)},\\;i\neq j$

  for the underlying Dirichlet distribution. Then we expand $\mathbb{E}[pp^T]$ where $p p^T = \sum\_{i,j=1}^Q \alpha\_i\alpha\_j {\bf z}\_i{\bf z}\_j^T$.

1d We have also a theoretical extension linking Theorem 3.1 above with the Hessian-vector product (HVP) needed for fast evaluation of Eq. 10.

Evaluating Hessian even with functorch is slow. In our paper, we used HPV which never evaluates Hessian explicitly. HPV computes very fast $({\bf H\_g\cdot v})$ instead.

• To take advantage of it, Theorem 3.1 includes:

  $\mathbb{E}[{\bf p}^T (H\_g\cdot{\bf p})]=\frac{1}{Q(Q+1)}\bigg[\sum\_{i=1}^Q{\bf z}\_i^T(H\_g\cdot{\bf z}\_i) + \Bigl(\sum_{i=1}^Q {\bf z}\_i\Bigr)^T\Bigl(H\_g\cdot\sum_{i=1}^Q {\bf z}\_i\Bigr)\bigg]$.

• Thus, in Eq. 10, we can substitute $\langle {\bf \Sigma}\_x, (H\_g({\bf x}))\_c\rangle^2=\Big(\mathbb{E}[{\bf p}^T ((H\_g({\bf x}))\_c\cdot{\bf p})]\Big)^2$. For a simplex with three vertices (one is $0$), this requires three HPV evaluations.

2. Alternative to Euclidean alignment in Eq. 1.

We replace $\Omega({\bf x})$ in Eq. 1 with a KL-divergence variant integrated with Theorem 3.1. To this end:

• we use a different Taylor expansion $\log g({\bf x}+{\bf\delta}\_x)-\log g({\bf x})\approx J\_{\log (g+\rho)}({\bf x}){\bf\delta}\_x + \frac{1}{2}\bigl[{\bf\delta}\_x^T(H\_{\log (g+\rho)}({\bf x}))\_c\\,{\bf\delta}\_x\bigr]_{c=1}^{C}$ where $\rho=1e^{-5}$ is added for the numberical stability of $\log$.

• then $\Omega\_{KL}({\bf x})=\frac{1}{\kappa}\sum\nolimits\_{{\bf\delta}\_x\in\Delta\_\mathcal{X}} KL\big(g({\bf x}) || g({\bf x}+{\bf\delta}\_x)\big)\approx-\sum\_{c=1}^C (g({\bf x}))\_c\cdot \Big[ \big\langle{\bf\mu}\_x, \mathcal{J}\_{\log (g+\rho)}({\bf x},c) \big\rangle+\frac{1}{2}\big\langle{\bf{\Sigma}}\_x, (H\_{\log (g+\rho)}({\bf x}))\_c \big\rangle \Big]$

  where ${\bf\mu}\_x$ is the analytical mean of simplex, and ${\bf{\Sigma}}\_x$ is from Theorem 3.1.

3. Results for extensions.

In the table above:

• AdvSimplex-KL uses our KL div. $\Omega\_{KL}({\bf x})$ instead of bounds of Euclidean $\Omega({\bf x})$.
• AdvTetrahedron uses our extended Theory 3.1 for tetrahedron ($Q=4$). We take ${\bf x}$ and additional consecutive 3 vertices instead of 2 as in AdvSimplex ($Q=3$).
• AdvSimplex-SGA uses simplex formed from the final 3 adversaries of 3 adversarial paths per sample ${\bf x}$. As SGA perturbs each intermediate adversary by noise, running gradient ascent 3x produces 3 distinct paths.
• SGA (3 adv.): we generate 3 adv. paths as in AdvSimplex-SGA and use the final 3 adversaries directly for robustification.
• SGA (standard): we use the final adversary from a single adv. path for robustification.

SGA:

Set-level Guidance Attack..., ICCV'23.