LAMP: Learning Universal Adversarial Perturbations for Multi-Image Tasks via Pre-trained Models

Multimodal Large Language Models (MLLMs) have achieved remarkable performance across vision-language tasks. Recent advancements allow these models to process multiple images as inputs. However, the vulnerabilities of multi-image MLLMs remain unexplored. Existing adversarial attacks focus on single-image settings and often assume a white-box threat model, which is impractical in many real-world scenarios. This paper introduces LAMP, a black-box method for learning Universal Adversarial Perturbations (UAPs) targeting multi-image MLLMs. LAMP applies an attention-based constraint that prevents the model from effectively aggregating information across images. LAMP also introduces a novel cross-image contagious constraint that forces perturbed tokens to influence clean tokens, spreading adversarial effects without requiring all inputs to be modified. Additionally, an index-attention suppression loss enables a robust position-invariant attack. Experimental results show that LAMP outperforms SOTA baselines and achieves the highest attack success rates across multiple vision-language tasks and models.

Key Contributions

• First adversarial attack explicitly targeting multi-image MLLMs, transferable across models and tasks without requiring knowledge of downstream architectures.
• Attention-based UAP learning via Pompeiu-Hausdorff distance on self-attention weights, keeping the pre-trained MLLM frozen during optimization.
• Novel 'contagious' cross-image objective enabling perturbed visual tokens to infect clean tokens, plus index-attention suppression loss for position-invariant attacks.

🛡️ Threat Analysis

Details

Similar Papers