Adversarial Robustness of Vision in Open Foundation Models

Abstract: With the increase in deep learning, it becomes increasingly difficult to understand the model in which AI systems can identify objects. Thus, an adversary could aim to modify an image by adding unseen elements, which will confuse the AI in its recognition of an entity. This paper thus investigates the adversarial robustness of LLaVA-1.5-13B and Meta's Llama 3.2 Vision-8B-2. These are tested for untargeted PGD (Projected Gradient Descent) against the visual input modality, and empirically evaluated on the Visual Question Answering (VQA) v2 dataset subset. The results of these adversarial attacks are then quantified using the standard VQA accuracy metric. This evaluation is then compared with the accuracy degradation (accuracy drop) of LLaVA and Llama 3.2 Vision. A key finding is that Llama 3.2 Vision, despite a lower baseline accuracy in this setup, exhibited a smaller drop in performance under attack compared to LLaVA, particularly at higher perturbation levels. Overall, the findings confirm that the vision modality represents a viable attack vector for degrading the performance of contemporary open-weight VLMs, including Meta's Llama 3.2 Vision. Furthermore, they highlight that adversarial robustness does not necessarily correlate directly with standard benchmark performance and may be influenced by underlying architectural and training factors.

• The paper demonstrates that open-weight vision-language models like LLaVA and Llama 3.2 Vision suffer significant accuracy drops under white-box PGD attacks.
• The paper employs rigorous evaluation on the VQA v2 benchmark, contrasting projection fusion and cross-attention adapters across varied perturbation levels.
• The paper shows that higher baseline accuracy does not ensure adversarial robustness, highlighting the need for robust defense strategies in multimodal systems.

Adversarial Robustness of Vision in Open Foundation Models: An Expert Analysis

Introduction and Motivation

This work addresses the adversarial robustness of vision components in open-weight Vision-LLMs (VLMs), focusing on LLaVA-1.5-13B and Meta's Llama 3.2 Vision-8B-2. The proliferation of VLMs has enabled a wide array of applications, but has also introduced new attack surfaces, especially via the visual modality. While textual attacks on LLMs have been extensively studied, systematic analysis of visual adversarial robustness in open multimodal foundation models is underdeveloped. This paper aims to quantitatively compare the susceptibility of LLaVA and Llama 3.2 Vision to adversarial perturbations generated with Projected Gradient Descent (PGD), thereby clarifying links between model architecture, training regimes, and empirical robustness.

Foundation Models and Multimodal Architectures

The evolution of AI systems from statistical NLP to deep learning architectures culminated in the Transformer, now a backbone for both unimodal LLMs and VLMs.

Figure 1: The Transformer architecture illustrates the encoder (left) and decoder (right) stacks with multi-head attention and feed-forward layers.

Foundation models leverage large-scale pretraining on broad datasets, facilitating transfer to many tasks. VLMs build on this by integrating language and vision streams. Early VLMs such as ViLBERT and VisualBERT adopted dual- and single-stream processing. Subsequent models like CLIP and BLIP-2 further refined multimodal alignment and transfer, but relied on CNN or ViT-based visual backbones and variety of fusion mechanisms.

LLaVA introduced a straightforward projection layer to integrate CLIP visual features with a Llama-based LLM, while Llama 3.2 Vision employs a ViT-H/14 encoder and more sophisticated cross-attention adapters for image-language interaction. Notably, Llama 3.2 Vision’s training pipeline includes billions of image-text pairs and progressive adapter annealing, in contrast to the lower-scale instruction tuning in LLaVA.

Adversarial Vulnerabilities in Vision-LLMs

Adversarial examples threaten VLMs by injecting non-semantic, typically imperceptible, perturbations to the visual input. These attacks exploit the model’s reliance on high-dimensional, locally linear input representations, and can induce substantial output degradation or even explicit jailbreaking.

The threat model considered is untargeted, $L_\infty$-constrained white-box PGD, aligning with the rigorous evaluation principles outlined by Carlini and Wagner [carliniEvaluatingAdversarialRobustness2019]. Standard PGD attacks maximize the internal loss with respect to visual input, projecting after each step to enforce perceptual constraints.

Figure 2: Demonstration of adversarial perturbation using FGSM. An imperceptible perturbation $$\eta = \epsilon \cdot \text{sign}(\nabla_x J(\theta, x, y))$$ fools a classifier despite being visually negligible.

Prior studies have implicated VLMs (e.g., LLaVA, OpenFlamingo, and even proprietary systems like Bard and GPT-4V) as susceptible to ‘image hijack’ and compositional adversarial attacks [lukebaileyImageHijacksAdversarial2023, schlarmannAdversarialRobustnessMultiModal2023, shayeganiJailbreakPiecesCompositional2023, dongHowRobustGoogles2023]. Even explicit safety-aligned models and classifier head add-ons such as Llama Guard-3 Vision are impaired when confronted by adversarial images [chiLlamaGuard32024].

Experimental Evaluation: Methodology and Results

Formal Setup

The evaluation focuses on open VLMs with distinct vision-language fusion mechanisms:

• LLaVA-1.5-13B: CLIP ViT-L/14 + Vicuna-13B with projection fusion.
• Llama 3.2 Vision-8B-2: ViT-H/14 + Llama 3.1 8B with cross-attention adapters.

Both models are assessed on the Visual Question Answering (VQA) v2 benchmark, with adversarial perturbations generated solely in the visual channel.

• Attack: White-box, untargeted PGD with varying $\epsilon$, optimizing internal loss with respect to the image.
• Metric: VQA accuracy (agreement with ground-truth answers) before and after attack.
• Perturbation Budgets: $\epsilon$ ranging from $2/255$ (imperceptible) to $255/255$ (maximal distortion).

Comparative Robustness

On clean VQA data, LLaVA achieves 87.4% accuracy, substantially outperforming Llama 3.2 Vision at 42.8%. However, under PGD attack, the models display reversed robustness characteristics. For LLaVA, accuracy shows a monotonic, severe decline with increasing $\epsilon$ (e.g., dropping by 36.0 points at $\epsilon=255/255$). Llama 3.2 Vision’s accuracy drops less sharply, peaking at a 10.4-point loss, with no further significant degradation at higher $\epsilon$ values.

Figure 3: VQA Accuracy vs. Adversarial Perturbation Strength ($\epsilon$). Compares LLaVA-1.5-13B and Llama 3.2 Vision-8B-2 performance under PGD attack with varying $L_\infty$ budgets.

Qualitative failure analysis reveals that both models can be manipulated to produce incorrect, irrelevant, or nonsensical answers. The effect is more severe—and more proportionally damaging—in LLaVA, even though its absolute performance remains superior at small-to-moderate perturbations.

Discussion and Implications

Empirical Insights

• Both open-weight VLMs are vulnerable to white-box visual adversarial attacks: even subtle PGD perturbations ($\epsilon \leq 16/255$) induce significant accuracy degradation.
• LLaVA’s simple projection fusion mechanism is less robust, exhibiting a strong accuracy decline as noise increases.
• Llama 3.2 Vision’s cross-attention adapters and extensive pretraining yield notably higher stability to adversarial perturbations, despite lower baseline VQA accuracy on the evaluated subset.
• Robustness and clean-task performance are weakly correlated: LLaVA’s superior accuracy does not confer resistance to adversarial manipulation; in fact, higher-performing models, absent dedicated defense strategies, may be more brittle.

Practical and Theoretical Implications

These results underscore the vector by which foundation models—especially those relying on open weights—can be systematically compromised in safety-critical deployments. They also raise questions regarding the efficacy of scaling and architectural sophistication versus direct adversarial training or defensive induction. The comparative stability of Llama 3.2 Vision at higher perturbation strengths suggests possible regularization effects from its complex cross-modal adapters and larger-scale pretraining. However, neither model achieves robustness deemed acceptable for untrusted environments.

The findings align with the broader literature: model scale alone does not guarantee adversarial stability, and robust multimodal alignment calls for more than token-level fusion [bhagwatkarImprovingAdversarialRobustness2024, chiLlamaGuard32024]. Theoretical implications include the need for a principled taxonomy of multimodal threat models [vassilevAdversarialMachineLearning2024], and more nuanced benchmarking that incorporates adversarial and compositional attacks across both modalities [lukebaileyImageHijacksAdversarial2023, shayeganiJailbreakPiecesCompositional2023].

Future work should examine the joint role of architectural innovation (e.g., native early-fusion VLMs vs. adapter-based composition), adversarial data augmentation, and advanced defense strategies [zouImprovingAlignmentRobustness2024, srinivasanRobustifyingModelsAdversarial2021]. The experimental protocol set by this paper—systematic, white-box, loss-maximization attacks in the vision channel—should serve as a minimum standard for future robustness claims [carliniEvaluatingAdversarialRobustness2019].

Conclusion

This study systematically benchmarks the adversarial robustness of two leading open-weight VLMs, LLaVA-1.5-13B and Llama 3.2 Vision-8B-2, under strong $L_\infty$-constrained PGD attacks on the vision input. It finds that both are susceptible to accuracy degradation, but architectural differences and dataset scale contribute to distinct vulnerability profiles. Notably, higher standard accuracy does not imply higher adversarial resilience.

The results suggest that visual input remains a critical attack vector for open foundation models and that architectural or data-scale improvements alone are insufficient to mitigate adversarial risk. This has direct implications for responsible deployment, robust evaluation practices, and the need for research into scalable, generalizable defense strategies for multimodal AI systems.