Saved in:
| Main Authors: | , , , , |
|---|---|
| Format: | Preprint |
| Published: |
2024
|
| Subjects: | |
| Online Access: | https://arxiv.org/abs/2403.12693 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1866911803518222336 |
|---|---|
| author | Hu, Anjun Gu, Jindong Pinto, Francesco Kamnitsas, Konstantinos Torr, Philip |
| author_facet | Hu, Anjun Gu, Jindong Pinto, Francesco Kamnitsas, Konstantinos Torr, Philip |
| contents | Foundation models pre-trained on web-scale vision-language data, such as CLIP, are widely used as cornerstones of powerful machine learning systems. While pre-training offers clear advantages for downstream learning, it also endows downstream models with shared adversarial vulnerabilities that can be easily identified through the open-sourced foundation model. In this work, we expose such vulnerabilities in CLIP's downstream models and show that foundation models can serve as a basis for attacking their downstream systems. In particular, we propose a simple yet effective adversarial attack strategy termed Patch Representation Misalignment (PRM). Solely based on open-sourced CLIP vision encoders, this method produces adversaries that simultaneously fool more than 20 downstream models spanning 4 common vision-language tasks (semantic segmentation, object detection, image captioning and visual question-answering). Our findings highlight the concerning safety risks introduced by the extensive usage of public foundational models in the development of downstream systems, calling for extra caution in these scenarios. |
| format | Preprint |
| id |
arxiv_https___arxiv_org_abs_2403_12693 |
| institution | arXiv |
| publishDate | 2024 |
| record_format | arxiv |
| spellingShingle | As Firm As Their Foundations: Can open-sourced foundation models be used to create adversarial examples for downstream tasks? Hu, Anjun Gu, Jindong Pinto, Francesco Kamnitsas, Konstantinos Torr, Philip Computer Vision and Pattern Recognition Foundation models pre-trained on web-scale vision-language data, such as CLIP, are widely used as cornerstones of powerful machine learning systems. While pre-training offers clear advantages for downstream learning, it also endows downstream models with shared adversarial vulnerabilities that can be easily identified through the open-sourced foundation model. In this work, we expose such vulnerabilities in CLIP's downstream models and show that foundation models can serve as a basis for attacking their downstream systems. In particular, we propose a simple yet effective adversarial attack strategy termed Patch Representation Misalignment (PRM). Solely based on open-sourced CLIP vision encoders, this method produces adversaries that simultaneously fool more than 20 downstream models spanning 4 common vision-language tasks (semantic segmentation, object detection, image captioning and visual question-answering). Our findings highlight the concerning safety risks introduced by the extensive usage of public foundational models in the development of downstream systems, calling for extra caution in these scenarios. |
| title | As Firm As Their Foundations: Can open-sourced foundation models be used to create adversarial examples for downstream tasks? |
| topic | Computer Vision and Pattern Recognition |
| url | https://arxiv.org/abs/2403.12693 |