Pay Less Attention to Function Words for Free Robustness of Vision-Language Models

TL;DR

This paper introduces Function-word De-Attention (FDA), a novel method that reduces the vulnerability of vision-language models to adversarial attacks by de-emphasizing function words in cross-modal attention.

Contribution

The paper proposes FDA, a new attention mechanism that improves robustness of VLMs against adversarial attacks while maintaining performance, validated through extensive experiments.

Findings

FDA reduces attack success rate by up to 53% on tested models.

FDA maintains high performance with only 0.2-0.6% accuracy drops.

FDA demonstrates scalability, generalization, and zero-shot robustness.

Abstract

To address the trade-off between robustness and performance for robust VLM, we observe that function words could incur vulnerability of VLMs against cross-modal adversarial attacks, and propose Function-word De-Attention (FDA) accordingly to mitigate the impact of function words. Similar to differential amplifiers, our FDA calculates the original and the function-word cross-attention within attention heads, and differentially subtracts the latter from the former for more aligned and robust VLMs. Comprehensive experiments include 2 SOTA baselines under 6 different attacks on 2 downstream tasks, 3 datasets, and 3 models. Overall, our FDA yields an average 18/13/53% ASR drop with only 0.2/0.3/0.6% performance drops on the 3 tested models on retrieval, and a 90% ASR drop with a 0.3% performance gain on visual grounding. We demonstrate the scalability, generalization, and zero-shot performance of FDA experimentally, as well as in-depth ablation studies and analysis. Code is available at https://github.com/michaeltian108/FDA.