Hiding-in-Plain-Sight (HiPS) Attack on CLIP for Targetted Object Removal from Images

TL;DR

This paper introduces HiPS attacks, a novel method to subtly conceal specific objects in images by modifying model outputs, effectively removing targeted objects from captions without obvious alterations.

Contribution

The paper presents two new HiPS attack variants that can covertly hide objects in images, revealing vulnerabilities in multi-modal models like CLIP and their downstream captioning systems.

Findings

HiPS attacks successfully remove targeted objects from image captions.

The attacks transfer effectively to downstream captioning models.

Subtle modifications can deceive models without noticeable changes.

Abstract

Machine learning models are known to be vulnerable to adversarial attacks, but traditional attacks have mostly focused on single-modalities. With the rise of large multi-modal models (LMMs) like CLIP, which combine vision and language capabilities, new vulnerabilities have emerged. However, prior work in multimodal targeted attacks aim to completely change the model's output to what the adversary wants. In many realistic scenarios, an adversary might seek to make only subtle modifications to the output, so that the changes go unnoticed by downstream models or even by humans. We introduce Hiding-in-Plain-Sight (HiPS) attacks, a novel class of adversarial attacks that subtly modifies model predictions by selectively concealing target object(s), as if the target object was absent from the scene. We propose two HiPS attack variants, HiPS-cls and HiPS-cap, and demonstrate their effectiveness in transferring to downstream image captioning models, such as CLIP-Cap, for targeted object removal from image captions.