TL;DR
This paper introduces PIP, a novel method that detects adversarial examples in large vision-language models by analyzing attention patterns elicited by irrelevant probe questions, achieving high accuracy and robustness.
Contribution
The paper presents the first approach to detect adversarial attacks on LVLMs using irrelevant probe questions and attention pattern analysis, with high detection performance.
Findings
Achieves over 98% recall in adversarial detection
Maintains high precision (>90%) under black-box attacks
Requires only one additional inference per test case
Abstract
Large Vision-Language Models (LVLMs) have demonstrated their powerful multimodal capabilities. However, they also face serious safety problems, as adversaries can induce robustness issues in LVLMs through the use of well-designed adversarial examples. Therefore, LVLMs are in urgent need of detection tools for adversarial examples to prevent incorrect responses. In this work, we first discover that LVLMs exhibit regular attention patterns for clean images when presented with probe questions. We propose an unconventional method named PIP, which utilizes the attention patterns of one randomly selected irrelevant probe question (e.g., "Is there a clock?") to distinguish adversarial examples from clean examples. Regardless of the image to be tested and its corresponding question, PIP only needs to perform one additional inference of the image to be tested and the probe question, and then…
Taxonomy
Methods: Softmax · Attention Is All You Need · Support Vector Machine
