
License: CC BY 4.0
arXiv:2402.00626v2 [cs.CV] 16 Feb 2024

Vision-LLMs Can Fool Themselves with Self-Generated Typographic Attacks

Maan Qraitem, Nazia Tasnim, Piotr Teterwak, Kate Saenko, Bryan A. Plummer
Boston University
{mqraitem, nimzia, piotrt, saenko, bplum}@bu.edu
Abstract

Typographic attacks, which paste misleading text onto an image, are known to harm the performance of vision-language models like CLIP. However, the susceptibility of recent Large Vision-Language Models (LVLMs) to these attacks remains understudied. Furthermore, prior work's typographic attacks against CLIP randomly sample a misleading class from a predefined set of categories; this simple strategy misses more effective attacks that exploit LVLMs' stronger language skills. To address these issues, we first introduce a benchmark for testing typographic attacks against LVLMs. We then introduce two novel and more effective Self-Generated attacks, which prompt the LVLM to generate an attack against itself: 1) Class Based Attacks, where the LVLM (e.g. LLaVA) is asked which deceiving class is most similar to the target class, and 2) Descriptive Attacks, where a more advanced LVLM (e.g. GPT-4V) is asked to recommend a typographic attack that includes both a deceiving class and a description. Using our benchmark, we find that Self-Generated attacks pose a significant threat, reducing LVLM classification performance by up to 33%. We also find that attacks generated by one model (e.g. GPT-4V or LLaVA) are effective against the model itself and against other models such as InstructBLIP and MiniGPT4. Code: https://github.com/mqraitem/Self-Gen-Typo-Attack


1 Introduction

Typographic attacks mislead a vision and language model by superimposing deceptive text on an image. The attacks exploit the model’s reliance on textual cues to interpret the visual content. For example, prior work Azuma and Matsui (2023) found that Typographic attacks significantly degraded CLIP accuracy on several classification datasets. As shown in Figure 1 (a), the attacks involved simply pasting the text of a randomly chosen class different from the image’s ground truth.

Figure 1: Typographic Attack Comparison. (a) Prior work's typographic attack (designed for CLIP) randomly samples a deceiving class from the dataset's categories to attack the Large Vision Language Model (LVLM) Azuma and Matsui (2023). (b) Our more effective Self-Generated attack, which uses the LVLM itself to generate the attack.
Figure 2: Self-Generated Attacks Comparison. Overview of the two types of Self-Generated Attacks: (a) Class Based and (b) Descriptive Attacks. Refer to Section 2.2 for discussion.

Since the introduction of CLIP Radford et al. (2021), the field has made rapid advances on a new class of vision-language systems: Large Vision Language Models (LVLMs) Liu et al. (2023b); Zhu et al. (2023); Dai et al. (2023); Yang et al. (2023), which are built on strong language models with rich language understanding. This property enables a user-friendly and more accessible language interface for interacting with the model. With that, typographic attacks that derail the model's understanding of an image's visual content represent an urgent threat. This is all the more relevant because prior work showed that LVLMs possess optical character recognition (OCR) capabilities Liu et al. (2023d), so text in an image can influence their predictions. For example, pasting text relevant to an unsafe query onto an image can bypass LVLM safety mechanisms Liu et al. (2023c), and modifying the text in an image can change the model's understanding of the image Liu et al. (2023a). However, a comprehensive study of algorithmic typographic attacks against LVLMs, where inaccurate text that contradicts the image's content is pasted onto it, is notably missing.

To address these issues, we revisit typographic attacks for LVLMs. We develop a benchmark that uses five datasets and find that typographic attacks can reduce LVLM classification accuracy by up to 33%. Moreover, as shown in Figure 1 (b), we propose Self-Generated Attacks, a more effective class of attacks than the Random Class attack of prior work Azuma and Matsui (2023), which was designed for CLIP. Our attack is based on the surprising finding that prompting the LVLM itself can generate an effective attack. We identify two main ways to do so: 1) Class Based attacks, where the model is asked to identify the class most similar to the ground truth, which is then used as the deceiving class (see Figure 2 (a)), and 2) Descriptive attacks, where the model is asked to recommend the most confusing typographic attack against itself, yielding a deceiving class together with a motivating sentence that enhances the attack's credibility (see Figure 2 (b)). Using our benchmark, we show that our Self-Generated Attacks reduce average classification accuracy by 33 points, about 17 points more than Random Class (Table 1). Moreover, Descriptive attacks, which carry a motivating description, outperform the best Class Based attack by about 6 points.

Our contributions can be summarized:

  • We introduce a diverse and comprehensive Typographic attack benchmark for Large Vision Language Models LVLM(s).

  • We demonstrate that our novel Self-Generated Typographic attacks can reduce LVLM classification performance by up to 33%.

  • We demonstrate how Self-Generated attacks by one model could generalize to other models.

2 Typographic Attacks Against Large Vision Language Models

Assume we are given a dataset $D$ of image-target pairs $(X, Y)$. Given an image-target pair $(x, y) \in D$, a typographic attack algorithm $a$ Azuma and Matsui (2023) takes the pair and produces an image $\hat{x}$ with the text of a deceiving class $\hat{y}$ pasted on it, i.e. $a(x, y) = (\hat{x}, \hat{y})$ where $\hat{y} \neq y$. The attack is successful when the model uses the textual information $\hat{y}$ from the attack to make its prediction rather than the visual content of $y$, and hence mispredicts $y$ as $\hat{y}$. In this paper, we revisit typographic attacks for Large Vision Language Models Liu et al. (2023b); Zhu et al. (2023); Dai et al. (2023); Yang et al. (2023). We introduce a typographic attack benchmark suited to Large Vision Language Models in Section 2.1 and then describe our new Self-Generated typographic attacks in Section 2.2.

2.1 Typographic Attacks Benchmark

Model          No Text   Random Class ↓   Class Based (ours) ↓      Descriptive (ours) ↓
                                          VE     LLM    LVLM        LLM    LVLM
GPT4-V         72.7      66.0             38.9   57.8   50.9        58.1   31.8
LLaVA 1.5      50.8      27.3             18.3   18.2   13.2        11.5    9.9
InstructBLIP   60.2      26.8             20.6   23.0   22.2        13.9   14.9
MiniGPT4-2     27.7      25.6             25.7   24.6   25.3        23.7   22.4
Avg            52.9      36.4             25.9   30.9   27.9        26.8   19.7
Table 1: Classification accuracy (%) under each typographic attack, averaged over the five datasets; lower accuracy (↓) means a stronger attack. Attacks: the Random Class attack of Azuma and Matsui (2023) and our Self-Generated Attacks. Models: GPT-4V Yang et al. (2023), LLaVA 1.5 Liu et al. (2023b), MiniGPT4-2 Zhu et al. (2023), and InstructBLIP Dai et al. (2023). Sub-columns: VE retrieves the most similar class with the CLIP visual encoder of LLaVA 1.5; LLM poses the generation query to the LLM underlying the generating model; LVLM poses it to the full LVLM (LLaVA 1.5 for Class Based, GPT-4V for Descriptive; see Section 3). Refer to Section 3 for further discussion.

In this section, we develop a benchmark for testing typographic attacks for Large Vision Language Models (LVLMs). Radford et al. (2021); Azuma and Matsui (2023) tested these attacks on CLIP Radford et al. (2021), an image-text similarity network, where the scores of the correct and wrong classes are compared. In this work, we are concerned with LVLM(s) Liu et al. (2023b); Zhu et al. (2023); Dai et al. (2023); Yang et al. (2023) which, unlike CLIP, are image-to-text models capable of instruction following. Therefore, inspired by recent work on evaluating LVLM(s) Fu et al. (2023); Xu et al. (2023), we propose the following benchmark.

Assume we are given a set of typographic attack algorithms $a \in A$, each of which takes an image-target pair $(x, y)$ and produces a deceiving image-target pair $(\hat{x}_a, \hat{y}_a)$. To compare the impact of the attacks on an LVLM, we present the LVLM with each algorithm's manipulated image and ask it to choose the correct answer $y$ from the set of choices $C$ comprising the ground truth and the deceiving class produced by every algorithm, i.e. $C = \{y\} \cup \{\hat{y}_a \mid a \in A\}$. For example, if the image is labeled Jeep and two algorithms produce attacks containing Audi and Fiat, we instruct the model to choose between {Jeep, Audi, Fiat}. We shuffle the order of the options in the question prompt to avoid model bias toward any answer position. Refer to Appendix D for details on the question prompt.

Figure 3: Comparing the effect of descriptions produced by the Recommended Attacks on performance. Refer to Section 3.1 for further discussion.

Finally, Azuma and Matsui (2023) paste the attack at a random location on the image. However, this might occlude important visual cues (e.g. a car logo when predicting the car model). To avoid this issue, we add a white space at the bottom and top of the image to allow for textual attacks. Refer to Appendix E for an illustrative example.

2.2 Self-Generated Attacks

Azuma and Matsui (2023) generated an attack by pasting a random deceiving class from a predefined set of categories. For example, if the image shows a golden retriever, the attack pastes the text of a randomly chosen dog breed, such as hound. However, hound might not be the breed that the LVLM is most likely to confuse with golden retriever. One way to mitigate this is to examine which other classes in the dataset a model might confuse with golden retriever. However, this relies on human intuition, which varies between people, and a person may not have a good idea of what a model finds confusing. For example, a person may not consider a computer desk and a monitor similar, but since they co-occur often, a model may find them confusing. Thus, we introduce a novel class of typographic attacks, Self-Generated Attacks, which use the LVLM itself to create the attack. We identify two main attacks under this class: Class Based Attacks and Descriptive Attacks.

Class Based Attacks rest on a simple observation: a deceiving class that is visually similar to the target class is likely a more effective attack than a random class. Therefore, as shown in Figure 2 (a), we ask the LVLM itself which deceiving class is most similar to the ground truth and paste that class.

Descriptive Attacks. While Class Based Attacks carry a stronger prior (visual similarity) than random attacks, they do not make use of the sophisticated language capabilities of LVLMs. These models can incorporate richer language than a bare class name when making a prediction. Based on this observation, we explore whether a descriptive attack that motivates the deceiving class is more effective than pasting the deceiving class alone. To obtain such an attack, we simply ask the LVLM to recommend an attack against itself, as Figure 2 (b) demonstrates. This yields both a deceiving class and a descriptive justification for it.

3 Experiments

Datasets. We use five classification datasets: OxfordPets Parkhi et al. (2012), StanfordCars Krause et al. (2013), Flowers Nilsback and Zisserman (2008), Aircraft Maji et al. (2013) and Food101 Bossard et al. (2014). These datasets cover a diverse set of domains, which is critical for testing LVLMs' vulnerability to textual attacks given their use as generic visual assistants. Refer to Appendix C for further details about the datasets.

LVLM Models Evaluated. We test on four of the recent large vision language models (LVLMs). Namely, we test LLaVA 1.5 Liu et al. (2023b), MiniGPT4 Zhu et al. (2023), InstructBLIP Dai et al. (2023), and GPT-4V Yang et al. (2023).

Typographic Attacks. We compare the Random Class attack of Azuma and Matsui (2023), where a randomly sampled class is pasted on the image, to our Class Based and Descriptive Attacks (Section 2.2). For Class Based Attacks, we use LLaVA 1.5 Liu et al. (2023b) to generate the attack. For Descriptive Attacks, we note that open-source models fail to respond effectively to our attack query; we therefore use GPT-4V Yang et al. (2023), a more capable model. For both attacks, we also pose the same generation query to the LLM underlying each model and use that as a baseline. Finally, for the Class Based attack, we also test using the visual encoder (VE) underlying LLaVA 1.5 (CLIP) to retrieve the most similar class rather than asking the LVLM.
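The VE variant above retrieves the deceiving class from the encoder's embedding space rather than asking the model. The following is an added example, not code from the paper or its repository, showing that retrieval with constructed toy vectors standing in for CLIP text-encoder outputs; `TOY_EMBEDDINGS`, `most_similar_classes` and `ve_class_based_attack` are names chosen here. With a real encoder, the class prompts should be embedded with the victim model's own visual-encoder text tower, since that is the similarity the attack is meant to exploit.

```python
# Added example, not the paper's code: the Visual Encoder (VE) variant of the
# Class Based attack. Retrieves, for each ground-truth class, the other class
# nearest to it in embedding space. The vectors below are constructed toy
# values, not CLIP outputs; a real embedding matrix can be passed in unchanged.
import math
from typing import Dict, List, Sequence


def cosine(u: Sequence[float], v: Sequence[float]) -> float:
    """Cosine similarity; zero-norm vectors are rejected rather than silently scored."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    if nu == 0.0 or nv == 0.0:
        raise ValueError("zero-norm embedding")
    return dot / (nu * nv)


def most_similar_classes(embeddings: Dict[str, Sequence[float]], k: int = 1) -> Dict[str, List[str]]:
    """For every class y, the k other classes ranked by cosine similarity to y.
    The ground truth itself is excluded (y_hat != y) and ties break on the class
    name so the attack table is deterministic across runs."""
    table: Dict[str, List[str]] = {}
    for y, e in embeddings.items():
        ranked = sorted(((cosine(e, f), c) for c, f in embeddings.items() if c != y),
                        key=lambda t: (-t[0], t[1]))
        table[y] = [c for _, c in ranked[:k]]
    return table


def ve_class_based_attack(embeddings: Dict[str, Sequence[float]]) -> Dict[str, str]:
    """Deceiving class per ground-truth class: its nearest neighbour in VE space."""
    return {y: cands[0] for y, cands in most_similar_classes(embeddings, 1).items()}


# Constructed 3-d embeddings for four car makes (illustrative values only).
TOY_EMBEDDINGS = {
    "Volkswagen": (1.0, 0.9, 0.1),
    "Audi": (0.9, 1.0, 0.1),
    "McLaren": (0.1, 0.0, 1.0),
    "Ferrari": (0.0, 0.1, 1.0),
}

if __name__ == "__main__":
    # Volkswagen maps to Audi rather than McLaren, the contrast drawn in Appendix B.
    print(ve_class_based_attack(TOY_EMBEDDINGS))
```

The resulting table is exactly what the Class Based attack pastes: `attack_table[y]` is the deceiving class for an image labeled `y`. Returning the top-k ranking rather than only the argmax lets a benchmark also try the second- and third-nearest classes when the nearest one is already used by another attack algorithm in the choice set.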

Figure 4: Comparing the effect of prompting the LVLM to ignore the typographic attack text. Green arrows mark gains in performance and red arrows mark drops. The black dashed line marks baseline performance with no attack. Refer to Section 3.1 for further discussion.

3.1 Typographic Attack Results

Table 1 reports accuracy under each typographic attack, averaged over all datasets. Descriptive Attacks generated by the LVLM GPT-4V are the strongest: they lower average accuracy to 19.7, about 17 points below the Random Class attack of Azuma and Matsui (2023) (36.4) and about 6 points below the best Class Based variant, VE (25.9). This is likely because, unlike Random Class and Class Based attacks, which paste a class name only, Descriptive Attacks also paste a motivating description. Note also that for LLaVA 1.5 and InstructBLIP the Random Class attack is already fairly effective: both lose roughly half of their baseline accuracy. GPT-4V, by contrast, loses only about 7 points (72.7 to 66.0) under Random Class but about six times that (72.7 to 31.8) under our Descriptive attack. This is likely because GPT-4V has stronger reasoning capabilities Fu et al. (2023) and is thus less easily deceived by an arbitrary class name.

Despite having the lowest accuracy with no attack, MiniGPT4-2 is the most robust to typographic attacks: its accuracy drops by only about 5 points (27.7 to 22.4, under 20% of its baseline) under the most effective attack. This is likely because MiniGPT4 has poorer optical character recognition (OCR) Liu et al. (2023d), which makes it less likely to incorporate the attack text into its prediction. GPT-4V comes second, dropping 41 points (72.7 to 31.8, about 56% of its baseline) under the most effective attack, a considerably smaller relative loss than for LLaVA 1.5 or InstructBLIP, which lose roughly 80% and 77% of their baseline accuracy respectively (50.8 to 9.9 and 60.2 to 13.9).

Descriptive Attack Descriptions. We test the effect of the descriptions in our Descriptive Attacks (Section 2.2) on overall performance. For each image, we compare using no description, a random description taken from another image, and the description generated for that image. See Figure 3. Using the image's own description is the most effective at reducing performance across models. Most notably, a random description attack on GPT-4V performs almost the same as no description at all. This is likely because GPT-4V's strong reasoning capabilities let it notice the discrepancy between the description and the content of the image. We find the opposite trend for the other models, where even a random description is more powerful than the class alone.

Can LVLMs Ignore the Attack? Could typographic attacks be mitigated simply by prompting the LVLM to ignore the text in the image? See Figure 4. No model recovers its baseline performance without a typographic attack (dashed lines), although some gain part of it back: GPT-4V improves the most, while LLaVA 1.5 improves mildly. More surprisingly, InstructBLIP and MiniGPT4-2 get worse, which indicates that these models cannot execute this instruction. Overall, the results indicate that future work should pay greater attention to typographic attacks on LVLMs.

4 Conclusion

In this paper, we introduced a typographic attack benchmark for LVLMs and showed that typographic attacks remain a concern for them. We also introduced a novel class of attacks, Self-Generated typographic attacks, designed specifically for LVLMs. Using our benchmark, we showed that these attacks pose an even larger threat to LVLMs than prior work's attacks.

Acknowledgements This material is based upon work supported, in part, by DARPA under agreement number HR00112020054. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the supporting agencies.

References

  • Azuma and Matsui (2023) Hiroki Azuma and Yusuke Matsui. 2023. Defense-prefix for preventing typographic attacks on clip. arXiv preprint arXiv:2304.04512.
  • Bossard et al. (2014) Lukas Bossard, Matthieu Guillaumin, and Luc Van Gool. 2014. Food-101–mining discriminative components with random forests. In Computer Vision–ECCV 2014: 13th European Conference, Zurich, Switzerland, September 6-12, 2014, Proceedings, Part VI 13, pages 446–461. Springer.
  • Dai et al. (2023) Wenliang Dai, Junnan Li, Dongxu Li, Anthony Meng Huat Tiong, Junqi Zhao, Weisheng Wang, Boyang Li, Pascale Fung, and Steven Hoi. 2023. Instructblip: Towards general-purpose vision-language models with instruction tuning. arXiv preprint arXiv:2305.06500.
  • Fu et al. (2023) Chaoyou Fu, Peixian Chen, Yunhang Shen, Yulei Qin, Mengdan Zhang, Xu Lin, Jinrui Yang, Xiawu Zheng, Ke Li, Xing Sun, et al. 2023. MME: A comprehensive evaluation benchmark for multimodal large language models. arXiv preprint arXiv:2306.13394.
  • Krause et al. (2013) Jonathan Krause, Michael Stark, Jia Deng, and Li Fei-Fei. 2013. 3d object representations for fine-grained categorization. In Proceedings of the IEEE international conference on computer vision workshops, pages 554–561.
  • Liu et al. (2023a) Fuxiao Liu, Tianrui Guan, Zongxia Li, Lichang Chen, Yaser Yacoob, Dinesh Manocha, and Tianyi Zhou. 2023a. Hallusionbench: You see what you think? or you think what you see? an image-context reasoning benchmark challenging for gpt-4v (ision), llava-1.5, and other multi-modality models. arXiv preprint arXiv:2310.14566.
  • Liu et al. (2023b) Haotian Liu, Chunyuan Li, Qingyang Wu, and Yong Jae Lee. 2023b. Visual instruction tuning. In NeurIPS.
  • Liu et al. (2023c) Xin Liu, Yichen Zhu, Yunshi Lan, Chao Yang, and Yu Qiao. 2023c. Query-relevant images jailbreak large multi-modal models. arXiv preprint arXiv:2311.17600.
  • Liu et al. (2023d) Yuliang Liu, Zhang Li, Hongliang Li, Wenwen Yu, Mingxin Huang, Dezhi Peng, Mingyu Liu, Mingrui Chen, Chunyuan Li, Lianwen Jin, et al. 2023d. On the hidden mystery of OCR in large multimodal models. arXiv preprint arXiv:2305.07895.
  • Maji et al. (2013) Subhransu Maji, Esa Rahtu, Juho Kannala, Matthew Blaschko, and Andrea Vedaldi. 2013. Fine-grained visual classification of aircraft. arXiv preprint arXiv:1306.5151.
  • Nilsback and Zisserman (2008) Maria-Elena Nilsback and Andrew Zisserman. 2008. Automated flower classification over a large number of classes. In 2008 Sixth Indian conference on computer vision, graphics & image processing, pages 722–729. IEEE.
  • Parkhi et al. (2012) Omkar M Parkhi, Andrea Vedaldi, Andrew Zisserman, and CV Jawahar. 2012. Cats and dogs. In 2012 IEEE conference on computer vision and pattern recognition, pages 3498–3505. IEEE.
  • Radford et al. (2021) Alec Radford, Jong Wook Kim, Chris Hallacy, Aditya Ramesh, Gabriel Goh, Sandhini Agarwal, Girish Sastry, Amanda Askell, Pamela Mishkin, Jack Clark, et al. 2021. Learning transferable visual models from natural language supervision. In International conference on machine learning, pages 8748–8763. PMLR.
  • Xu et al. (2023) Peng Xu, Wenqi Shao, Kaipeng Zhang, Peng Gao, Shuo Liu, Meng Lei, Fanqing Meng, Siyuan Huang, Yu Qiao, and Ping Luo. 2023. LVLM-eHub: A comprehensive evaluation benchmark for large vision-language models. arXiv preprint arXiv:2306.09265.
  • Yang et al. (2023) Zhengyuan Yang, Linjie Li, Kevin Lin, Jianfeng Wang, Chung-Ching Lin, Zicheng Liu, and Lijuan Wang. 2023. The dawn of lmms: Preliminary explorations with gpt-4v (ision). arXiv preprint arXiv:2309.17421, 9(1).
  • Zhu et al. (2023) Deyao Zhu, Jun Chen, Xiaoqian Shen, Xiang Li, and Mohamed Elhoseiny. 2023. Minigpt-4: Enhancing vision-language understanding with advanced large language models. arXiv preprint arXiv:2304.10592.

Appendix A Results for each dataset

In Section 3, we reported results averaged over all datasets in our benchmark. Here we break the results down per dataset; refer to Table 2. As discussed in Section 3.1, our Self-Generated typographic attacks (Section 2.2), both Class Based and Descriptive, are on average more effective than the Random Class attack of prior work at reducing model performance. The one exception is MiniGPT4-2, whose accuracy barely moves under any attack and which on some datasets scores marginally higher under a Self-Generated attack than under Random Class. Moreover, Descriptive attacks are on average more effective than Class Based attacks. This is likely due to their deceiving descriptions, which harness the sophisticated language understanding of LLMs.

Appendix B Qualitative Examples

This Section provides more qualitative examples of the attacks generated by our new class of Typographic Attacks, Self-Generated Attacks (Section 2.2), including Class Based Attacks and Descriptive Attacks. Refer to Figure 6. Our method generalizes across datasets of different domains. Class Based Attacks recommend similar, and hence more effective, deceiving classes (in column 2, Audi, which is closer to the ground-truth Volkswagen than the randomly sampled McLaren), and Descriptive Attacks recommend a convincing deceiving description as well as a deceiving class across domains. For example, the Descriptive Attack in column 2 explains away the old-fashioned look of the car in the image as an Audi "re-imagining an old design for a modern era", and hence fools the model.

Appendix C Dataset Details

In this Section, we provide details about the datasets used in our experiments. As discussed in Section 3, we use five classification datasets covering a diverse variety of domains: OxfordPets Parkhi et al. (2012) for fine-grained classification of 37 pet breeds, StanfordCars Krause et al. (2013) for fine-grained classification of 196 car models, Flowers Nilsback and Zisserman (2008) for fine-grained classification of 102 flower classes, Aircraft Maji et al. (2013) for fine-grained classification of 100 aircraft models, and Food101 Bossard et al. (2014) for classification of 101 food dishes. We limit the test set of each dataset to 1000 samples because of the computational and monetary cost of evaluating GPT-4V.

Figure 5: Comparing prior work's process for testing typographic attacks on an image (a) and ours (b), where we add white space at the bottom and top of the image to hold the attack text. Refer to Appendix E for discussion.
Figure 6: Qualitative comparison between Random Class typographic attacks Azuma and Matsui (2023) (first row) and our Self-Generated Attacks (Section 2.2), Class Based Attacks (second row) and Descriptive Attacks (third row), on three of the datasets in our benchmark: StanfordCars Krause et al. (2013), Aircraft Maji et al. (2013) and Food101 Bossard et al. (2014). Refer to Appendix B for discussion.

Appendix D Evaluation Question

In Section 2.1, we defined a benchmark for testing LVLMs' vulnerability to typographic attacks. We present the LVLM with the manipulated image produced by each typographic attack algorithm and ask it to choose the correct class among the ground truth and the deceiving classes produced by the algorithms. This Section gives the question prompt in detail. Assuming $C$ is the set of deceiving classes produced by the typographic attack algorithms and $y$ is the image's ground truth, we pose the following question to the LVLM:

Select the correct {Dataset Subject} pictured in the image: (1) {C[0]}, (2) {C[1]}, (3) {y}, … (N) {class N}. Answer with either (1) or (2) … (N) only.

We then test whether the model's answer contains the correct choice (here, (3)). The position of $y$ among the options is randomized to avoid model bias toward a particular answer number.
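As an added example, not code from the paper or its repository, the following Python script implements the benchmark protocol of Section 2.1 and this appendix offline: it builds the choice set $C$, shuffles it once per image, renders the question above, scores the answer, and reports absolute and relative accuracy drops in the two forms used in Section 3.1. Images are modelled as small dicts (visual label plus pasted text), the "most similar class" table and the text-following model are constructed stand-ins, and all function names are chosen here. One practitioner caveat is built in: a plain substring check for the correct option would also accept a reply that echoes every option, so `parse_choice` accepts only answers naming exactly one option.

```python
# Added example, not the paper's code: an offline version of the multiple-choice
# benchmark of Section 2.1 / Appendix D. Images are constructed stand-ins (a dict
# with the visual label and any pasted text), so no model or pixels are needed.
import random
import re
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Image = Dict[str, Optional[str]]                    # {"visual": y, "text": pasted or None}
Attack = Callable[[Image, str], Tuple[Image, str]]  # a(x, y) = (x_hat, y_hat)

def paste_text(img: Image, text: str) -> Image:
    """x_hat: the image with attack text in the added white margin (Appendix E)."""
    return {"visual": img["visual"], "text": text}

def random_class_attack(classes: Sequence[str], rng: random.Random) -> Attack:
    """Prior work's attack: a random class different from y."""
    def attack(img: Image, y: str) -> Tuple[Image, str]:
        y_hat = rng.choice([c for c in classes if c != y])
        return paste_text(img, y_hat), y_hat
    return attack

def lookup_attack(table: Dict[str, str]) -> Attack:
    """Class Based attack from a precomputed 'most similar class' table
    (a hypothetical table standing in for the LVLM's own recommendations)."""
    def attack(img: Image, y: str) -> Tuple[Image, str]:
        return paste_text(img, table[y]), table[y]
    return attack

def build_choice_set(y: str, deceiving: Sequence[str]) -> List[str]:
    """C = {y} U {y_hat_a : a in A}, deduplicated, ground truth always present."""
    choices = [y]
    for c in deceiving:
        if c not in choices:
            choices.append(c)
    return choices

def build_question(subject: str, choices: Sequence[str]) -> str:
    """Render the Appendix D prompt for an already shuffled choice list."""
    options = ", ".join(f"({i}) {c}" for i, c in enumerate(choices, 1))
    answers = " or ".join(f"({i})" for i in range(1, len(choices) + 1))
    return (f"Select the correct {subject} pictured in the image: {options}. "
            f"Answer with either {answers} only.")

CHOICE_RE = re.compile(r"\((\d+)\)")

def parse_choice(answer: str, n_choices: int) -> Optional[int]:
    """Strict parser: exactly one distinct in-range option number, else None.
    A bare substring test ('(3)' in answer) would score a reply that echoes
    every option as correct; rejecting ambiguous replies avoids that."""
    found = {int(m) for m in CHOICE_RE.findall(answer) if 1 <= int(m) <= n_choices}
    return found.pop() if len(found) == 1 else None

def evaluate(model: Callable[[Image, str], str], samples: Sequence[Tuple[Image, str]],
             attacks: Dict[str, Attack], subject: str, seed: int = 0) -> Dict[str, float]:
    """Accuracy (%) per condition ('No Text' plus one per attack). For a given
    image the choice set and its shuffled order are shared across conditions."""
    rng = random.Random(seed)
    correct = {"No Text": 0, **{name: 0 for name in attacks}}
    for img, y in samples:
        attacked = {name: a(img, y) for name, a in attacks.items()}
        choices = build_choice_set(y, [y_hat for _, y_hat in attacked.values()])
        rng.shuffle(choices)                        # avoid answer-position bias
        prompt = build_question(subject, choices)
        gold = choices.index(y) + 1
        for name in correct:
            x = img if name == "No Text" else attacked[name][0]
            if parse_choice(model(x, prompt), len(choices)) == gold:
                correct[name] += 1
    return {name: 100.0 * c / len(samples) for name, c in correct.items()}

def accuracy_drop(results: Dict[str, float]) -> Dict[str, Tuple[float, float]]:
    """Per attack: (absolute points lost, fraction of the No Text baseline lost)."""
    base = results["No Text"]
    return {name: (base - acc, (base - acc) / base if base else 0.0)
            for name, acc in results.items() if name != "No Text"}

def text_following_model(img: Image, prompt: str) -> str:
    """Constructed stand-in for an LVLM: answers the option named by the pasted
    text when there is one (a fully OCR-driven model), else the visual label."""
    body = prompt.split("pictured in the image: ", 1)[1].split(". Answer", 1)[0]
    options = {o.split(") ", 1)[1]: o.split(") ", 1)[0] + ")" for o in body.split(", ")}
    label = img["text"] if img["text"] in options else img["visual"]
    return f"The answer is {options[label]}."

if __name__ == "__main__":
    classes = ["golden retriever", "hound", "labrador", "pug"]
    similar = {"golden retriever": "labrador", "labrador": "golden retriever",
               "hound": "pug", "pug": "hound"}                # hypothetical table
    samples = [({"visual": c, "text": None}, c) for c in classes]
    attacks = {"Random Class": random_class_attack(classes, random.Random(1)),
               "Class Based": lookup_attack(similar)}
    res = evaluate(text_following_model, samples, attacks, "pet breed")
    print(res, accuracy_drop(res))
```

Under the text-following stand-in every attack drives accuracy to zero, the worst case for a model that trusts OCR over pixels. Replacing it with a real LVLM call of the same `(image, prompt) -> str` shape, and the dict images with rendered files, turns the script into the measurement loop behind Table 1.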

Appendix E Image White Space for Typographic Attacks

In Section 2.1, we described our benchmark for testing LVLMs' weaknesses against typographic attacks. We noted that, unlike prior work Azuma and Matsui (2023), which pastes the attack at a random location in the image, we add white space at the bottom and top of the image for pasting the attack. This avoids occluding visual information needed to make the prediction. In this Section, we provide an illustrative example that motivates this choice. Examine Figure 5. The prior work attack (a) occludes the car logo, which is important for predicting the car model. Our method, Figure 5 (b), avoids this by allocating white space at the bottom and top of the image for the textual attack.

Model          No Text   Random Class   Class Based (ours)          Descriptive (ours)
                                        VE (CLIP)  LLM    LVLM      LLM    LVLM
GPT4-V         44.6      37.4           15.8       28.4   21.8      30.6    8.9
LLaVA 1.5      26.1      11.8            7.2        7.3    5.3       4.2    6.9
InstructBLIP   26.1       4.7            6.2        3.3    4.0       3.8    5.3
MiniGPT4-2     19.7      19.7           20.0       21.2   19.3      18.4   16.5
Avg            29.10     18.40          12.29      15.04  12.59     14.24   9.39
(a) Aircraft Maji et al. (2013)

Model          No Text   Random Class   Class Based (ours)          Descriptive (ours)
                                        VE (CLIP)  LLM    LVLM      LLM    LVLM
GPT4-V         81.0      74.1           58.3       70.4   62.7      70.4   43.9
LLaVA 1.5      69.0      43.0           31.4       27.8   21.4      10.8   10.8
InstructBLIP   85.0      53.1           47.6       42.6   45.0      29.7   31.3
MiniGPT4-2     33.4      33.4           33.5       29.2   34.3      34.0   30.3
Avg            67.10     50.89          42.67      42.47  40.82     36.21  29.06
(b) StanfordCars Krause et al. (2013)

Model          No Text   Random Class   Class Based (ours)          Descriptive (ours)
                                        VE (CLIP)  LLM    LVLM      LLM    LVLM
GPT4-V         74.5      65.5           33.4       56.8   50.2      66.3   28.3
LLaVA 1.5      38.3      10.8            9.3        5.3    6.5       6.5    6.8
InstructBLIP   48.3      15.5           11.6       17.9   16.4       5.9    8.2
MiniGPT4-2     20.1      17.8           18.5       17.5   17.9      16.3   14.7
Avg            45.29     27.40          18.19      24.39  22.76     23.75  14.52
(c) Flowers Nilsback and Zisserman (2008)

Model          No Text   Random Class   Class Based (ours)          Descriptive (ours)
                                        VE (CLIP)  LLM    LVLM      LLM    LVLM
GPT4-V         82.9      77.6           45.5       68.1   58.6      75.1   48.8
LLaVA 1.5      71.4      54.4           32.6       41.3   26.2      30.6   18.5
InstructBLIP   76.0      38.2           21.3       33.0   24.7      17.8   17.9
MiniGPT4-2     33.7      32.5           32.9       32.8   32.4      29.2   31.1
Avg            66.00     50.67          33.04      43.77  35.46     38.16  29.05
(d) Food101 Bossard et al. (2014)

Model          No Text   Random Class   Class Based (ours)          Descriptive (ours)
                                        VE (CLIP)  LLM    LVLM      LLM    LVLM
GPT4-V         80.5      75.4           41.8       65.2   61.3      48.4   29.1
LLaVA 1.5      49.2      16.5           11.2        9.6    6.6       5.4    6.3
InstructBLIP   65.6      22.5           16.3       18.4   20.8      12.2   11.8
MiniGPT4-2     31.9      24.7           23.8       22.6   22.6      20.9   19.4
Avg            56.79     34.76          23.25      28.94  27.81     21.70  16.64
(e) OxfordPets Parkhi et al. (2012)
Table 2: Per-dataset classification accuracy (%) under each typographic attack (the Random Class attack of Azuma and Matsui (2023) and our Self-Generated Attacks) on Large Vision Language Models GPT-4V Yang et al. (2023), LLaVA 1.5 Liu et al. (2023b), MiniGPT4-2 Zhu et al. (2023), and InstructBLIP Dai et al. (2023). Lower accuracy means a stronger attack; sub-columns are as in Table 1 (VE (CLIP) retrieves the most similar class with the CLIP visual encoder of LLaVA 1.5). Refer to Appendix A for further discussion.