attack 2026

Adversarial attacks against Modern Vision-Language Models

Alejandro Paredes La Torre

0 citations


Published on arXiv: 2603.16960

Input Manipulation Attack (OWASP ML Top 10 — ML01)

Prompt Injection (OWASP LLM Top 10 — LLM01)

Key Finding

BIM, PGD, and CLIP-based spectral attacks achieve 52.6%, 53.8%, and 66.9% success rates against LLaVA-v1.5-7B, but only 6.5%, 7.7%, and 15.5% against Qwen2.5-VL-7B


We study adversarial robustness of open-source vision-language model (VLM) agents deployed in a self-contained e-commerce environment built to simulate realistic pre-deployment conditions. We evaluate two agents, LLaVA-v1.5-7B and Qwen2.5-VL-7B, under three gradient-based attacks: the Basic Iterative Method (BIM), Projected Gradient Descent (PGD), and a CLIP-based spectral attack. Against LLaVA, all three attacks achieve substantial attack success rates (52.6%, 53.8%, and 66.9% respectively), demonstrating that simple gradient-based methods pose a practical threat to open-source VLM agents. Qwen2.5-VL proves significantly more robust across all attacks (6.5%, 7.7%, and 15.5%), suggesting meaningful architectural differences in adversarial resilience between open-source VLM families. These findings have direct implications for the security evaluation of VLM agents prior to commercial deployment.


Key Contributions

  • First adversarial robustness evaluation of open-source VLM agents in realistic e-commerce deployment simulation
  • Demonstrates significant vulnerability gap between LLaVA (52-67% attack success) and Qwen2.5-VL (6-15% attack success)
  • Shows simple gradient-based attacks pose practical threats to VLM agent deployment

🛡️ Threat Analysis

Input Manipulation Attack

Perturbs the image input of a VLM agent at inference time with gradient-based adversarial attacks (BIM, PGD, and a CLIP-based spectral attack) so that the agent produces an incorrect output. The threat tags on this page are white-box, digital and inference-time: the attacker computes gradients through the open-weight model (the spectral attack is driven by CLIP) and feeds the perturbed pixels straight to the agent, so the reported success rates say nothing about black-box or physical-world attackers. The gap between the two evaluated families (52.6% to 66.9% against LLaVA-v1.5-7B versus 6.5% to 15.5% against Qwen2.5-VL-7B) means adversarial robustness has to be measured per model before deployment rather than assumed for VLM agents as a class.
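The two iterative attacks named above, as an added example that is not code from the paper or its authors. BIM and PGD are implemented here against a constructed 3-class linear softmax classifier over 6-pixel "images" so that the whole thing runs offline in pure Python with analytic gradients; the victim weights, the L-inf budget eps, the step size alpha, the iteration count, the seed and the sample images are all assumptions, and the attack success rate is computed over clean-correct inputs only, which is this example's own convention rather than a definition taken from the paper. The CLIP-based spectral attack is not reproduced because the page gives no details of it.

```python
"""Toy BIM / PGD L-inf attacks against a hand-built linear classifier.

Added illustration, not code from the paper. Everything below (weights,
eps, alpha, step count, sample images) is a constructed assumption.
"""
import math
import random

# Constructed victim: class k reads only pixels 2k and 2k+1 of a 2x3 "image".
W = [
    [1.5, 0.5, 0.0, 0.0, 0.0, 0.0],  # class 0
    [0.0, 0.0, 1.0, 1.0, 0.0, 0.0],  # class 1
    [0.0, 0.0, 0.0, 0.0, 0.5, 1.5],  # class 2
]


def logits(x):
    return [sum(w * xi for w, xi in zip(row, x)) for row in W]


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def predict(x):
    z = logits(x)
    return max(range(len(z)), key=z.__getitem__)


def loss_and_grad(x, y):
    """Cross-entropy of the true class y and its gradient w.r.t. the input.

    For a softmax classifier dL/dz_k = p_k - [k == y], so through z = W x
    dL/dx = sum_k (p_k - [k == y]) * W[k].
    """
    p = softmax(logits(x))
    loss = -math.log(max(p[y], 1e-12))
    grad = [0.0] * len(x)
    for k, row in enumerate(W):
        coeff = p[k] - (1.0 if k == y else 0.0)
        for i, w in enumerate(row):
            grad[i] += coeff * w
    return loss, grad


def project(x_adv, x_orig, eps):
    """Clamp every pixel into the L-inf ball of radius eps around x_orig
    and into the valid pixel range [0, 1]."""
    return [min(max(xa, xo - eps, 0.0), xo + eps, 1.0)
            for xa, xo in zip(x_adv, x_orig)]


def sign(v):
    return (v > 0) - (v < 0)


def iterative_linf_attack(x, y, eps, alpha, steps, rng=None):
    """Untargeted L-inf attack. rng=None gives BIM (start at the clean
    input); a random.Random gives PGD (uniform random start in the eps ball).
    Each step ascends the loss along the gradient sign, then projects."""
    x_adv = list(x)
    if rng is not None:
        x_adv = project([xi + rng.uniform(-eps, eps) for xi in x], x, eps)
    for _ in range(steps):
        _, g = loss_and_grad(x_adv, y)
        x_adv = [xa + alpha * sign(gi) for xa, gi in zip(x_adv, g)]
        x_adv = project(x_adv, x, eps)
    return x_adv


def bim(x, y, eps=0.1, alpha=0.02, steps=20):
    return iterative_linf_attack(x, y, eps, alpha, steps)


def pgd(x, y, eps=0.1, alpha=0.02, steps=20, seed=0):
    return iterative_linf_attack(x, y, eps, alpha, steps, random.Random(seed))


def linf_distance(x, x_adv):
    return max(abs(a - b) for a, b in zip(x, x_adv))


def attack_success_rate(attack, dataset, **kw):
    """Share of clean-correct inputs whose prediction the attack flips.
    Inputs the model already gets wrong are left out of the denominator so
    the number measures the attack, not the clean error rate."""
    flipped = counted = 0
    for x, y in dataset:
        if predict(x) != y:
            continue
        counted += 1
        if predict(attack(x, y, **kw)) != y:
            flipped += 1
    return flipped / counted if counted else 0.0


# Constructed sample "images" (6 pixels in [0, 1]) with their labels.
DATASET = [
    ([0.8, 0.8, 0.2, 0.2, 0.2, 0.2], 0),  # large margin: survives eps=0.1
    ([0.5, 0.5, 0.4, 0.4, 0.2, 0.2], 0),  # small margin: flips at eps=0.1
    ([0.3, 0.3, 0.6, 0.6, 0.3, 0.3], 1),  # survives eps=0.1
    ([0.3, 0.3, 0.3, 0.3, 0.4, 0.4], 2),  # flips at eps=0.1
    ([0.2, 0.2, 0.5, 0.5, 0.2, 0.2], 0),  # misclassified when clean: not counted
]


if __name__ == "__main__":
    for eps in (0.02, 0.1, 0.2):
        print(f"eps={eps:.2f}  BIM ASR={attack_success_rate(bim, DATASET, eps=eps):.2f}"
              f"  PGD ASR={attack_success_rate(pgd, DATASET, eps=eps):.2f}")
```

Because each pixel feeds exactly one class, the gradient sign never changes during the attack and both methods end at the same corner of the eps ball, which is why BIM and PGD report the same rate here; on a real VLM the random start of PGD matters because the loss surface is not that tame. The sweep over eps shows the point the page's numbers make: the same attack flips a different share of inputs depending on how much margin the model has, so the budget must be reported alongside any attack success rate.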


Details

Domains
multimodal, vision, nlp
Model Types
vlm, transformer, multimodal
Threat Tags
white_box, inference_time, digital
Applications
e-commerce agents, vision-language agents