AdvCLIP: Downstream-agnostic Adversarial Examples in Multimodal Contrastive Learning

TL;DR

AdvCLIP introduces a novel universal adversarial attack framework targeting cross-modal contrastive models like CLIP, demonstrating effective cross-task attacks and highlighting the need for new defenses.

Contribution

This work presents the first downstream-agnostic adversarial attack framework for multimodal contrastive models, utilizing a topology-based generative network to generate universal adversarial patches.

Findings

AdvCLIP achieves high attack success across multiple datasets and tasks.

The attack significantly reduces the similarity scores in feature space.

Existing defenses are insufficient against AdvCLIP, indicating a need for new methods.

Abstract

Multimodal contrastive learning aims to train a general-purpose feature extractor, such as CLIP, on vast amounts of raw, unlabeled paired image-text data. This can greatly benefit various complex downstream tasks, including cross-modal image-text retrieval and image classification. Despite its promising prospect, the security issue of cross-modal pre-trained encoder has not been fully explored yet, especially when the pre-trained encoder is publicly available for commercial use. In this work, we propose AdvCLIP, the first attack framework for generating downstream-agnostic adversarial examples based on cross-modal pre-trained encoders. AdvCLIP aims to construct a universal adversarial patch for a set of natural images that can fool all the downstream tasks inheriting the victim cross-modal pre-trained encoder. To address the challenges of heterogeneity between different modalities and unknown downstream tasks, we first build a topological graph structure to capture the relevant positions between target samples and their neighbors. Then, we design a topology-deviation based generative adversarial network to generate a universal adversarial patch. By adding the patch to images, we minimize their embeddings similarity to different modality and perturb the sample distribution in the feature space, achieving unviersal non-targeted attacks. Our results demonstrate the excellent attack performance of AdvCLIP on two types of downstream tasks across eight datasets. We also tailor three popular defenses to mitigate AdvCLIP, highlighting the need for new defense mechanisms to defend cross-modal pre-trained encoders.