Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in Coakley et alK. L. Coakley, T. Snelleman, H. Hoos, and O. E. Gundersen, "The embrace of open science: An analysis of a decade of AI research and 56 800 conference papers," Under Review, 2026..
HQA-VLAttack: Towards High Quality Adversarial Attack on Vision-Language Pre-Trained Models
Authors: Han Liu, Jiaqi Li, Zhi Xu, Xiaotong Zhang, Xiaoming Xu, Fenglong Ma, Yuanman Li, Hong Yu
NeurIPS 2025 | Venue PDF | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Experimental results on three benchmark datasets demonstrate that HQA-VLAttack significantly outperforms strong baselines in terms of attack success rate. |
| Researcher Affiliation | Academia | Han Liu Dalian University of Technology Dalian, China EMAIL Jiaqi Li Dalian University of Technology Dalian, China EMAIL Zhi Xu Dalian University of Technology Dalian, China EMAIL Xiaotong Zhang Dalian University of Technology Dalian, China EMAIL Xiaoming Xu Dalian University of Technology Dalian, China EMAIL Fenglong Ma The Pennsylvania State University Pennsylvania, USA EMAIL Yuanman Li Shenzhen University Shenzhen, China EMAIL Hong Yu Dalian University of Technology Dalian, China EMAIL |
| Pseudocode | Yes | The detailed algorithm procedure of HQA-VLAttack is given in Appendix C. |
| Open Source Code | Yes | 2The source code is publicly available at https://github.com/HQA-VLAttack/HQA-VLAttack |
| Open Datasets | Yes | We conduct experiments on three widely-used public multimodal datasets Flickr30K [25], MSCOCO [16], and Ref COCO+ [36]. |
| Dataset Splits | Yes | We adopt the Karpathy split for experimental evaluation. |
| Hardware Specification | No | The provided paper text does not contain explicit details about the specific hardware used for running experiments (e.g., GPU models, CPU types, or memory). |
| Software Dependencies | No | The provided paper text does not specify software dependencies with version numbers. |
| Experiment Setup | Yes | For image attacks, we employ PGD with perturbation bound ϵv = 2/255, step size α = 0.5/255, and iteration steps N = 10. We leverage a combination of BERT-Attack and counter-filter word vectors to craft adversarial texts. The perturbation boundary is set to ϵt = 1. For BERT-Attack, the length of the word list is W = 10. For the word vectors, the similarity threshold is set to τ = 0.4. In contrastive learning, the positive pair penalty factor λ is set to 10, batch size is set to 16. Image scale sets S = {0.50, 0.75, 1.00, 1.25, 1.50}. |