AnyAttack: Self-supervised Generation of Targeted Adversarial Attacks for Vision-Language Models

Despite the proposed method's effectiveness, there are several areas where this paper could see improvements, including the presentation clarity,experiment setting and theoretical analysis:

1. Figure clarity:In Figure 2 pre-training stage, L_pre is used, however this loss is not explained in figure caption or main text. I guess it refer to contrastive loss. Please explain here for clarity.

2. Experiment setting may not fair: The comparsion between SASD-WS not fair. Anyattack are trained on LAION-400M while SASD-WS is trained on the significantly smaller ImageNet dataset. The difference in the scale and diversity of the training datasets likely contributes to the performance gap. The author should conduct necessary experiment to make a fair comparsion.

3. The improved performance seems mostly come from the ensemble-based approach [1]. This reliance on an ensemble approach may reduce the effectiveness of the proposed AnyAttack, as the Bi-loss and cos-loss without the auxillary model does not consistently outperform existing methods. Furthermore, since the incorporation of auxiliary models contributed significantly to the overall performance, the authors should provide a more detailed explanation of this in Section 3.2.1. and disclose the hyperparameters used for the ensemble to improve clarity and soundess.

4. lack of theoretical analysis: the paper does not provide a formal theoretical foundation analysis on proposed method.

[1] Liu, Y., Chen, X., Liu, C., & Song, D. (2017). Delving into transferable adversarial examples and black-box attacks. In 5th International Conference on Learning Representations (ICLR).

1. The paper contains several writing errors. For instance, in Figure 1 (b), “Our AnyAttack” is incorrectly written as “Our AnyAttak”. Additionally, in line 270, “FINE-TUNING STAGE” should not be formulated as a sub-subsection, to maintain consistency with the “Pre-training Stage” in line 236. Furthermore, the l∞ norm constraint should be included under “Implementation Details”, rather than “Metric”.
2. The improvement primarily stems from the simple ensembling of encoders, which lacks technique contribution. Additionally, the variant AnyAttack-Cos appears to underperform compared to the baseline method SASD-WS-Cos in both multi-modal classification and image captioning tasks, failing to demonstrate the superiority of the decoder-based approach over previous methods based on adversarial noise optimization.
3. In section 4.5, the effect of transferability to commercial VLMs is presented only through visualizations, without any quantitative metrics. This lack of quantitative indicators reduces the persuasiveness of the results.

• The overall design of the approach is relatively simple, which raises concerns about its level of innovation.
• Additionally, a fundamental premise of machine learning or deep learning is that the data or information adheres to a fixed distribution, though it could also be a complex combination of multiple distributions. However, I do not believe adversarial noise follows any specific distribution, which makes it doubtful whether a neural network can effectively learn adversarial noise. I would like the authors to clarify the rationale here.
• The fine-tuning process requires an external dataset, which may introduce information leakage, making the test results potentially unfair. Moreover, using an external dataset similar to the test data typically yields better results.
• In the context of adversarial attacks, "transferability" has a specific meaning: adversarial samples generated on a surrogate model should be able to attack a target model directly. It is unclear if the paper’s use of "transferability" aligns with this definition, and there is insufficient experimental evidence supporting this claim.

1. The technical contribution primarily combines existing techniques - contrastive learning and adversarial attacks - without evident innovations. The main novelty appears to be applying these known methods at scale to VLMs. The authors don't justify why their approach works better than existing methods beyond empirical results.

2. For the evaluation of commercial models (Gemini, Sonnet, and Copilot), this paper fails to provide specific success rates, number of attack attempts, or detailed attack configurations for these systems. Moreover, the authors overlooked testing on several leading commercial VLMs like GPT-4V, GPT-4o, and Claude 3 Sonnet, which are widely considered more capable than the tested models.

3. The paper lacks some ablation studies exploring the impact, e.g., the choice of the contrastive loss function, architecture decisions, and the effect of the K-augmentation strategy.