On the Adversarial Robustness of Multi-Modal Foundation Models

TL;DR

This paper demonstrates that imperceivable adversarial attacks on multi-modal foundation models can mislead honest users, highlighting the need for robust defenses against such attacks in deployed systems.

Contribution

The paper reveals a new security vulnerability in multi-modal foundation models caused by imperceivable image attacks affecting output accuracy.

Findings

Imperceivable attacks can alter model captions misleading users.

Malicious content can exploit these attacks to guide users to harmful sites.

Countermeasures are necessary for safe deployment of multi-modal models.

Abstract

Multi-modal foundation models combining vision and language models such as Flamingo or GPT-4 have recently gained enormous interest. Alignment of foundation models is used to prevent models from providing toxic or harmful output. While malicious users have successfully tried to jailbreak foundation models, an equally important question is if honest users could be harmed by malicious third-party content. In this paper we show that imperceivable attacks on images in order to change the caption output of a multi-modal foundation model can be used by malicious content providers to harm honest users e.g. by guiding them to malicious websites or broadcast fake information. This indicates that countermeasures to adversarial attacks should be used by any deployed multi-modal foundation model.