Saved in:
Bibliographic Details
Main Authors: Zhang, Yanzhe, Yu, Tao, Yang, Diyi
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2411.02391
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915302412910592
author Zhang, Yanzhe
Yu, Tao
Yang, Diyi
author_facet Zhang, Yanzhe
Yu, Tao
Yang, Diyi
contents Autonomous agents powered by large vision and language models (VLM) have demonstrated significant potential in completing daily computer tasks, such as browsing the web to book travel and operating desktop software, which requires agents to understand these interfaces. Despite such visual inputs becoming more integrated into agentic applications, what types of risks and attacks exist around them still remain unclear. In this work, we demonstrate that VLM agents can be easily attacked by a set of carefully designed adversarial pop-ups, which human users would typically recognize and ignore. This distraction leads agents to click these pop-ups instead of performing their tasks as usual. Integrating these pop-ups into existing agent testing environments like OSWorld and VisualWebArena leads to an attack success rate (the frequency of the agent clicking the pop-ups) of 86% on average and decreases the task success rate by 47%. Basic defense techniques, such as asking the agent to ignore pop-ups or including an advertisement notice, are ineffective against the attack.
format Preprint
id arxiv_https___arxiv_org_abs_2411_02391
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Attacking Vision-Language Computer Agents via Pop-ups
Zhang, Yanzhe
Yu, Tao
Yang, Diyi
Computation and Language
Autonomous agents powered by large vision and language models (VLM) have demonstrated significant potential in completing daily computer tasks, such as browsing the web to book travel and operating desktop software, which requires agents to understand these interfaces. Despite such visual inputs becoming more integrated into agentic applications, what types of risks and attacks exist around them still remain unclear. In this work, we demonstrate that VLM agents can be easily attacked by a set of carefully designed adversarial pop-ups, which human users would typically recognize and ignore. This distraction leads agents to click these pop-ups instead of performing their tasks as usual. Integrating these pop-ups into existing agent testing environments like OSWorld and VisualWebArena leads to an attack success rate (the frequency of the agent clicking the pop-ups) of 86% on average and decreases the task success rate by 47%. Basic defense techniques, such as asking the agent to ignore pop-ups or including an advertisement notice, are ineffective against the attack.
title Attacking Vision-Language Computer Agents via Pop-ups
topic Computation and Language
url https://arxiv.org/abs/2411.02391