VQAttack: Transferable Adversarial Attacks on Visual Question Answering via Pre-trained Models

Ziyi Yin; Muchao Ye; Tianrong Zhang; Jiaqi Wang; Han Liu; Jinghui Chen; Ting Wang; Fenglong Ma

doi:10.1609/aaai.v38i7.28499

VQAttack: Transferable Adversarial Attacks on Visual Question Answering via Pre-trained Models

Ziyi Yin, Muchao Ye, Tianrong Zhang, Jiaqi Wang, Han Liu, Jinghui Chen, Ting Wang, Fenglong Ma

College of Information Sciences and Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Scopus citations

Abstract

Visual Question Answering (VQA) is a fundamental task in computer vision and natural language process fields. Although the “pre-training & finetuning” learning paradigm significantly improves the VQA performance, the adversarial robustness of such a learning paradigm has not been explored. In this paper, we delve into a new problem: using a pre-trained multimodal source model to create adversarial image-text pairs and then transferring them to attack the target VQA models. Correspondingly, we propose a novel VQATTACK model, which can iteratively generate both image and text perturbations with the designed modules: the large language model (LLM)-enhanced image attack and the cross-modal joint attack module. At each iteration, the LLM-enhanced image attack module first optimizes the latent representation-based loss to generate feature-level image perturbations. Then it incorporates an LLM to further enhance the image perturbations by optimizing the designed masked answer anti-recovery loss. The cross-modal joint attack module will be triggered at a specific iteration, which updates the image and text perturbations sequentially. Notably, the text perturbation updates are based on both the learned gradients in the word embedding space and word synonym-based substitution. Experimental results on two VQA datasets with five validated models demonstrate the effectiveness of the proposed VQATTACK in the transferable attack setting, compared with state-of-the-art baselines. This work reveals a significant blind spot in the “pre-training & fine-tuning” paradigm on VQA tasks. The source code can be found in the link https://github.com/ericyinyzy/VQAttack.

Original language	English (US)
Title of host publication	Technical Tracks 14
Editors	Michael Wooldridge, Jennifer Dy, Sriraam Natarajan
Publisher	Association for the Advancement of Artificial Intelligence
Pages	6755-6763
Number of pages	9
Edition	7
ISBN (Electronic)	1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 1577358872, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879, 9781577358879
DOIs	https://doi.org/10.1609/aaai.v38i7.28499
State	Published - Mar 25 2024
Event	38th AAAI Conference on Artificial Intelligence, AAAI 2024 - Vancouver, Canada Duration: Feb 20 2024 → Feb 27 2024

Publication series

Name	Proceedings of the AAAI Conference on Artificial Intelligence
Number	7
Volume	38
ISSN (Print)	2159-5399
ISSN (Electronic)	2374-3468

Conference

Conference	38th AAAI Conference on Artificial Intelligence, AAAI 2024
Country/Territory	Canada
City	Vancouver
Period	2/20/24 → 2/27/24

All Science Journal Classification (ASJC) codes

Artificial Intelligence

Access to Document

10.1609/aaai.v38i7.28499

Cite this

Yin, Z., Ye, M., Zhang, T., Wang, J., Liu, H., Chen, J., Wang, T., & Ma, F. (2024). VQAttack: Transferable Adversarial Attacks on Visual Question Answering via Pre-trained Models. In M. Wooldridge, J. Dy, & S. Natarajan (Eds.), Technical Tracks 14 (7 ed., pp. 6755-6763). (Proceedings of the AAAI Conference on Artificial Intelligence; Vol. 38, No. 7). Association for the Advancement of Artificial Intelligence. https://doi.org/10.1609/aaai.v38i7.28499

Yin, Ziyi ; Ye, Muchao ; Zhang, Tianrong et al. / VQAttack : Transferable Adversarial Attacks on Visual Question Answering via Pre-trained Models. Technical Tracks 14. editor / Michael Wooldridge ; Jennifer Dy ; Sriraam Natarajan. 7. ed. Association for the Advancement of Artificial Intelligence, 2024. pp. 6755-6763 (Proceedings of the AAAI Conference on Artificial Intelligence; 7).

@inproceedings{078e8ecdee56444fa117c9761f2854db,

title = "VQAttack: Transferable Adversarial Attacks on Visual Question Answering via Pre-trained Models",

abstract = "Visual Question Answering (VQA) is a fundamental task in computer vision and natural language process fields. Although the “pre-training & finetuning” learning paradigm significantly improves the VQA performance, the adversarial robustness of such a learning paradigm has not been explored. In this paper, we delve into a new problem: using a pre-trained multimodal source model to create adversarial image-text pairs and then transferring them to attack the target VQA models. Correspondingly, we propose a novel VQATTACK model, which can iteratively generate both image and text perturbations with the designed modules: the large language model (LLM)-enhanced image attack and the cross-modal joint attack module. At each iteration, the LLM-enhanced image attack module first optimizes the latent representation-based loss to generate feature-level image perturbations. Then it incorporates an LLM to further enhance the image perturbations by optimizing the designed masked answer anti-recovery loss. The cross-modal joint attack module will be triggered at a specific iteration, which updates the image and text perturbations sequentially. Notably, the text perturbation updates are based on both the learned gradients in the word embedding space and word synonym-based substitution. Experimental results on two VQA datasets with five validated models demonstrate the effectiveness of the proposed VQATTACK in the transferable attack setting, compared with state-of-the-art baselines. This work reveals a significant blind spot in the “pre-training & fine-tuning” paradigm on VQA tasks. The source code can be found in the link https://github.com/ericyinyzy/VQAttack.",

author = "Ziyi Yin and Muchao Ye and Tianrong Zhang and Jiaqi Wang and Han Liu and Jinghui Chen and Ting Wang and Fenglong Ma",

note = "Publisher Copyright: Copyright {\textcopyright} 2024, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.; 38th AAAI Conference on Artificial Intelligence, AAAI 2024 ; Conference date: 20-02-2024 Through 27-02-2024",

year = "2024",

month = mar,

day = "25",

doi = "10.1609/aaai.v38i7.28499",

language = "English (US)",

series = "Proceedings of the AAAI Conference on Artificial Intelligence",

publisher = "Association for the Advancement of Artificial Intelligence",

number = "7",

pages = "6755--6763",

editor = "Michael Wooldridge and Jennifer Dy and Sriraam Natarajan",

booktitle = "Technical Tracks 14",

edition = "7",

}

Yin, Z, Ye, M, Zhang, T, Wang, J, Liu, H, Chen, J, Wang, T & Ma, F 2024, VQAttack: Transferable Adversarial Attacks on Visual Question Answering via Pre-trained Models. in M Wooldridge, J Dy & S Natarajan (eds), Technical Tracks 14. 7 edn, Proceedings of the AAAI Conference on Artificial Intelligence, no. 7, vol. 38, Association for the Advancement of Artificial Intelligence, pp. 6755-6763, 38th AAAI Conference on Artificial Intelligence, AAAI 2024, Vancouver, Canada, 2/20/24. https://doi.org/10.1609/aaai.v38i7.28499

VQAttack: Transferable Adversarial Attacks on Visual Question Answering via Pre-trained Models. / Yin, Ziyi; Ye, Muchao; Zhang, Tianrong et al.
Technical Tracks 14. ed. / Michael Wooldridge; Jennifer Dy; Sriraam Natarajan. 7. ed. Association for the Advancement of Artificial Intelligence, 2024. p. 6755-6763 (Proceedings of the AAAI Conference on Artificial Intelligence; Vol. 38, No. 7).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - VQAttack

T2 - 38th AAAI Conference on Artificial Intelligence, AAAI 2024

AU - Yin, Ziyi

AU - Ye, Muchao

AU - Zhang, Tianrong

AU - Wang, Jiaqi

AU - Liu, Han

AU - Chen, Jinghui

AU - Wang, Ting

AU - Ma, Fenglong

PY - 2024/3/25

Y1 - 2024/3/25

N2 - Visual Question Answering (VQA) is a fundamental task in computer vision and natural language process fields. Although the “pre-training & finetuning” learning paradigm significantly improves the VQA performance, the adversarial robustness of such a learning paradigm has not been explored. In this paper, we delve into a new problem: using a pre-trained multimodal source model to create adversarial image-text pairs and then transferring them to attack the target VQA models. Correspondingly, we propose a novel VQATTACK model, which can iteratively generate both image and text perturbations with the designed modules: the large language model (LLM)-enhanced image attack and the cross-modal joint attack module. At each iteration, the LLM-enhanced image attack module first optimizes the latent representation-based loss to generate feature-level image perturbations. Then it incorporates an LLM to further enhance the image perturbations by optimizing the designed masked answer anti-recovery loss. The cross-modal joint attack module will be triggered at a specific iteration, which updates the image and text perturbations sequentially. Notably, the text perturbation updates are based on both the learned gradients in the word embedding space and word synonym-based substitution. Experimental results on two VQA datasets with five validated models demonstrate the effectiveness of the proposed VQATTACK in the transferable attack setting, compared with state-of-the-art baselines. This work reveals a significant blind spot in the “pre-training & fine-tuning” paradigm on VQA tasks. The source code can be found in the link https://github.com/ericyinyzy/VQAttack.

AB - Visual Question Answering (VQA) is a fundamental task in computer vision and natural language process fields. Although the “pre-training & finetuning” learning paradigm significantly improves the VQA performance, the adversarial robustness of such a learning paradigm has not been explored. In this paper, we delve into a new problem: using a pre-trained multimodal source model to create adversarial image-text pairs and then transferring them to attack the target VQA models. Correspondingly, we propose a novel VQATTACK model, which can iteratively generate both image and text perturbations with the designed modules: the large language model (LLM)-enhanced image attack and the cross-modal joint attack module. At each iteration, the LLM-enhanced image attack module first optimizes the latent representation-based loss to generate feature-level image perturbations. Then it incorporates an LLM to further enhance the image perturbations by optimizing the designed masked answer anti-recovery loss. The cross-modal joint attack module will be triggered at a specific iteration, which updates the image and text perturbations sequentially. Notably, the text perturbation updates are based on both the learned gradients in the word embedding space and word synonym-based substitution. Experimental results on two VQA datasets with five validated models demonstrate the effectiveness of the proposed VQATTACK in the transferable attack setting, compared with state-of-the-art baselines. This work reveals a significant blind spot in the “pre-training & fine-tuning” paradigm on VQA tasks. The source code can be found in the link https://github.com/ericyinyzy/VQAttack.

UR - http://www.scopus.com/inward/record.url?scp=85189521952&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85189521952&partnerID=8YFLogxK

U2 - 10.1609/aaai.v38i7.28499

DO - 10.1609/aaai.v38i7.28499

M3 - Conference contribution

AN - SCOPUS:85189521952

T3 - Proceedings of the AAAI Conference on Artificial Intelligence

SP - 6755

EP - 6763

BT - Technical Tracks 14

A2 - Wooldridge, Michael

A2 - Dy, Jennifer

A2 - Natarajan, Sriraam

PB - Association for the Advancement of Artificial Intelligence

Y2 - 20 February 2024 through 27 February 2024

ER -

Yin Z, Ye M, Zhang T, Wang J, Liu H, Chen J et al. VQAttack: Transferable Adversarial Attacks on Visual Question Answering via Pre-trained Models. In Wooldridge M, Dy J, Natarajan S, editors, Technical Tracks 14. 7 ed. Association for the Advancement of Artificial Intelligence. 2024. p. 6755-6763. (Proceedings of the AAAI Conference on Artificial Intelligence; 7). doi: 10.1609/aaai.v38i7.28499

VQAttack: Transferable Adversarial Attacks on Visual Question Answering via Pre-trained Models

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this