Hidden Logos in Web-Scale Data Disrupt Large Vision Language Models

• The evaluation is limited to CLIP models. However, there exist multiple other VLMs, e.g., Llava, BLIP-2, LLama 3, etc. Other models should also be evaluated to support the hypothesis and findings that large-scale VLMs contain such spurious correlations between logos. Currently, this hypothesis is only empirically proofed for CLIP models, which are trained in a contrastive way. Other training methods might not lead to the same spurious correlations.
• The evaluation only uses a single metric (success rate of label swap). However, using relative metrics would provide more fine-grained insights into the biasing effect. For example, even if a logo does not change the predicted label, it might still sharply increase the model's confidence in the correlated class. Moreover, from an adversarial perspective, the label flip rate, counting the share of correct predictions that are corrupted by the logo, would be an interesting metric. Maybe check out metrics like the Relative Bias introduced by [4], which might be adjusted to this paper's setting and offer a more fine-grained evaluation.
• While phrasing spurious correlations from an adversarial perspective is intriguing, the paper should be better placed in the domain of adversarial attacks against ML systems, particularly in the context of backdoor attacks [2] and adversarial patches [3], since both concepts are closely related. Research in adversarial ML could also motivate additional evaluation metrics, such as label flipping rate, confidence reduction (untargeted adv. examples), etc.
• The paper explores no origins of this phenomenon. It would be interesting to see how, e.g., logos of sports clubs are represented in the training data to understand where their spurious correlations originate from. Probably, there is the tendency that certain logos are primarily placed with positive/negative captions.
• Overall, the contributions of the paper are limited. The effect of the spurious correlations between logos and unrelated concepts is intriguing, but the paper only provides a limited empirical evaluation of this phenomenon (see previous weaknesses). The paper introduces no novel general insights into the topic of spurious correlations (novel metrics, general mitigation methods, exploration of the origins, etc.), limiting its impact on this line of research.

Marginal Weaknesses / Opportunities to Improve

• Formally introduce the abbreviation VLM once. It already appears in the abstract, but once explicitly written, "Vision-Language Models (VLM)" would be clearer to the reader. Also, once introduced, use it consistently. In L116f, the paper again uses vision-language models as a term instead of its abbreviation.
• P in Eq. 2 should be defined once. It probably stands for the probability, but it is not entirely clear to me what exactly is measured here. Is it the average number of cases in which the model assigns the highest confidence to concept T (hard label prediction), or does the equation compare the average softmax probability scores for this concept?
• Instead of using line plots, bar charts would be a better visual representation given that there are only two points on the x-axis.

[2] Gu et al., BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain, Preprint (but highly cited) [3] Brown et al., Adversarial Patch. NeurIPS 2017 [4] Struppek et al., Exploiting Cultural Biases via Homoglyphs in Text-to-Image Synthesis, JAIR 2023

Overall, I like the general direction of the paper and think there is much potential about it. So I encourage the author's to keep up their research, extend the experiments and metrics, and to put more efforts into exploring the reasons behind this phenomenon.

• Studying spurious correlations is important, but the paper fails to motivate the problem for VLMs.
• Lack of comprehensive ablations: The paper makes several design choices: logo-placement on borders, cropping logos, masking (thus introducing an empty patch), choosing top patches, using CLIP to evaluate. All such choices might be painting a picture that might need take careful curation.
• No limitations section.
• Though this study is a preliminary exploration into this area, directions on how to pursue it further would be appreciated. For example, how to detect and prevent spurious logo correlations when the attacker is a non-expert, in case of melding a logo into the image, such as milk cartons with chinese characters. Another area to give directions could be suggestions to training more robust VLMs instead of evading logos, as some logos and their occurrence is indeed informative (e.g., ISO standards, hallmarks, USDA organic).

Originality

Q1: Novelty compared with prior works.

Generally speaking, this paper studies a specific instance of logo-based spurious correlations. As Section 2 discussed, there are prior works studying other specific instances of shortcuts, such as the Chinese watermark. The main justification is that "their technique requires a prior knowledge of the nature of possible spurious correlations" and that this paper "develops a semi-automatic process for uncovering spurious logos". The argument here can be improved. It's unclear to me what kind of "prior knowledge" is required by the prior work. Isn't knowing that logos can be one of the shortcuts also a prior knowledge?

Quality

Q2: False positives in the proposed dataset.

In Section 3.1.1, the proposed dataset is created by setting the noise level (i.e., FPR, if I understand correctly) at 2%. It would be necessary and interesting to show some examples of such FPRs. More importantly, it seems that such FPs are not removed from the dataset. Does this mean the dataset contains 2% of data that is technically not spurious logos? If so, how would you eliminate it or justify the impact on future evaluations?

Q3: The mitigation strategy is not robust and holds strong assumptions of the attacker.

The cropping technique has several assumptions of the attacker: the logo is only added once to one of the four corners, the logo has a small size that will not appear in most of the crops, etc. Since the attacker can easily attach the logo to all four corners and the center, with different sizes, it would be hard for this technique to mitigate. I'm not very confident in this technique, given that cropping-based defense in the adversarial ML literature has been proven ineffective for a long time. Although the notion of adversarial noise does not apply to the threat model here, the fact that the attacker can arbitrarily transform (e.g., rescale, rotate, etc.) was not considered. Such transformations are potential evasion strategies of the proposed defense, including the masking one. Generally speaking, for a defense to be recognized as effective (or robust), a reasonable amount of effort is needed to show that it's hard for the attacker to evade the defense.

Another point missing (and worth discussing) is how the generic problem of shortcuts is mitigated in prior works. It would be interesting to see if there are any prior inference-time techniques that can be used for the logo setting.

Q4: The study of logo-based spurious correlation as an attack can be deeper.

This is a minor point, but I am slightly concerned that the current study of putting the logo at a few positions with a fixed size is ad-hoc and could not fully explore the potential of logo-based shortcuts. Thinking about the attack's perspective, the attacker can essentially put the logo at any location, any size, and any angle. This leads to the notion of a logo's robustness regarding the shortcut. This is somewhat similar to the "spuriousity metric" used in the paper, but the latter is unclear (see clarity) and only averaged over different data. Note that I'm not saying the study of logo-based shortcuts is insufficient; the evaluation is interesting, but framing it as an attack would need a deeper investigation.

Clarity

Q5: Regarding the spuriousity metric

In L213-215, it's unclear how the "prediction rate of T" is computed -- what is the definition of $P(M(\cdot))$? I think the root problem here is that the output space of $M$ is not defined.

Q6: Misc

• L195, "noise level" may be confusing, a better term is FPR is I understand correctly.
• It seems that the last row in Figure 7 does not work. All logos have the same effect as the no-logo baseline.

Significance

As mentioned above, I'm positive about the study's impact, but its current form may not be as impactful when fitting into the attack & defense perspective.

• Limited Scope of Logos: While the study covers a range of logos, it primarily focuses on logos that are pasted onto images. This approach may overlook more complex scenarios where logos are naturally integrated into the visual context, potentially limiting the generalizability of the findings.
• Why the three scenarios: The authors consider three scenarios, i.e., content moderation, general purpose classification, and negative adjective association. Why consider these three scenarios? Are there containing other potential scenarios?
• Potential Dataset Bias: While I appreciate that the authors have included multiple datasets for evaluation, I am concerned about the potential overlap between these datasets and the VLM model's training data. If these datasets were part of the model’s training, how might this affect the reported results? And what if not? It would be beneficial if the authors could explore this point in greater depth.
• Dynamic Nature of Logos: The paper acknowledges that the associations between logos and visual concepts can change over time due to evolving marketing campaigns and public perceptions. However, it does not propose a method to address this dynamic nature, which could affect the long-term applicability of the findings.