Quantifying and Enhancing Multi-modal Robustness with Modality Preference

Thank you for your valuable feedback and insightful comments! We respond to some concerns below:

1. Consider the stronger white-box Auto Attack? It is suggested to add the experiment results about Auto Attack in Section 4.

Thank you for your advice. In our research, we employed the Fast Gradient Method (FGM) and Projected Gradient Descent with $\ell_2$-norm (PGD-$\ell_2$) to assess model robustness. Due to their scalability and effectiveness, these methods can be readily adapted for multi-modal settings, enabling the generation of both uni-modal and multi-modal attacks. However, the Auto Attack, a complex attack method that combines four distinct attacks, is primarily designed for uni-modal models with a single input and output, making its application to multi-modal settings challenging. Meanwhile, there has been a lack of targeted research on conducting these effective attacks with multiple inputs in the past. We have made some attempts during response, but we still cannot well implement Auto Attack for multiple inputs. Meanwhile, we want to explain that, the conducted experiments in the paper cover various attacks (e.g., multi-modal co-attack, missing condition and uni-modal attack), which are mostly considered by the previous work for multi-modal robustness, and the results can be used to validate the method effectiveness. Even so, we will also conduct research on how to build complex attack like Auto Attack, but in the setting of multiple inputs, in future work. Thanks again for such a valuable suggestion!

2. Table 1 only consider single-mode attacks (#a,#v). Is the method proposed in this paper effective when co-attacks (both modality attacks) exist?

Thank you for your comment. In fact, the adversarial results in Table 1 is actually the multi-modal attack, where both of the modalities are perturbed. This multi-modal attack will be more effective than each single-modality attack of the same size. Moreover, we also report results about additional multi-modal attacks. First, we apply the Multi-modal Embedding Attack (MEA) method [1], where the co-attack is designed based on the alteration of the joint representation rather than the prediction. Second, we also apply two multi-modal attack methods, introducing Multi-modal Gaussian Noise (MGN) and randomly Multi-modal Pixel Missing (MPM). These experiments indicate that except for existing multi-modal attacks (FGM, PGD-$\ell_2$), our method can also resist various types of multi-modal attacks.

[1] J. Zhang, Q. Yi, and J. Sang, “Towards adversarial attack on vision- language pre-training models,” in Proceedings of the 30th ACM International Conference on Multimedia, 2022, pp. 5005–5013.

Thank you for your valuable feedback and insightful comments! We respond to some concerns below:

1. Different multi-modal fusion backbones

Thank you for your advice. In our study, we focus on intermediate fusion by employing the widely used MultiModal Transfer Module (MMTM) [1] and conducting experiments on the Kinetic-Sounds dataset. The results from these experiments indicate that our method is well-suited for more multi-modal fusion strategies.

[1] H. R. Vaezi Joze, A. Shaban, M. L. Iuzzolino, and K. Koishida, “Mmtm: Multimodal transfer module for cnn fusion,” in Conference on Computer Vision and Pattern Recognition(CVPR), 2020.

2. Different modalities can employ various backbones

Thank you for pointing it out. We carry out experiments with different backbones on the Kinetic-Sounds dataset, specifically by replacing the audio backbone with a Transformer. The results, detailed in the table below, empirically validate our approach's effectiveness across different backbone architectures.

3. State-of-the-art multi-modal robustness approaches

Thank you for your suggestion. We compare our method with two recently proposed methods; Robust Multi-Task Learning (RMTL) [1] and Uni-Modal Ensemble with Missing Modality Adaptation (UME-MMA) [2]. For RMTL, we apply the idea of multi-task learning to obtain a robust multi-modal model, which includes full-modal tasks, and modality-specific tasks. We apply these attacks on the Kinetic-Sounds dataset and report the result to show the effectiveness of our method.

[1] M. Ma, J. Ren, L. Zhao, D. Testuggine, and X. Peng, “Are multi-modal transformers robust to missing modality?” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022, pp. 18 177–18 186.

[2] S. Li, C. Du, Y. Zhao, Y. Huang, and H. Zhao, “What makes for robust multi-modal models in the face of missing modalities?” arXiv preprint arXiv:2310.06383, 2023.

4. Extended to three modalities? More explanations and experiments are needed.

Thank you for your suggestions. In this study, our analysis discusses the universal situation of two modalities, and can also be extended to the scenario with more than two modalities. To consider more modalities, the key is to introduce the margin of these modalities’s representation. Suppose we have $l$ different modality, the input of the $m$-th modality is $\boldsymbol{x}^{(m)}$, define the representation margin $\zeta_{j}^{(m)}(\boldsymbol{x}^{(m)})$, and the corresponding Lipschitz constant $\tau_j^{(m)}$. Thus, our bound can be extended to the following formulation.

$

\begin{aligned} \min_{\boldsymbol{x}'} \left| \left|\boldsymbol{x} - \boldsymbol{x}'\right| \right|_2 \geq \frac{ \sum _{m=1}^l c_j^{(m)} \zeta_j^{(m)}(\boldsymbol{x}^{(m)}) + \beta_j}{\sqrt{ \sum _{m=1}^l (c_j^{(m)} \tau_j^{(m)})^2 }} \\ where \quad j \neq y \quad s.t. \quad \sum _{m=1}^l c_j^{(m)} \zeta_j^{(m)}(\boldsymbol{x}'^{(m)}) + \beta_j = 0. \end{aligned}

$

Thus, our approach can analyze the robustness of more than two modalities. We conducted experiments on the UCF101 dataset using three modalities: RGB, Optical Flow, and RGB Frame Difference. These experiments were performed both from scratch and with an ImageNet-pretrained ResNet18. The outcomes demonstrate the effectiveness of our method in enhancing multi-modal robustness.

Thank you for your valuable feedback and insightful comments! We respond to some concerns below:

1. Missing implementation details: What are the backbones used in the experiment? Apply to different backbones?

Thank you for your comments.

a. As shown in Section 4.1 in the manuscript, we present that we use the widely used backbone ResNet18 as the uni-modal encoder, for Audio, Vision, and Optical Flow modalities. Then, the uni-modal representation is concatenated to form the multi-modal joint representation. We have updated the experiment section to clarify this setting.

b. We conduct experiments on different backbones, including ResNet34 (Vision, V+Audio, A), and ResNet18 (Vision, V) + Transformer (Audio, A) on the Kinetic-Sounds dataset. These experiments show the improvement and the flexibility of our method across different backbones.

2. The exact role of introducing model-specific weights $a$ is somewhat unclear to me. How will it be used to guide the orthogonal classifier of each modality? Also, it remains unclear to me how the proposed eventually gets the prediction result upon different modalities' classifiers.

Thank you for your comments. The modality-specific weights can help the model identify the importance of each modality. As shown in Equation 8:

$

\begin{aligned} \tilde{h}_k(\boldsymbol{x}) = a_k^{(1)} \tilde{W} _{k\cdot}^{(1)} \phi^{(1)} (\boldsymbol{x}^{(1)}) + a_k^{(2)}\tilde{W} _{k\cdot}^{(2)} \phi^{(2)} (\boldsymbol{x}^{(2)}) + \tilde{b}_k, \end{aligned}

$

The $\tilde{h} _k(\boldsymbol{x})$ denote the logits score of $k$-th class. Since the valuable information between modalities is different, the weight $\boldsymbol{a}^{(m)}$ can lead the model to focus on the more reliable modalities. Integrating these weights can enhance the model's ability to effectively utilize the most valuable information from each modality. And the orthogonal $\tilde{W} _{k\cdot}^{(m)}$ for each modality, is approximated through the weight normalization method [1]. After we obtain the classifier, we can further get the logits score using the equation above and further obtain the prediction result. We have improved our presentation in Section 3.4 to explain the design more precisely.

[1] L. Huang, X. Liu, B. Lang, A. Yu, Y. Wang, and B. Li, “Orthogonal weight normalization: Solution to optimization over multiple dependent stiefel manifolds in deep neural networks,” in Proceedings of the AAAI Conference on Artificial Intelligence, vol. 32, no. 1, 2018.

3. Evidences that back-up the theoretical results, such as plotting the vulnerability indicator (eta) values, and visualizing the perturbation radius over modalities.

Thank you for your suggestions. As shown in Figure 3 in the manuscript, we demonstrate how the ratio of the vulnerability indicator ($\eta$) varies in our method. As shown in Figure 3(a), in AT method, there is also a large imbalance on vulnerable indicators, which is alleviated by our proposed CRMT method. Furthermore, to clearly explain this phenomenon, in revised Section B.4.1, we provide the heat map of the indicator $\eta$ to represent the robustness of each uni-modality, where the smaller indicator means the modality is more robust. Meanwhile, we also provide the uni-modal perturbation radius to further verify this modality preference, where we list the percentage of safe samples that can always resist this size of perturbation. It can be seen that in the Kinetic-Sounds dataset, the audio modality is definitely more vulnerable than the vision modality, thus explaining the phenomenon in Figure 1 in the manuscript.

4. Apply method to multiple modalities larger than 2.

Thank you for your suggestion. We apply the experiments on UCF101 with three modalities (RGB, Optical Flow (OF), and RGB Frame Difference (FD)), with two training strategies, training from scratch and with ImageNet-pretrained ResNet18. The following results show that our method can be well extended to multiple modalities.

5. The selection criterion in choosing datasets for the experiment.

In this study, we analyze the robustness through the perturbation radius, where the perturbation inside this radius can be always defended. Hence, our methods have no special requirements for certain modalities. Following previous studies in multi-modal learning [1,2], we apply the universally used Kinetic-Sounds, UCF101, and VGG-Sounds datasets. Our method can also extend to more modalities like the text to enhance the robustness.

[1] J. Chen and C. M. Ho, “Mm-vit: Multi-modal video transformer for compressed video action recognition,” in Proceedings of the IEEE/CVF winter conference on applications of computer vision, 2022, pp. 1910–1921.

[2] X. Peng, Y. Wei, A. Deng, D. Wang, and D. Hu, “Balanced multimodal learning via on-the-fly gradient modulation,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022, pp. 8238–8247.

6. Are the provided theoretical results applicable to vision-text data? Any empirical evidence?

Thank you for your suggestion. We apply experiments on a vision-text dataset Food101, which inputs an image-text pair for classification. We employ a Vision Transformer (ViT) as our image encoder and BERT as our text encoder, subsequently concatenating their outputs to achieve a unified joint representation. To evaluate robustness, we apply multiple attacks including modality missing and descent-based attacks (FGM and PGD-$\ell_2$). It is important to note that attacks like the Fast Gradient Method (FGM) and Projected Gradient Descent with $\ell_2$ norm (PGD-$\ell_2$) are typically applied to continuous data. Given that text represents discontinuous data, we focus on implementing these attack methods on the image modality. Our results reveal that the text modality is more critical than the image modality, as its absence significantly impacts model performance. Concentrating on the $\ell_2$-norm, we achieve enhanced robustness under both FGM and PGD-$\ell_2$ attacks. Our method demonstrates a notable performance increase in scenarios where text is absent, though there is a slight decline in performance when the image modality is missing. This could be attributed to the huge performance difference among text and image. This is a very interesting and challenging issue in building a robust model for both modalities, which we will focus on in the upcoming work. Thanks again for such a valuable suggestion!

7. Could the proposed method be incorporated into the pretrained multi-modal model (e.g., CLIP or BLIP)?

CLIP and BLIP stand out as highly effective multi-modal models, with their robustness gaining considerable attention in recent studies. Notably, the CLIP models also prefer certain modalities, such as text [1]. Hence, it is expected to first analyze the potential influence of such preference within CLIP with our proposed approach. However, there is a slight difference in that CLIP (also BLIP) employs contrastive loss across modalities instead of discriminative learning over joint representation. In future work, we will attempt to theoretically analyze the potential influence of this, thanks again for the precious suggestion, which undoubtedly helps to improve the potential value of this work.

[1] Z. Liu, C. Xiong, Y. Lv, Z. Liu, and G. Yu, “Universal vision-language dense retrieval: Learning a unified representation space for multi-modal retrieval,” in The Eleventh International Conference on Learning Representations, 2022.

Thanks for your valuable feedback and insightful comments! We respond to some concerns below:

1. Transformer adopted training from scratch and did not consider any pretraining strategies.

Thank you for your advice on our work. To validate it, we conduct experiments using the ImageNet-pretrained Transformer on the Kinetic-Sounds dataset. Experimental results demonstrate that our method can also perform well with pretraining.

2. How does the method generalize to other fusion mechanisms, besides late fusion.

Thank you for your comments. In this manuscript, our analysis mainly focuses on the representative fusion strategy, late fusion, which is widely used in multi-modal research [1,2]. Meanwhile, our method are adaptable to other fusion mechanisms, where the modality-specific representations could interact earlier in the process. Previously, we defined the margin as $\zeta^{(m)}_j(\boldsymbol{x}^{(m)})$, where $j$ is the nearest class to calculate the margin, and the margin is only determined by uni-modal input $\boldsymbol{x}^{(m)}$. To adapt our method for these scenarios including intermediate fusion, we can redefine the representation margin as $\zeta^{(m)}_j(\boldsymbol{x}^{(1)}, \boldsymbol{x}^{(2)})$, indicating that both modalities' input influence the margin. This modification allows us to extend the framework to measure multi-modal perturbations in a more integrated manner. Additionally, we can adapt the definition of the Lipschitz constant in our theoretical analysis here to measure how the multi-modal perturbation influences the margin:

$

\begin{aligned} |\zeta_j^{(m)}(\boldsymbol{x}^{(1)}, \boldsymbol{x}^{(2)}) - \zeta_j^{(m)}(\boldsymbol{x}'^{(1)}, \boldsymbol{x}'^{(2)})| \le \tau_j^{(m1)}\left|\left| \boldsymbol{x}^{(1)} - \boldsymbol{x}'^{(1)} \right|\right|_2 + \tau_j^{(m2)}\left|\left| \boldsymbol{x}^{(2)} - \boldsymbol{x}'^{(2)} \right| \right|_2 \end{aligned}

$

where $\tau_j^{(m1)}$ represents the Lipschitz constant of modality $m$ from modality $1$. This constant can reflect how the alteration in modality $1$ influences the margin in modality $m$. Then following the proof in the manuscript, we can observe that:

$

\begin{aligned} c_j^{(1)} |\zeta_{j}^{(1)}(\boldsymbol{x}^{(1)}, \boldsymbol{x}^{(2)}) - \zeta_{j}^{(1)}(\boldsymbol{x}'^{(1)}, \boldsymbol{x}'^{(2)})|+ c_j^{(2)} |\zeta_{j}^{(2)}(\boldsymbol{x}^{(1)}, \boldsymbol{x}^{(2)}) - \zeta_{j}^{(2)}(\boldsymbol{x}'^{(1)}, \boldsymbol{x}'^{(2)})| \\ \leq (c_j^{(1)} \tau_j^{(11)} + c_j^{(2)} \tau_j^{(21)})\left|\left|\boldsymbol{x}^{(1)} - \boldsymbol{x}'^{(1)}\right|\right|_2 + (c_j^{(1)} \tau_j^{(12)} + c_j^{(2)} \tau_j^{(22)})\left|\left|\boldsymbol{x}^{(2)} - \boldsymbol{x}'^{(2)}\right|\right|_2 . \end{aligned}

$

Thus, we can obtain the perturbation bound in this setting:

$

\begin{aligned} & \min_{\boldsymbol{x}'} \left|\left|\boldsymbol{x} - \boldsymbol{x}'\right|\right|_2 \geq \frac{c_j^{(1)} \zeta_j^{(1)}(\boldsymbol{x}^{(1)}, \boldsymbol{x}^{(2)}) + c_j^{(2)} \zeta_j^{(2)}(\boldsymbol{x}^{(1)}, \boldsymbol{x}^{(2)})+ \beta_j}{\sqrt{(c_j^{(1)} \tau_j^{(11)} + c_j^{(2)} \tau_j^{(21)})^2 +(c_j^{(1)} \tau_j^{(12)} + c_j^{(2)} \tau_j^{(22)})^2 }} \\ whe&re \quad j \neq y \quad s.t. \quad c_j^{(1)} \zeta_j^{(1)}(\boldsymbol{x}'^{(1)}, \boldsymbol{x}'^{(2)}) + c_j^{(2)} \zeta_j^{(2)}(\boldsymbol{x}'^{(1)}, \boldsymbol{x}'^{(2)}) + \beta_j = 0. \end{aligned}

$

The idea of the proof is similar to the one in Section A.1 in the Appendix.

Additionally, we present an experiment where our method is applied to intermediate fusion using the widely adopted MultiModal Transfer Module (MMTM) [3] on the Kinetic-Sounds dataset. The results demonstrate that our approach can enhance the robustness of intermediate fusion mechanisms.

[1] Y. Huang, J. Lin, C. Zhou, H. Yang, and L. Huang, “Modality competition: What makes joint training of multi-modal network fail in deep learning?(provably),” arXiv preprint arXiv:2203.12221, 2022.

[2] Y. Huang, C. Du, Z. Xue, X. Chen, H. Zhao, and L. Huang, “What makes multi-modal learning better than single (provably),” Advances in Neural Information Processing Systems, vol. 34, 2021.

[3] H. R. Vaezi Joze, A. Shaban, M. L. Iuzzolino, and K. Koishida, “Mmtm: Multimodal transfer module for cnn fusion,” in Conference on Computer Vision and Pattern Recognition (CVPR), 2020.