Understanding and Enhancing Encoder-based Adversarial Transferability against Large Vision-Language Models

TL;DR

This paper systematically studies the limited transferability of encoder-based adversarial attacks on large vision-language models and proposes a novel semantic-guided attack to improve transferability, revealing security vulnerabilities.

Contribution

It is the first comprehensive analysis of transferability issues in encoder-based attacks on LVLMs and introduces SGMA to enhance attack effectiveness across models.

Findings

Existing attacks have poor transferability across LVLMs.

Discovered causes include inconsistent visual grounding and redundant semantic alignment.

SGMA significantly improves attack transferability.

Abstract

Large vision-language models (LVLMs) have achieved impressive success across multimodal tasks, but their reliance on visual inputs exposes them to significant adversarial threats. Existing encoder-based attacks perturb the input image by optimizing solely on the vision encoder, rather than the entire LVLM, offering a computationally efficient alternative to end-to-end optimization. However, their transferability across different LVLM architectures in realistic black-box scenarios remains poorly understood. To address this gap, we present the first systematic study towards encoder-based adversarial transferability in LVLMs. Our contributions are threefold. First, through large-scale benchmarking over eight diverse LVLMs, we reveal that existing attacks exhibit severely limited transferability. Second, we perform in-depth analysis, disclosing two root causes that hinder the transferability: (1) inconsistent visual grounding across models, where different models focus their attention on distinct regions; (2) redundant semantic alignment within models, where a single object is dispersed across multiple overlapping token representations. Third, we propose Semantic-Guided Multimodal Attack (SGMA), a novel framework to enhance the transferability. Inspired by the discovered causes in our analysis, SGMA directs perturbations toward semantically critical regions and disrupts cross-modal grounding at both global and local levels. Extensive experiments across different victim models and tasks show that SGMA achieves higher transferability than existing attacks. These results expose critical security risks in LVLM deployment and underscore the urgent need for robust multimodal defenses.