Robust CLIP: Unsupervised Adversarial Fine-Tuning of Vision Embeddings for Robust Large Vision-Language Models

TL;DR

This paper introduces an unsupervised adversarial fine-tuning method to enhance the robustness of CLIP vision encoders, significantly improving resistance to attacks in large vision-language models without retraining downstream tasks.

Contribution

It presents a novel unsupervised adversarial fine-tuning approach to make CLIP vision encoders robust against adversarial attacks, applicable across various downstream tasks.

Findings

Robust CLIP models resist adversarial attacks effectively.

Stealth attacks become infeasible with the robust CLIP.

No retraining needed for downstream vision-language models.

Abstract

Multi-modal foundation models like OpenFlamingo, LLaVA, and GPT-4 are increasingly used for various real-world tasks. Prior work has shown that these models are highly vulnerable to adversarial attacks on the vision modality. These attacks can be leveraged to spread fake information or defraud users, and thus pose a significant risk, which makes the robustness of large multi-modal foundation models a pressing problem. The CLIP model, or one of its variants, is used as a frozen vision encoder in many large vision-language models (LVLMs), e.g. LLaVA and OpenFlamingo. We propose an unsupervised adversarial fine-tuning scheme to obtain a robust CLIP vision encoder, which yields robustness on all vision down-stream tasks (LVLMs, zero-shot classification) that rely on CLIP. In particular, we show that stealth-attacks on users of LVLMs by a malicious third party providing manipulated images are no longer possible once one replaces the original CLIP model with our robust one. No retraining or fine-tuning of the down-stream LVLMs is required. The code and robust models are available at https://github.com/chs20/RobustVLM