Multimodal Large Language Models (MLLMs) that integrate text and other modalities (especially vision) have achieved unprecedented performance in various multimodal tasks. However, due to the unsolved adversarial robustness problem of vision models, MLLMs can have more severe safety and security risks by introducing the vision inputs. In this work, we study the adversarial robustness of Google's Bard, a competitive chatbot to ChatGPT that released its multimodal capability recently, to better understand the vulnerabilities of commercial MLLMs. By attacking white-box surrogate vision encoders or MLLMs, the generated adversarial examples can mislead Bard to output wrong image descriptions with a 22% success rate based solely on the transferability. We show that the adversarial examples can also attack other MLLMs, e.g., a 26% attack success rate against Bing Chat and a 86% attack success rate against ERNIE bot. Moreover, we identify two defense mechanisms of Bard, including face detection and toxicity detection of images. We design corresponding attacks to evade these defenses, demonstrating that the current defenses of Bard are also vulnerable. We hope this work can deepen our understanding on the robustness of MLLMs and facilitate future research on defenses. Our code is available at https://github.com/thu-ml/Attack-Bard.

翻译：多模态大语言模型（MLLMs）通过整合文本与其他模态（尤其是视觉），在各种多模态任务中取得了前所未有的性能。然而，由于视觉模型尚未解决的对抗鲁棒性问题，引入视觉输入可能使MLLMs面临更严重的安全风险。本研究针对谷歌Bard（一款近期发布多模态功能的ChatGPT竞品聊天机器人）的对抗鲁棒性展开分析，以深化对商业MLLMs脆弱性的理解。通过攻击白盒替代性视觉编码器或MLLMs，仅凭迁移性即可使生成的对抗样本以22%的成功率误导Bard输出错误的图像描述。实验表明，这些对抗样本同样能攻击其他MLLMs，例如对Bing Chat的攻击成功率达26%，对文心一言的攻击成功率达86%。此外，我们识别出Bard的两类防御机制（人脸检测与图像毒性检测），并设计相应攻击以规避这些防御，证明Bard现有防御手段同样存在脆弱性。期望本研究能深化对MLLMs鲁棒性的理解，推动后续防御研究。代码已开源：https://github.com/thu-ml/Attack-Bard。