Large vision-language models (VLMs) such as GPT-4 have achieved unprecedented performance in response generation, especially with visual inputs, enabling more creative and adaptable interaction than large language models such as ChatGPT. Nonetheless, multimodal generation exacerbates safety concerns, since adversaries may successfully evade the entire system by subtly manipulating the most vulnerable modality (e.g., vision). To this end, we propose evaluating the robustness of open-source large VLMs in the most realistic and high-risk setting, where adversaries have only black-box system access and seek to deceive the model into returning the targeted responses. In particular, we first craft targeted adversarial examples against pretrained models such as CLIP and BLIP, and then transfer these adversarial examples to other VLMs such as MiniGPT-4, LLaVA, UniDiffuser, BLIP-2, and Img2Prompt. In addition, we observe that black-box queries on these VLMs can further improve the effectiveness of targeted evasion, resulting in a surprisingly high success rate for generating targeted responses. Our findings provide a quantitative understanding regarding the adversarial vulnerability of large VLMs and call for a more thorough examination of their potential security flaws before deployment in practice. Code is at https://github.com/yunqing-me/AttackVLM.