Jialin Wu,Kaikai Pan,Yanjiao Chen,Jiangyi Deng,Shengyuan Pang,Wenyuan Xu

DOI: https://doi.org/10.1109/metacom62920.2024.00029

2024-01-01

Abstract:Transformer models have excelled in natural language tasks, prompting the vision community to explore their implementation in computer vision problems. However, these models are still influenced by adversarial examples. In this paper, we investigate the attack capabilities of six common adversarial attacks on three pre-trained ViT models to reveal the vulnerability of ViT models. To understand and analyse the bias in neural network decisions when the input is adversarial, we use two visualisation techniques that are attention rollout and grad attention rollout. To prevent ViT models from adversarial attack, we propose Protego, a detection framework that leverages the transformer intrinsic capabilities to detection adversarial examples of ViT models. Nonetheless, this is challenging due to a diversity of attack strategies that may be adopted by adversaries. Inspired by the attention mechanism, we know that the token of model’s prediction contains all the information from the input sample. Additionally, the attention region for adversarial examples differs from that of normal examples. Given these points, we can train a detector that achieves superior performance than existing detection methods to identify adversarial examples. Our experiments have demonstrated the high effectiveness of our detection method. For these six adversarial attack methods, our detector’s AUC scores all exceed 0.95. Protego may advance investigations in metaverse security.

Xu Guo,Peng Chen,Zhihui Lu,Hongfeng Chai,Xin Du,Xudong Wu

DOI: https://doi.org/10.1016/j.sysarc.2024.103155

IF: 5.836

2024-04-27

Journal of Systems Architecture

Abstract:The deployment of high-performance Vision Transformer (ViT) models on Internet of Things (IoT) devices has garnered attention from both industry and academia. However, their vulnerability to adversarial examples highlights security risks for visual tasks in IoT scenarios. As a black-box attack technique, transfer attacks leverage a surrogate model to generate transferable adversarial examples to attack a target victim model, which mainly focuses on a forward (input diversification) and a backward (gradient modification) approach. However, both approaches are currently implemented straightforwardly and limit the transferability of surrogate models. In this paper, we propose a Forward-Backward Transferable Adversarial Attack framework (FBTA) that can generate highly transferable adversarial examples against different models by fully leveraging ViT's distinctive intermediate layer structures. In the forward inference process of FBTA, we propose a Dropout-based Transferable Attack (DTA) approach to diversify the intermediate states of ViT models, simulating an ensemble learning effect; in the backward process, a Backpropagation Gradient Clipping (BGC) method is designed to refine the gradients within intermediate layers of ViT models intricately. Extensive experiments on state-of-the-art ViTs and robust CNNs demonstrate that our FBTA framework achieves an average performance improvement of 2.79% compared to state-of-the-art transfer-based attacks, offering insights for the comprehension and defense against transfer attacks.

computer science, software engineering, hardware & architecture

Yuxuan Wang,Jiakai Wang,Zinxin Yin,Ruihao Gong,Jingyi Wang,Aishan Liu,Xianglong Liu

DOI: https://doi.org/10.1145/3503161.3547989

2022-01-01

Abstract:Vision transformers (ViTs) are prevailing among several visual recognition tasks, therefore drawing intensive interest in generating adversarial examples against them. Different from CNNs, ViTs enjoy unique architectures, e.g., self-attention and image-embedding, which are commonly-shared features among various types of transformer-based models. However, existing adversarial methods suffer from weak transferable attacking ability due to the overlook of these architectural features. To address the problem, we propose an Architecture-oriented Transferable Attacking (ATA) framework to generate transferable adversarial examples by activating the uncertain attention and perturbing the sensitive embedding.Specifically, we first locate the patch-wise attentional regions that mostly affect model perception, therefore intensively activating the uncertainty of the attention mechanism and confusing the model decisions in turn.Furthermore, we search the pixel-wise attacking positions that are more likely to derange the embedded tokens using sensitive embedding perturbation, which could serve as a strong transferable attacking pattern.By jointly confusing the unique yet widely-used architectural features among transformer-based models, we can activate strong attacking transferability among diverse ViTs. Extensive experiments on large-scale dataset ImageNet using various popular transformers demonstrate that our ATA outperforms other baselines by large margins (at least +15% Attack Success Rate). Our code is available at https://github.com/nlsde-safety-team/ATA

Muzammal Naseer,Kanchana Ranasinghe,Salman Khan,Fahad Shahbaz Khan,Fatih Porikli

DOI: https://doi.org/10.48550/arXiv.2106.04169

2021-06-08

Computer Vision and Pattern Recognition

Abstract:Vision transformers (ViTs) process input images as sequences of patches via self-attention; a radically different architecture than convolutional neural networks (CNNs). This makes it interesting to study the adversarial feature space of ViT models and their transferability. In particular, we observe that adversarial patterns found via conventional adversarial attacks show very \emph{low} black-box transferability even for large ViT models. We show that this phenomenon is only due to the sub-optimal attack procedures that do not leverage the true representation potential of ViTs. A deep ViT is composed of multiple blocks, with a consistent architecture comprising of self-attention and feed-forward layers, where each block is capable of independently producing a class token. Formulating an attack using only the last class token (conventional approach) does not directly leverage the discriminative information stored in the earlier tokens, leading to poor adversarial transferability of ViTs. Using the compositional nature of ViT models, we enhance transferability of existing attacks by introducing two novel strategies specific to the architecture of ViT models. (i) Self-Ensemble: We propose a method to find multiple discriminative pathways by dissecting a single ViT model into an ensemble of networks. This allows explicitly utilizing class-specific information at each ViT block. (ii) Token Refinement: We then propose to refine the tokens to further enhance the discriminative capacity at each block of ViT. Our token refinement systematically combines the class tokens with structural information preserved within the patch tokens.

Huipeng Zhou,Yu-an Tan,Yajie Wang,Haoran Lyu,Shangbo Wu,Yuanzhang Li

DOI: https://doi.org/10.48550/arXiv.2204.12680

2022-04-27

Computer Vision and Pattern Recognition

Abstract:Vision transformers (ViTs) have demonstrated impressive performance in various computer vision tasks. However, the adversarial examples generated by ViTs are challenging to transfer to other networks with different structures. Recent attack methods do not consider the specificity of ViTs architecture and self-attention mechanism, which leads to poor transferability of the generated adversarial samples by ViTs. We attack the unique self-attention mechanism in ViTs by restructuring the embedded patches of the input. The restructured embedded patches enable the self-attention mechanism to obtain more diverse patches connections and help ViTs keep regions of interest on the object. Therefore, we propose an attack method against the unique self-attention mechanism in ViTs, called Self-Attention Patches Restructure (SAPR). Our method is simple to implement yet efficient and applicable to any self-attention based network and gradient transferability-based attack methods. We evaluate attack transferability on black-box models with different structures. The result show that our method generates adversarial examples on white-box ViTs with higher transferability and higher image quality. Our research advances the development of black-box transfer attacks on ViTs and demonstrates the feasibility of using white-box ViTs to attack other black-box models.

Tuo Li,Yahong Han

DOI: https://doi.org/10.1007/s00530-023-01157-z

IF: 3.9

2023-08-17

Multimedia Systems

Abstract:Vision Transformers (ViTs) have been a new paradigm in several computer vision tasks, yet they are susceptible to adversarial examples. Recent studies show it is difficult to transfer adversarial examples generated by ViTs to other models. Existing methods have poor transferability because they do not target the specific structural characteristics (e.g., self-attention and patch-embedding) of ViTs. To address this problem and further boost transferability, we propose a method, namely Global Attention and Local Drop (GALD), to boost the transferability of adversarial examples from ViTs to other models, including ViTs and convolutional neural networks (CNNs). Specifically, our method contains two parts: Global Attention Guidance (GAG) and Drop Patch (DP). The GAG improves the attention representation in shallow layers by adding global guidance attention to every layer except the final layer of ViTs. Therefore, the perturbations could focus on the object regions. DP randomly drops some patches in every iteration to diversify the input patterns and mitigate overfitting of adversarial examples to the surrogate model. Experiments show that adversarial examples generated by our method own the best transferability to black-box models with unknown structures. Code is available at Link.

computer science, information systems, theory & methods

Wenshuo Ma,Yidong Li,Xiaofeng Jia,Wei Xu

DOI: https://doi.org/10.1109/iccv51070.2023.00427

2023-01-01

Abstract:Visual Transformers (ViTs) and Convolutional Neural Networks (CNNs) are the two primary backbone structures extensively used in various vision tasks. Generating transferable adversarial examples for ViTs is difficult due to ViTs' superior robustness, while transferring adversarial examples across ViTs and CNNs is even harder, since their structures and mechanisms for processing images are fundamentally distinct. In this work, we propose a novel attack method named Momentum Integrated Gradients (MIG), which not only attacks ViTs with high success rate, but also exhibits impressive transferability across ViTs and CNNs. Specifically, we use integrated gradients rather than gradients to steer the generation of adversarial perturbations, inspired by the observation that integrated gradients of images demonstrate higher similarity across models in comparison to regular gradients. Then we acquire the accumulated gradients by combining the integrated gradients from previous iterations with the current ones in a momentum manner and use their sign to modify the perturbations iteratively. We conduct extensive experiments to demonstrate that adversarial examples obtained using MIG show stronger transferability, resulting in significant improvements over state-of-the-art methods for both CNN and ViT models.

Jianping Zhang,Yizhan Huang,Weibin Wu,Michael R. Lyu

DOI: https://doi.org/10.48550/arXiv.2303.15754

2023-06-05

Abstract:Vision transformers (ViTs) have been successfully deployed in a variety of computer vision tasks, but they are still vulnerable to adversarial samples. Transfer-based attacks use a local model to generate adversarial samples and directly transfer them to attack a target black-box model. The high efficiency of transfer-based attacks makes it a severe security threat to ViT-based applications. Therefore, it is vital to design effective transfer-based attacks to identify the deficiencies of ViTs beforehand in security-sensitive scenarios. Existing efforts generally focus on regularizing the input gradients to stabilize the updated direction of adversarial samples. However, the variance of the back-propagated gradients in intermediate blocks of ViTs may still be large, which may make the generated adversarial samples focus on some model-specific features and get stuck in poor local optima. To overcome the shortcomings of existing approaches, we propose the Token Gradient Regularization (TGR) method. According to the structural characteristics of ViTs, TGR reduces the variance of the back-propagated gradient in each internal block of ViTs in a token-wise manner and utilizes the regularized gradient to generate adversarial samples. Extensive experiments on attacking both ViTs and CNNs confirm the superiority of our approach. Notably, compared to the state-of-the-art transfer-based attacks, our TGR offers a performance improvement of 8.8% on average.

Computer Vision and Pattern Recognition

Zhipeng Wei,Jingjing Chen,Zuxuan Wu,Yu-Gang Jiang

DOI: https://doi.org/10.1109/TPAMI.2023.3347835

Abstract:The cross-model transferability of adversarial examples makes black-box attacks to be practical. However, it typically requires access to the input of the same modality as black-box models to attain reliable transferability. Unfortunately, the collection of datasets may be difficult in security-critical scenarios. Hence, developing cross-modal attacks for fooling models with different modalities of inputs would highly threaten real-world DNNs applications. The above considerations motivate us to investigate cross-modal transferability of adversarial examples. In particular, we aim to generate video adversarial examples from white-box image models to attack video CNN and ViT models. We introduce the Image To Video (I2V) attack based on the observation that image and video models share similar low-level features. For each video frame, I2V optimizes perturbations by reducing the similarity of intermediate features between benign and adversarial frames on image models. Then I2V combines adversarial frames together to generate video adversarial examples. I2V can be easily extended to simultaneously perturb multi-layer features extracted from an ensemble of image models. To efficiently integrate various features, we introduce an adaptive approach to re-weight the contributions of each layer based on its cosine similarity values of the previous attack step. Experimental results demonstrate the effectiveness of the proposed method.

Fan Wang,Mingwen Shao,Lingzhuang Meng,Fukang Liu

DOI: https://doi.org/10.1007/s13042-024-02097-4

2024-02-15

International Journal of Machine Learning and Cybernetics

Abstract:Relying on wide receptive fields, Vision Transformers (ViTs) are more robust than Convolutional Neural Networks (CNNs). Consequently, some transfer-based attack methods that perform well on CNNs perform poorly when attacking ViTs. To address the aforementioned issues, we propose dual-stage attack framework named DSA. More specifically, we introduce a dual spatial optimization strategy involving both decision space and feature space optimization to improve the transferability of adversarial examples across different ViTs. Adversarial perturbations are generated by our proposed semi self-integrated module in the first stage and optimized by the feature extractor in the second stage. During this process, our proposed integrated model makes full use of the discriminative information in the deep transformer blocks and achieves significant improvements in transferability. To further enhance the transferability, we design the random perturbation masking module to alleviate the over-fitting of adversarial examples to the surrogate model. We evaluate the transferability of attacks on state-of-the-art ViTs, CNNs, and robustly trained CNNs. Extensive experiments demonstrate that the proposed dual-stage attack can greatly boost transferability between ViTs and from ViTs to CNNs.

computer science, artificial intelligence

Tingchao Fu,Fanxiao Li,Jinhong Zhang,Liang Zhu,Yuanyu Wang,Wei Zhou

DOI: https://doi.org/10.1007/978-981-97-0945-8_6

2024-01-01

Abstract:Vision transformers (ViTs) have witnessed significant progress in the past few years. Recently, the latest research revealed that ViTs are vulnerable to transfer-based attacks, in which attackers can use a local surrogate model to generate adversarial examples, then transfer these malicious examples to attack the target black-box ViT directly. Suffering from the threat of transfer-based attacks, it is challenging to deploy ViTs to security-critical tasks. Therefore, it becomes an exact need to explore the robustness of ViTs against transfer-based attacks. However, existing transfer-based attack methods do not fully consider the unique structure of ViT, and they indiscriminately attack the intermediate outputs token of ViTs, leading to the perturbations being focused on specific model information within the tokens, and further resulting in a limited transferability of the generated adversarial examples. To address the current limitations, we propose Token Importance Attack (TIA), a novel ViTs-oriented transfer-based attack method. Specifically, we introduce Randomly Shuffle Patches (RSP) strategy to expand the diversity of the input space. By applying RSP, we can generate multiple shuffled images from a single image, allowing us to obtain multiple token gradients. Then TIA ensembles these token gradients of shuffled images as a guide map to focus the perturbation on the model-independent information in the token rather than model-specific information. Benefiting from these two components, TIA can avoid overfitting to the surrogate model, thus enhancing the transferability of the crafted adversarial examples. Extensive experiments conducted on common datasets with different ViTs and CNNs have demonstrated the effectiveness of TIA.

Weijie Zheng,Xingjun Ma,Hanxun Huang,Zuxuan Wu,Yu-Gang Jiang

2024-08-03

Abstract:With the advancement of vision transformers (ViTs) and self-supervised learning (SSL) techniques, pre-trained large ViTs have become the new foundation models for computer vision applications. However, studies have shown that, like convolutional neural networks (CNNs), ViTs are also susceptible to adversarial attacks, where subtle perturbations in the input can fool the model into making false predictions. This paper studies the transferability of such an adversarial vulnerability from a pre-trained ViT model to downstream tasks. We focus on \emph{sample-wise} transfer attacks and propose a novel attack method termed \emph{Downstream Transfer Attack (DTA)}. For a given test image, DTA leverages a pre-trained ViT model to craft the adversarial example and then applies the adversarial example to attack a fine-tuned version of the model on a downstream dataset. During the attack, DTA identifies and exploits the most vulnerable layers of the pre-trained model guided by a cosine similarity loss to craft highly transferable attacks. Through extensive experiments with pre-trained ViTs by 3 distinct pre-training methods, 3 fine-tuning schemes, and across 10 diverse downstream datasets, we show that DTA achieves an average attack success rate (ASR) exceeding 90\%, surpassing existing methods by a huge margin. When used with adversarial training, the adversarial examples generated by our DTA can significantly improve the model's robustness to different downstream transfer attacks.

Computer Vision and Pattern Recognition,Artificial Intelligence

Chao Zhou,Xiaowen Shi,Yuan-Gen Wang

2024-06-29

Abstract:Recent studies have revealed that vision transformers (ViTs) face similar security risks from adversarial attacks as deep convolutional neural networks (CNNs). However, directly applying attack methodology on CNNs to ViTs has been demonstrated to be ineffective since the ViTs typically work on patch-wise encoding. This article explores the vulnerability of ViTs against adversarial attacks under a black-box scenario, and proposes a novel query-efficient hard-label adversarial attack method called AdvViT. Specifically, considering that ViTs are highly sensitive to patch modification, we propose to optimize the adversarial perturbation on the individual patches. To reduce the dimension of perturbation search space, we modify only a handful of low-frequency components of each patch. Moreover, we design a weight mask matrix for all patches to further optimize the perturbation on different regions of a whole image. We test six mainstream ViT backbones on the ImageNet-1k dataset. Experimental results show that compared with the state-of-the-art attacks on CNNs, our AdvViT achieves much lower $L_2$-norm distortion under the same query budget, sufficiently validating the vulnerability of ViTs against adversarial attacks.

Computer Vision and Pattern Recognition

Yanyang Han,Ju Liu,Xiaoxi Liu,Xiao Jiang,Lingchen Gu,Xuesong Gao,Weiqiang Chen

DOI: https://doi.org/10.1007/s00521-022-07568-9

2022-01-01

Abstract:Adversarial examples can attack multiple unknown convolutional neural networks (CNNs) due to adversarial transferability, which reveals the vulnerability of CNNs and facilitates the development of adversarial attacks. However, most of the existing adversarial attack methods possess a limited transferability on vision transformers (ViTs). In this paper, we propose a partial blocks search attack (PBSA) method to generate adversarial examples on ViTs, which significantly enhance transferability. Instead of directly employing the same strategy for all encoder blocks on ViTs, we divide encoder blocks into two categories by introducing the block weight score and exploit distinct strategies to process them. In addition, we optimize the generation of perturbations by regularizing the self-attention feature maps and creating an ensemble of partial blocks. Finally, perturbations are adjusted by an adaptive weight to disturb the most effective pixels of original images. Extensive experiments on the ImageNet dataset are conducted to demonstrate the validity and effectiveness of the proposed PBSA. The experimental results reveal the superiority of the proposed PBSA to state-of-the-art attack methods on both ViTs and CNNs. Furthermore, PBSA can be flexibly combined with existing methods, which significantly enhances the transferability of adversarial examples.

Boxi Wu,Jindong Gu,Zhifeng Li,Deng Cai,Xiaofei He,Wei Liu

DOI: https://doi.org/10.48550/arXiv.2207.10498

2022-07-21

Abstract:Vision Transformer (ViT), as a powerful alternative to Convolutional Neural Network (CNN), has received much attention. Recent work showed that ViTs are also vulnerable to adversarial examples like CNNs. To build robust ViTs, an intuitive way is to apply adversarial training since it has been shown as one of the most effective ways to accomplish robust CNNs. However, one major limitation of adversarial training is its heavy computational cost. The self-attention mechanism adopted by ViTs is a computationally intense operation whose expense increases quadratically with the number of input patches, making adversarial training on ViTs even more time-consuming. In this work, we first comprehensively study fast adversarial training on a variety of vision transformers and illustrate the relationship between the efficiency and robustness. Then, to expediate adversarial training on ViTs, we propose an efficient Attention Guided Adversarial Training mechanism. Specifically, relying on the specialty of self-attention, we actively remove certain patch embeddings of each layer with an attention-guided dropping strategy during adversarial training. The slimmed self-attention modules accelerate the adversarial training on ViTs significantly. With only 65\% of the fast adversarial training time, we match the state-of-the-art results on the challenging ImageNet benchmark.

Computer Vision and Pattern Recognition

Xingxing Wei,Siyuan Liang,Ning Chen,Xiaochun Cao

DOI: https://doi.org/10.24963/ijcai.2019/134

2019-08-01

Abstract:Identifying adversarial examples is beneficial for understanding deep networks and developing robust models. However, existing attacking methods for image object detection have two limitations: weak transferability---the generated adversarial examples often have a low success rate to attack other kinds of detection methods, and high computation cost---they need much time to deal with video data, where many frames need polluting. To address these issues, we present a generative method to obtain adversarial images and videos, thereby significantly reducing the processing time. To enhance transferability, we manipulate the feature maps extracted by a feature network, which usually constitutes the basis of object detectors. Our method is based on the Generative Adversarial Network (GAN) framework, where we combine a high-level class loss and a low-level feature loss to jointly train the adversarial example generator. Experimental results on PASCAL VOC and ImageNet VID datasets show that our method efficiently generates image and video adversarial examples, and more importantly, these adversarial examples have better transferability, therefore being able to simultaneously attack two kinds of representative object detection models: proposal based models like Faster-RCNN and regression based models like SSD.

Zhipeng Wei,Jingjing Chen,Zuxuan Wu,Yu-Gang Jiang

DOI: https://doi.org/10.1609/aaai.v36i3.20168

2022-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Although deep-learning based video recognition models have achieved remarkable success, they are vulnerable to adversarial examples that are generated by adding human-imperceptible perturbations on clean video samples. As indicated in recent studies, adversarial examples are transferable, which makes it feasible for black-box attacks in real-world applications. Nevertheless, most existing adversarial attack methods have poor transferability when attacking other video models and transfer-based attacks on video models are still unexplored. To this end, we propose to boost the transferability of video adversarial examples for black-box attacks on video recognition models. Through extensive analysis, we discover that different video recognition models rely on different discriminative temporal patterns, leading to the poor transferability of video adversarial examples. This motivates us to introduce a temporal translation attack method, which optimizes the adversarial perturbations over a set of temporal translated video clips. By generating adversarial examples over translated videos, the resulting adversarial examples are less sensitive to temporal patterns existed in the white-box model being attacked and thus can be better transferred. Extensive experiments on the Kinetics-400 dataset and the UCF-101 dataset demonstrate that our method can significantly boost the transferability of video adversarial examples. For transfer-based attack against video recognition models, it achieves a 61.56% average attack success rate on the Kinetics-400 and 48.60% on the UCF-101.

Desheng Zheng,Wuping Ke,Xiaoyu Li,Shibin Zhang,Guangqiang Yin,Weizhong Qian,Yong Zhou,Fan Min,Shan Yang

DOI: https://doi.org/10.1007/s10489-023-05171-6

IF: 5.3

2024-01-01

Applied Intelligence

Abstract:Deep neural networks (DNNs) are vulnerable to adversarial examples that fool the models with tiny perturbations. Although adversarial attacks have achieved incredible attack success rates in the white-box setting, most existing adversaries often exhibit weak transferability in the black-box setting, especially for models with defense mechanisms. In this work, we reveal the cross-model channel redundancy and channel invariance of DNNs and thus propose two channel-augmented methods to improve the transferability of adversarial examples, namely, the channel transformation (CT) method and the channel-invariant Patch (CIP) method. Specifically, channel transformation shuffles and rewrites channels to enhance cross-model feature redundancy in convolution, and channel-invariant patches distinctly weaken different channels to achieve loss-preserving transformation. We compute the aggregated gradients of the transformed dataset to create adversaries with higher transferability. In addition, the two proposed methods can be naturally combined with each other and with almost all other gradient-based methods to further improve performance. Empirical results on the ImageNet dataset demonstrate that our attack methods exhibit higher transferability and achieve higher attack success rates than state-of-the-art gradient-based attacks. Specifically, our attack improves the average attack success rate from 86.9% to 91.0% on normally trained models and from 44.6% to 68.3% on adversarially trained models.

Xiaotong Jiao,Shangru Zhao,Yuqing Zhang

DOI: https://doi.org/10.1109/swc57546.2023.10449303

2023-01-01

Abstract:Deep neural networks are vulnerable to adversarial examples which apply imperceptible perturbations on benign inputs. Compared to the great success achieved by many adversarial attacks in the white-box setting, most attacks show weak transferability in the black-box scenario. Instead of applying data augmentation on inputs, we propose a new target-oriented method(TOM) to improve attack transferability. Specifically, we choose the appropriate target example for each input in preprocessing, then use it to guide the generation of perturbations during iterations. In order to improve transferability, our approach utilizes the image’s information from the target class to guide the generation of adversarial examples. We only use a small number of gradient calculations and lightweight clipping operations, which greatly saving computing resources. Experiment on ILSVRC2012 shows that out method achieves the same transferability to other attacks like SIM and VTM with approximately one-third of the computational cost. To further show the effectiveness of target orient method, We integrate our methods with other targeted attacks and gain 3% average improvement in transferability.

Khoa D. Doan,Yingjie Lao,Peng Yang,Ping Li

DOI: https://doi.org/10.48550/arXiv.2206.12381

2023-01-16

Abstract:Vision Transformers (ViTs) have a radically different architecture with significantly less inductive bias than Convolutional Neural Networks. Along with the improvement in performance, security and robustness of ViTs are also of great importance to study. In contrast to many recent works that exploit the robustness of ViTs against adversarial examples, this paper investigates a representative causative attack, i.e., backdoor. We first examine the vulnerability of ViTs against various backdoor attacks and find that ViTs are also quite vulnerable to existing attacks. However, we observe that the clean-data accuracy and backdoor attack success rate of ViTs respond distinctively to patch transformations before the positional encoding. Then, based on this finding, we propose an effective method for ViTs to defend both patch-based and blending-based trigger backdoor attacks via patch processing. The performances are evaluated on several benchmark datasets, including CIFAR10, GTSRB, and TinyImageNet, which show the proposed novel defense is very successful in mitigating backdoor attacks for ViTs. To the best of our knowledge, this paper presents the first defensive strategy that utilizes a unique characteristic of ViTs against backdoor attacks. The paper will appear in the Proceedings of the AAAI'23 Conference. This work was initially submitted in November 2021 to CVPR'22, then it was re-submitted to ECCV'22. The paper was made public in June 2022. The authors sincerely thank all the referees from the Program Committees of CVPR'22, ECCV'22, and AAAI'23.

Computer Vision and Pattern Recognition