Ask, Attend, Attack: An Effective Decision-Based Black-Box Targeted Attack for Image-to-Text Models

Qingyuan Zeng; Zhenzhong Wang; Yiu Ming Cheung; Min Jiang

Ask, Attend, Attack: An Effective Decision-Based Black-Box Targeted Attack for Image-to-Text Models

Qingyuan Zeng, Zhenzhong Wang, Yiu Ming Cheung, Min Jiang^*

^*Corresponding author for this work

Department of Computer Science

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

Abstract

While image-to-text models have demonstrated significant advancements in various vision-language tasks, they remain susceptible to adversarial attacks. Existing white-box attacks on image-to-text models require access to the architecture, gradients, and parameters of the target model, resulting in low practicality. Although the recently proposed gray-box attacks have improved practicality, they suffer from semantic loss during the training process, which limits their targeted attack performance. To advance adversarial attacks of image-to-text models, this paper focuses on a challenging scenario: decision-based black-box targeted attacks where the attackers only have access to the final output text and aim to perform targeted attacks. Specifically, we formulate the decision-based black-box targeted attack as a large-scale optimization problem. To efficiently solve the optimization problem, a three-stage process Ask, Attend, Attack, called AAA, is proposed to coordinate with the solver. Ask guides attackers to create target texts that satisfy the specific semantics. Attend identifies the crucial regions of the image for attacking, thus reducing the search space for the subsequent Attack. Attack uses an evolutionary algorithm to attack the crucial regions, where the attacks are semantically related to the target texts of Ask, thus achieving targeted attacks without semantic loss. Experimental results on transformer-based and CNN+RNN-based image-to-text models confirmed the effectiveness of our proposed AAA.

Original language	English
Title of host publication	38th Conference on Neural Information Processing Systems, NeurIPS 2024
Editors	A. Globerson, L. Mackey, D. Belgrave, A. Fan, U. Paquet, J. Tomczak, C. Zhang
Publisher	Neural Information Processing Systems Foundation
ISBN (Electronic)	9798331314385
Publication status	Published - Dec 2024
Event	38th Conference on Neural Information Processing Systems, NeurIPS 2024 - Vancouver Convention Center , Vancouver, Canada Duration: 9 Dec 2024 → 15 Dec 2024 https://neurips.cc/Conferences/2024 https://openreview.net/group?id=NeurIPS.cc/2024 https://proceedings.neurips.cc/paper_files/paper/2024

Publication series

Name	Advances in Neural Information Processing Systems
Publisher	Neural information processing systems foundation
Volume	37
ISSN (Print)	1049-5258

Name	NeurIPS Proceedings

Conference

Conference	38th Conference on Neural Information Processing Systems, NeurIPS 2024
Country/Territory	Canada
City	Vancouver
Period	9/12/24 → 15/12/24
Internet address	https://neurips.cc/Conferences/2024 https://openreview.net/group?id=NeurIPS.cc/2024 https://proceedings.neurips.cc/paper_files/paper/2024

Access to Document

https://proceedings.neurips.cc/paper_files/paper/2024/file/befcb9fa78d078b6a06cf6f2ecf3a70d-Paper-Conference.pdf

Cite this

Zeng, Q., Wang, Z., Cheung, Y. M., & Jiang, M. (2024). Ask, Attend, Attack: An Effective Decision-Based Black-Box Targeted Attack for Image-to-Text Models. In A. Globerson, L. Mackey, D. Belgrave, A. Fan, U. Paquet, J. Tomczak, & C. Zhang (Eds.), 38th Conference on Neural Information Processing Systems, NeurIPS 2024 (Advances in Neural Information Processing Systems; Vol. 37), (NeurIPS Proceedings). Neural Information Processing Systems Foundation. https://proceedings.neurips.cc/paper_files/paper/2024/file/befcb9fa78d078b6a06cf6f2ecf3a70d-Paper-Conference.pdf

Zeng, Qingyuan ; Wang, Zhenzhong ; Cheung, Yiu Ming et al. / Ask, Attend, Attack: An Effective Decision-Based Black-Box Targeted Attack for Image-to-Text Models. 38th Conference on Neural Information Processing Systems, NeurIPS 2024. editor / A. Globerson ; L. Mackey ; D. Belgrave ; A. Fan ; U. Paquet ; J. Tomczak ; C. Zhang. Neural Information Processing Systems Foundation, 2024. (Advances in Neural Information Processing Systems). (NeurIPS Proceedings).

@inproceedings{78e7eb4b6bae45079091c1ff80c6bed8,

title = "Ask, Attend, Attack: An Effective Decision-Based Black-Box Targeted Attack for Image-to-Text Models",

abstract = "While image-to-text models have demonstrated significant advancements in various vision-language tasks, they remain susceptible to adversarial attacks. Existing white-box attacks on image-to-text models require access to the architecture, gradients, and parameters of the target model, resulting in low practicality. Although the recently proposed gray-box attacks have improved practicality, they suffer from semantic loss during the training process, which limits their targeted attack performance. To advance adversarial attacks of image-to-text models, this paper focuses on a challenging scenario: decision-based black-box targeted attacks where the attackers only have access to the final output text and aim to perform targeted attacks. Specifically, we formulate the decision-based black-box targeted attack as a large-scale optimization problem. To efficiently solve the optimization problem, a three-stage process Ask, Attend, Attack, called AAA, is proposed to coordinate with the solver. Ask guides attackers to create target texts that satisfy the specific semantics. Attend identifies the crucial regions of the image for attacking, thus reducing the search space for the subsequent Attack. Attack uses an evolutionary algorithm to attack the crucial regions, where the attacks are semantically related to the target texts of Ask, thus achieving targeted attacks without semantic loss. Experimental results on transformer-based and CNN+RNN-based image-to-text models confirmed the effectiveness of our proposed AAA.",

author = "Qingyuan Zeng and Zhenzhong Wang and Cheung, {Yiu Ming} and Min Jiang",

note = "This work was supported in part by the National Natural Science Foundation of China under Grant No. 62276222 and the Public Technology Service Platform Project of Xiamen City, Grant No.3502Z20231043. Publisher Copyright: {\textcopyright} 2024 Neural information processing systems foundation. All rights reserved.; 38th Conference on Neural Information Processing Systems, NeurIPS 2024 ; Conference date: 09-12-2024 Through 15-12-2024",

year = "2024",

month = dec,

language = "English",

series = "Advances in Neural Information Processing Systems",

publisher = "Neural Information Processing Systems Foundation",

editor = "A. Globerson and L. Mackey and D. Belgrave and A. Fan and U. Paquet and J. Tomczak and C. Zhang",

booktitle = "38th Conference on Neural Information Processing Systems, NeurIPS 2024",

url = "https://neurips.cc/Conferences/2024, https://openreview.net/group?id=NeurIPS.cc/2024, https://proceedings.neurips.cc/paper_files/paper/2024",

}

Zeng, Q, Wang, Z, Cheung, YM & Jiang, M 2024, Ask, Attend, Attack: An Effective Decision-Based Black-Box Targeted Attack for Image-to-Text Models. in A Globerson, L Mackey, D Belgrave, A Fan, U Paquet, J Tomczak & C Zhang (eds), 38th Conference on Neural Information Processing Systems, NeurIPS 2024. Advances in Neural Information Processing Systems, vol. 37, NeurIPS Proceedings, Neural Information Processing Systems Foundation, 38th Conference on Neural Information Processing Systems, NeurIPS 2024, Vancouver, Canada, 9/12/24. <https://proceedings.neurips.cc/paper_files/paper/2024/file/befcb9fa78d078b6a06cf6f2ecf3a70d-Paper-Conference.pdf>

Ask, Attend, Attack: An Effective Decision-Based Black-Box Targeted Attack for Image-to-Text Models. / Zeng, Qingyuan; Wang, Zhenzhong; Cheung, Yiu Ming et al.
38th Conference on Neural Information Processing Systems, NeurIPS 2024. ed. / A. Globerson; L. Mackey; D. Belgrave; A. Fan; U. Paquet; J. Tomczak; C. Zhang. Neural Information Processing Systems Foundation, 2024. (Advances in Neural Information Processing Systems; Vol. 37), (NeurIPS Proceedings).

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

TY - GEN

T1 - Ask, Attend, Attack: An Effective Decision-Based Black-Box Targeted Attack for Image-to-Text Models

AU - Zeng, Qingyuan

AU - Wang, Zhenzhong

AU - Cheung, Yiu Ming

AU - Jiang, Min

N1 - This work was supported in part by the National Natural Science Foundation of China under Grant No. 62276222 and the Public Technology Service Platform Project of Xiamen City, Grant No.3502Z20231043. Publisher Copyright: © 2024 Neural information processing systems foundation. All rights reserved.

PY - 2024/12

Y1 - 2024/12

N2 - While image-to-text models have demonstrated significant advancements in various vision-language tasks, they remain susceptible to adversarial attacks. Existing white-box attacks on image-to-text models require access to the architecture, gradients, and parameters of the target model, resulting in low practicality. Although the recently proposed gray-box attacks have improved practicality, they suffer from semantic loss during the training process, which limits their targeted attack performance. To advance adversarial attacks of image-to-text models, this paper focuses on a challenging scenario: decision-based black-box targeted attacks where the attackers only have access to the final output text and aim to perform targeted attacks. Specifically, we formulate the decision-based black-box targeted attack as a large-scale optimization problem. To efficiently solve the optimization problem, a three-stage process Ask, Attend, Attack, called AAA, is proposed to coordinate with the solver. Ask guides attackers to create target texts that satisfy the specific semantics. Attend identifies the crucial regions of the image for attacking, thus reducing the search space for the subsequent Attack. Attack uses an evolutionary algorithm to attack the crucial regions, where the attacks are semantically related to the target texts of Ask, thus achieving targeted attacks without semantic loss. Experimental results on transformer-based and CNN+RNN-based image-to-text models confirmed the effectiveness of our proposed AAA.

AB - While image-to-text models have demonstrated significant advancements in various vision-language tasks, they remain susceptible to adversarial attacks. Existing white-box attacks on image-to-text models require access to the architecture, gradients, and parameters of the target model, resulting in low practicality. Although the recently proposed gray-box attacks have improved practicality, they suffer from semantic loss during the training process, which limits their targeted attack performance. To advance adversarial attacks of image-to-text models, this paper focuses on a challenging scenario: decision-based black-box targeted attacks where the attackers only have access to the final output text and aim to perform targeted attacks. Specifically, we formulate the decision-based black-box targeted attack as a large-scale optimization problem. To efficiently solve the optimization problem, a three-stage process Ask, Attend, Attack, called AAA, is proposed to coordinate with the solver. Ask guides attackers to create target texts that satisfy the specific semantics. Attend identifies the crucial regions of the image for attacking, thus reducing the search space for the subsequent Attack. Attack uses an evolutionary algorithm to attack the crucial regions, where the attacks are semantically related to the target texts of Ask, thus achieving targeted attacks without semantic loss. Experimental results on transformer-based and CNN+RNN-based image-to-text models confirmed the effectiveness of our proposed AAA.

UR - https://proceedings.neurips.cc/paper_files/paper/2024/hash/befcb9fa78d078b6a06cf6f2ecf3a70d-Abstract-Conference.html

UR - http://www.scopus.com/inward/record.url?scp=105000496037&partnerID=8YFLogxK

M3 - Conference proceeding

AN - SCOPUS:105000496037

T3 - Advances in Neural Information Processing Systems

BT - 38th Conference on Neural Information Processing Systems, NeurIPS 2024

A2 - Globerson, A.

A2 - Mackey, L.

A2 - Belgrave, D.

A2 - Fan, A.

A2 - Paquet, U.

A2 - Tomczak, J.

A2 - Zhang, C.

PB - Neural Information Processing Systems Foundation

T2 - 38th Conference on Neural Information Processing Systems, NeurIPS 2024

Y2 - 9 December 2024 through 15 December 2024

ER -

Zeng Q, Wang Z, Cheung YM, Jiang M. Ask, Attend, Attack: An Effective Decision-Based Black-Box Targeted Attack for Image-to-Text Models. In Globerson A, Mackey L, Belgrave D, Fan A, Paquet U, Tomczak J, Zhang C, editors, 38th Conference on Neural Information Processing Systems, NeurIPS 2024. Neural Information Processing Systems Foundation. 2024. (Advances in Neural Information Processing Systems). (NeurIPS Proceedings).

Ask, Attend, Attack: An Effective Decision-Based Black-Box Targeted Attack for Image-to-Text Models

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this