Defending Multimodal Fusion Models against Single-Source Adversaries

TL;DR

This paper reveals that multimodal neural networks are vulnerable to adversarial attacks on a single modality, and proposes a robust fusion strategy that detects and mitigates such attacks, significantly improving robustness across various tasks.

Contribution

The paper introduces a novel adversarially robust fusion method that enhances single-source robustness in multimodal models without sacrificing performance on clean data.

Findings

Standard multimodal models are vulnerable to single-source adversarial attacks.

The proposed method improves robustness by detecting and ignoring inconsistent modalities.

Significant performance gains on multiple tasks demonstrate effectiveness.

Abstract

Beyond achieving high performance across many vision tasks, multimodal models are expected to be robust to single-source faults due to the availability of redundant information between modalities. In this paper, we investigate the robustness of multimodal neural networks against worst-case (i.e., adversarial) perturbations on a single modality. We first show that standard multimodal fusion models are vulnerable to single-source adversaries: an attack on any single modality can overcome the correct information from multiple unperturbed modalities and cause the model to fail. This surprising vulnerability holds across diverse multimodal tasks and necessitates a solution. Motivated by this finding, we propose an adversarially robust fusion strategy that trains the model to compare information coming from all the input sources, detect inconsistencies in the perturbed modality compared to the other modalities, and only allow information from the unperturbed modalities to pass through. Our approach significantly improves on state-of-the-art methods in single-source robustness, achieving gains of 7.8-25.2% on action recognition, 19.7-48.2% on object detection, and 1.6-6.7% on sentiment analysis, without degrading performance on unperturbed (i.e., clean) data.