TL;DR
ATAC is a simple, efficient test-time defense method that improves CLIP's robustness against adversarial attacks by correcting embedding drift using augmentation-induced vectors, outperforming previous methods.
Contribution
Proposes ATAC, a novel augmentation-based test-time correction method operating in CLIP's embedding space, significantly enhancing adversarial robustness with minimal computational cost.
Findings
ATAC surpasses state-of-the-art robustness by nearly 50% on average.
It maintains high robustness in extreme and adaptive attack scenarios.
The method requires minimal additional computation.
Abstract
Despite its remarkable success in zero-shot image-text matching, CLIP remains highly vulnerable to adversarial perturbations on images. As adversarial fine-tuning is prohibitively costly, recent works explore various test-time defense strategies; however, these approaches still exhibit limited robustness. In this work, we revisit this problem and propose a simple yet effective strategy: Augmentation-based Test-time Adversarial Correction (ATAC). Our method operates directly in the embedding space of CLIP, calculating augmentation-induced drift vectors to infer a semantic recovery direction and correcting the embedding based on the angular consistency of these latent drifts. Across a wide range of benchmarks, ATAC consistently achieves remarkably high robustness, surpassing that of previous state-of-the-art methods by nearly 50% on average, all while requiring minimal computational…
