Sparse vs Contiguous Adversarial Pixel Perturbations in Multimodal Models: An Empirical Analysis

TL;DR

This paper empirically evaluates the robustness of multimodal models against sparse and contiguous pixel perturbations, revealing that unimodal models are more resilient and CNN-based encoders are more vulnerable than ViT-based ones.

Contribution

First to assess the robustness of three state-of-the-art multimodal models against various sparse and contiguous pixel perturbations.

Findings

Unimodal DNNs are more robust than multimodal models.

CNN-based Image Encoders are more vulnerable than ViT-based encoders.

Achieved 99% attack success rate with less than 0.02% pixel perturbation.

Abstract

Assessing the robustness of multimodal models against adversarial examples is an important aspect for the safety of its users. We craft L0-norm perturbation attacks on the preprocessed input images. We launch them in a black-box setup against four multimodal models and two unimodal DNNs, considering both targeted and untargeted misclassification. Our attacks target less than 0.04% of perturbed image area and integrate different spatial positioning of perturbed pixels: sparse positioning and pixels arranged in different contiguous shapes (row, column, diagonal, and patch). To the best of our knowledge, we are the first to assess the robustness of three state-of-the-art multimodal models (ALIGN, AltCLIP, GroupViT) against different sparse and contiguous pixel distribution perturbations. The obtained results indicate that unimodal DNNs are more robust than multimodal models. Furthermore, models using CNN-based Image Encoder are more vulnerable than models with ViT - for untargeted attacks, we obtain a 99% success rate by perturbing less than 0.02% of the image area.