VLATTACK: Multimodal Adversarial Attacks on Vision-Language Tasks via Pre-trained Models

Ziyi Yin, Muchao Ye, Tianrong Zhang, Tianyu Du, Jinguo Zhu, Han Liu, Jinghui Chen, Ting Wang, Fenglong Ma
DOI: https://doi.org/10.48550/arXiv.2310.04655
2024-02-06
Abstract: Vision-Language (VL) pre-trained models have shown their superiority on many multimodal tasks. However, the adversarial robustness of such models has not been fully explored. Existing approaches mainly focus on exploring the adversarial robustness under the white-box setting, which is unrealistic. In this paper, we aim to investigate a new yet practical task to craft image and text perturbations using pre-trained VL models to attack black-box fine-tuned models on different downstream tasks. Towards this end, we propose VLATTACK to generate adversarial samples by fusing perturbations of images and texts from both single-modal and multimodal levels. At the single-modal level, we propose a new block-wise similarity attack (BSA) strategy to learn image perturbations for disrupting universal representations. Besides, we adopt an existing text attack strategy to generate text perturbations independent of the image-modal attack. At the multimodal level, we design a novel iterative cross-search attack (ICSA) method to update adversarial image-text pairs periodically, starting with the outputs from the single-modal level. We conduct extensive experiments to attack five widely-used VL pre-trained models for six tasks. Experimental results show that VLATTACK achieves the highest attack success rates on all tasks compared with state-of-the-art baselines, which reveals a blind spot in the deployment of pre-trained VL models. Source codes can be found at https://github.com/ericyinyzy/VLAttack.
Cryptography and Security, Computer Vision and Pattern Recognition
What problem does this paper attempt to address?
The problem that this paper attempts to solve is: **Explore how to use pre-trained vision-language (VL) models to generate adversarial perturbations in order to attack black-box models in different downstream tasks fine-tuned on the basis of these pre-trained models**. Specifically, the researchers focus on the fact that in real-world scenarios, attackers cannot obtain the specific parameter information of the fine-tuned models (i.e., the black-box setting). Therefore, a new and practical attack paradigm needs to be developed to evaluate the adversarial robustness of pre-trained VL models by generating adversarial perturbations in image and text modalities.

### Core problems of the paper

1. **Limitations of existing work**:
   - Existing adversarial attacks mainly focus on the white-box setting, that is, attackers can access the gradient information of the model.
   - This setting is unrealistic in reality because malicious attackers usually can only access publicly released pre-trained models and cannot obtain the specific parameters of the fine-tuned models.
2. **New challenges**:
   - **Task-specific challenges**: Pre-trained VL models are used to fine-tune a variety of different downstream tasks, requiring the designed attack mechanism to be general-purpose and applicable to multiple tasks.
   - **Model-specific challenges**: Since the parameters of the fine-tuned model are unknown, the attack method needs to automatically learn the adversarial transferability between the pre-trained model and the fine-tuned model, especially to build inter-connections between different modalities.

### Proposed solutions

To solve the above problems, the paper proposes a new attack strategy, **VLATTACK**, which is divided into two levels:

1. **Single-modality level**:
   - The Block-wise Similarity Attack (BSA) is proposed, which specifically perturbs the image modality. It destroys the general image-text representation by maximizing the block-wise distance in the image encoder and the Transformer encoder.
   - For the text modality, the existing BERT-Attack method is adopted for word-level perturbation.
2. **Multi-modality level**:
   - The Iterative Cross-Search Attack (ICSA) is designed. By iteratively updating image and text perturbation pairs, it gradually optimizes the adversarial samples to ensure that the final adversarial samples can successfully change the prediction results on the black-box fine-tuned model.

### Experimental verification

The paper verifies the effectiveness of VLATTACK through extensive experiments, including the attack success rates of five widely used VL pre-trained models (such as BLIP, CLIP, ViLT, OFA, and UniTAB) on six tasks. The experimental results show that VLATTACK significantly outperforms existing single-modality and multi-modality attack methods on all tasks, revealing an important blind spot in the adversarial robustness of large-scale VL models.

### Formula summary

- **Objective function for adversarial sample generation**:

  \[ \max_{I', T'} 1\{S(I', T') \neq y\}, \quad \text{s.t.} \quad \|I' - I\|_\infty < \sigma_i, \quad \cos(\mathbf{U}_s(T'), \mathbf{U}_s(T)) > \sigma_s \]

  where $\sigma_i$ is the $l_\infty$-norm perturbation intensity of the image, and $\sigma_s$ is the semantic similarity threshold between the original text and the perturbed text.

- **BSA loss function**:

  \[ L = \sum_{i = 1}^{M_i} \sum_{j = 1}^{M_{ij}} \cos(F_{ij}^\alpha(I), F_{ij}^\alpha(I')) + \sum_{k = 1}^{M_k} \sum_{t = 1}^{M_{kt}} \cos(F_{kt}^\beta(I, T), F_{kt}^\beta(I', T)) \]

  where $F_{ij}^\alpha$ and $F_{kt}^\beta$
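
A budget check for a robustness test harness, added here as an example (not code from the paper or its repository): it tests a candidate image-text pair against the two constraints of the objective in the formula summary and evaluates the block-wise cosine sum of the BSA loss on feature vectors supplied by the caller. The function names, sample vectors and thresholds are constructed for illustration.

```python
import math

def cosine(u, v):
    """Cosine similarity of two equal-length vectors (0.0 if either is all zeros)."""
    if len(u) != len(v):
        raise ValueError("vector length mismatch")
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0

def linf(x, x_adv):
    """l_inf distance between two flattened images on the same pixel scale."""
    if len(x) != len(x_adv):
        raise ValueError("image size mismatch")
    return max(abs(a - b) for a, b in zip(x, x_adv))

def within_budget(img, img_adv, txt_emb, txt_adv_emb, sigma_i, sigma_s):
    """Evaluate both constraints of the objective for one candidate pair."""
    d = linf(img, img_adv)
    s = cosine(txt_emb, txt_adv_emb)
    return {"linf": d, "text_cos": s,
            "image_ok": d < sigma_i, "text_ok": s > sigma_s,
            "in_budget": d < sigma_i and s > sigma_s}

def blockwise_similarity(clean, perturbed):
    """Sum of cosine similarities over every (block, layer) feature pair.

    clean[i][j] and perturbed[i][j] are flattened feature vectors, e.g. the
    F^alpha or F^beta outputs for the clean and the perturbed input.
    """
    if len(clean) != len(perturbed) or any(
            len(c) != len(p) for c, p in zip(clean, perturbed)):
        raise ValueError("block layout mismatch")
    return sum(cosine(c, p)
               for cb, pb in zip(clean, perturbed) for c, p in zip(cb, pb))

def bsa_loss(alpha_clean, alpha_adv, beta_clean, beta_adv):
    """L = image-encoder term + Transformer-encoder term, as in the formula."""
    return (blockwise_similarity(alpha_clean, alpha_adv)
            + blockwise_similarity(beta_clean, beta_adv))

# Constructed sample data (not from the paper): 4 pixels in [0, 1], 2-d vectors.
IMG, IMG_ADV = [0.10, 0.50, 0.90, 0.30], [0.13, 0.48, 0.90, 0.34]
TXT, TXT_ADV = [1.0, 0.0], [0.8, 0.6]
ALPHA = [[[1.0, 0.0], [0.0, 1.0]], [[1.0, 1.0]]]        # clean feature blocks
ALPHA_ADV = [[[1.0, 0.0], [1.0, 0.0]], [[-1.0, -1.0]]]  # perturbed feature blocks

if __name__ == "__main__":
    print(within_budget(IMG, IMG_ADV, TXT, TXT_ADV, sigma_i=0.05, sigma_s=0.95))
    print(bsa_loss(ALPHA, ALPHA_ADV, ALPHA, ALPHA))
```

A loss close to the number of feature pairs means the perturbed input's representations barely moved; a lower value means larger block-wise drift from the clean input.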