Adversarial Robustness of Vision in Open Foundation Models

TL;DR

This paper evaluates the adversarial robustness of open foundation vision models, revealing that robustness varies independently of standard performance and highlighting vulnerabilities in current models under attack.

Contribution

It provides the first empirical assessment of adversarial robustness for LLaVA-1.5-13B and Llama 3.2 Vision models using PGD attacks on VQA tasks.

Findings

Llama 3.2 Vision shows smaller accuracy drops under attack than LLaVA.

Adversarial robustness does not directly correlate with standard benchmark accuracy.

Vision models remain vulnerable to adversarial perturbations affecting performance.

Abstract

With the increase in deep learning, it becomes increasingly difficult to understand the model in which AI systems can identify objects. Thus, an adversary could aim to modify an image by adding unseen elements, which will confuse the AI in its recognition of an entity. This paper thus investigates the adversarial robustness of LLaVA-1.5-13B and Meta's Llama 3.2 Vision-8B-2. These are tested for untargeted PGD (Projected Gradient Descent) against the visual input modality, and empirically evaluated on the Visual Question Answering (VQA) v2 dataset subset. The results of these adversarial attacks are then quantified using the standard VQA accuracy metric. This evaluation is then compared with the accuracy degradation (accuracy drop) of LLaVA and Llama 3.2 Vision. A key finding is that Llama 3.2 Vision, despite a lower baseline accuracy in this setup, exhibited a smaller drop in performance under attack compared to LLaVA, particularly at higher perturbation levels. Overall, the findings confirm that the vision modality represents a viable attack vector for degrading the performance of contemporary open-weight VLMs, including Meta's Llama 3.2 Vision. Furthermore, they highlight that adversarial robustness does not necessarily correlate directly with standard benchmark performance and may be influenced by underlying architectural and training factors.