Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Why does Blip2VisionModel not receive the prompt as input? #5

Open
RylanSchaeffer opened this issue Feb 20, 2024 · 7 comments
Open

Why does Blip2VisionModel not receive the prompt as input? #5

RylanSchaeffer opened this issue Feb 20, 2024 · 7 comments

Comments

@RylanSchaeffer
Copy link

As best as I can tell, the Blip2VisionModel doesn't receive the prompt as input:

Attack-Bard/surrogates/Blip2.py

Lines 51 to 53 in 5e9618a

# inputs["input_ids"] = self.prompt.repeat(batch_size, 1)
inputs["input_ids"] = self.labels.repeat(batch_size, 1).to(self.device)
inputs["labels"] = self.labels.repeat(batch_size, 1).to(self.device)

Why is this? Could someone please clarify?
@huanranchen
Copy link
Collaborator

Hi!
This is because we only use the VisionEncoder of Blip2. Blip2 consists of a vision encoder and a text decoder, the prompt will be only used by text decoder. Here we perform "Image Feature Attack", in this case we don't need the text decoder, as well as the prompt.

@RylanSchaeffer
Copy link
Author

RylanSchaeffer commented Feb 20, 2024 via email

@huanranchen
Copy link
Collaborator

I'm sorry; you are right. It's my fault; it should have included some text prompts. Perhaps this is one of the reasons the "Text Description Attack" didn't perform well.

However, this may not be the primary reason. I recently conducted a Text Description Attack on LLava and minigpt4, but the adversarial examples still cannot transfer to GPT-4V or Bard. I'm confident the code is correct since I evaluated the adversarial examples in white-box settings, and the outputs from the white-box models match my target prompts exactly. I believe the main challenge lies in the transferability of the adversarial examples.

@chchch0109
Copy link

Hi, I'm interested in your work, but I have some questions about that.

  1. So for "Text Description Attack", we should include text prompts, right?
  2. What's the metric of the "Text Description Attack"? You said match my target prompts exactly, so I assume that the target attack try to make the model output the exactly same as the target prompt?

@huanranchen
Copy link
Collaborator

Hi, I'm interested in your work, but I have some questions about that.

  1. So for "Text Description Attack", we should include text prompts, right?
  2. What's the metric of the "Text Description Attack"? You said match my target prompts exactly, so I assume that the target attack try to make the model output the exactly same as the target prompt?

Hi~

  1. Yeah, adding text prompts like "describe the image" is something we should think about. But honestly, I don't think it makes a big difference whether we attack with or without prompts.
  2. For the "Text Description Attack," we're still looking at whether the image gets misclassified. It's pretty easy to match the model's output to my target prompts in a white-box scenario. But in a black-box setting? Seems like a no-go – haven't managed to pull it off yet. Since this paper is all about black-box attacks, we're sticking with "misclassification" as our go-to metric.

@Monika-Tiyyagura
Copy link

Monika-Tiyyagura commented Mar 5, 2024
edited
Loading

@dongyp13 @huanranchen hey This is Monika. I really appreciate the work you guys did. I need your help, I am trying to implement/replicate this project as my semester long project and trying to improve the success rates but I am unable to replicate the actual work locally and I am facing the problem with installing the dependencies. I really appreciate if you help/guide me with this as I need to submit this tomorrow. Thank you in advance.

@huanranchen
Copy link
Collaborator

@dongyp13 @huanranchen hey This is Monika. I really appreciate the work you guys did. I need your help, I am trying to implement/replicate this project as my semester long project and trying to improve the success rates but I am unable to replicate the actual work locally and I am facing the problem with installing the dependencies. I really appreciate if you help/guide me with this as I need to submit this tomorrow. Thank you in advance.

Hi, how can I help you? I suggest to run img_encoder_attack, as it doesn't need to deploy minigpt4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@RylanSchaeffer @huanranchen @chchch0109 @Monika-Tiyyagura