Saved in:
Bibliographic Details
Main Authors: Hu, Anjun, Gu, Jindong, Pinto, Francesco, Kamnitsas, Konstantinos, Torr, Philip
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2403.12693
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866911803518222336
author Hu, Anjun
Gu, Jindong
Pinto, Francesco
Kamnitsas, Konstantinos
Torr, Philip
author_facet Hu, Anjun
Gu, Jindong
Pinto, Francesco
Kamnitsas, Konstantinos
Torr, Philip
contents Foundation models pre-trained on web-scale vision-language data, such as CLIP, are widely used as cornerstones of powerful machine learning systems. While pre-training offers clear advantages for downstream learning, it also endows downstream models with shared adversarial vulnerabilities that can be easily identified through the open-sourced foundation model. In this work, we expose such vulnerabilities in CLIP's downstream models and show that foundation models can serve as a basis for attacking their downstream systems. In particular, we propose a simple yet effective adversarial attack strategy termed Patch Representation Misalignment (PRM). Solely based on open-sourced CLIP vision encoders, this method produces adversaries that simultaneously fool more than 20 downstream models spanning 4 common vision-language tasks (semantic segmentation, object detection, image captioning and visual question-answering). Our findings highlight the concerning safety risks introduced by the extensive usage of public foundational models in the development of downstream systems, calling for extra caution in these scenarios.
format Preprint
id arxiv_https___arxiv_org_abs_2403_12693
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle As Firm As Their Foundations: Can open-sourced foundation models be used to create adversarial examples for downstream tasks?
Hu, Anjun
Gu, Jindong
Pinto, Francesco
Kamnitsas, Konstantinos
Torr, Philip
Computer Vision and Pattern Recognition
Foundation models pre-trained on web-scale vision-language data, such as CLIP, are widely used as cornerstones of powerful machine learning systems. While pre-training offers clear advantages for downstream learning, it also endows downstream models with shared adversarial vulnerabilities that can be easily identified through the open-sourced foundation model. In this work, we expose such vulnerabilities in CLIP's downstream models and show that foundation models can serve as a basis for attacking their downstream systems. In particular, we propose a simple yet effective adversarial attack strategy termed Patch Representation Misalignment (PRM). Solely based on open-sourced CLIP vision encoders, this method produces adversaries that simultaneously fool more than 20 downstream models spanning 4 common vision-language tasks (semantic segmentation, object detection, image captioning and visual question-answering). Our findings highlight the concerning safety risks introduced by the extensive usage of public foundational models in the development of downstream systems, calling for extra caution in these scenarios.
title As Firm As Their Foundations: Can open-sourced foundation models be used to create adversarial examples for downstream tasks?
topic Computer Vision and Pattern Recognition
url https://arxiv.org/abs/2403.12693