The 5th Workshop of Adversarial Machine Learning on Computer Vision: Foundation Models + X


The IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2025), June 11–25, 2025, Nashville, TN, USA

AdvML Workshop: June 12, 8:30 AM-12:00 AM, Room 205A



Overview

Foundation models (FMs) have demonstrated powerful generative capabilities, revolutionizing a wide range of applications in various domains including computer vision. Building upon this success, X-domain-specific foundation models (XFMs, e.g., Autonomous Driving FMs, Medical FMs) further enhance performance in specialized tasks within their respective fields by training on a curated dataset that emphasizes domain-specific knowledge and making architectural modifications specific to the task. Alongside their potential benefits, the increasing reliance on XFMs has also exposed their vulnerabilities to adversarial attacks. These malicious attacks involve applying imperceptible perturbations to input images or prompts, which can cause the models to misclassify the objects or generate adversary-intended outputs. Such vulnerabilities pose significant risks in safety-critical applications in computer vision, such as autonomous vehicles and medical diagnosis, where incorrect predictions can have dire consequences. By studying and addressing the robustness challenges associated with XFMs, we could enable practitioners to construct robust, reliable XFMs across various domains.

The workshop will bring together researchers and practitioners from the computer vision and machine learning communities to explore the latest advances and challenges in adversarial machine learning, with a focus on the robustness of XFMs. The program will consist of invited talks by leading experts in the field, as well as contributed talks and poster sessions featuring the latest research. In addition, the workshop will also organize a challenge on adversarial attacking foundation models.

We believe this workshop will provide a unique opportunity for researchers and practitioners to exchange ideas, share latest developments, and collaborate on addressing the challenges associated with the robustness and security of foundation models. We expect that the workshop will generate insights and discussions that will help advance the field of adversarial machine learning and contribute to the development of more secure and robust foundation models for computer vision applications.


Tentative Important Dates

Timeline (Tentative)

Workshop Schedule
Event Start time End time
Opening Remarks 8:30 8:40
Challenge Session 8:40 9:00
Invited talk #1: Prof. Chao Shen 9:00 9:20
Invited talk #2: Prof. Florian Tramer 9:20 9:40
Invited talk #3: Prof. Alfred Chen 9:40 10:00
Invited Talk #4: Prof. Bo Han 10:00 10:20
Invited Talk #5: Prof. Jing Shao 10:20 10:40
Invited Talk #6: Prof. Vishal M Patel 10:40 11:00
Invited Talk #7: Prof. Chaowei Xiao 11:00 11:20
Poster Session #1 11:20 12:00
Lunch (12:00-13:00)

Proposed Speakers
Chao
Shen

Xi'an Jiaotong University

Florian
Tramer

ETH Zurich

Alfred
Chen

University of California, Irvine

Bo
Han

Hong Kong Baptist University


Jing
Shao

Shanghai AI Laboratory


Vishal
M Patel

Johns Hopkins University


Chaowei
Xiao

University of Wisconsin, Madison


Stay
Tuned

Stay Tuned

Organizers
Tianyuan
Zhang

Beihang
University
Siyang
Wu

Zhongguancun
Laboratory
Aishan
Liu

Beihang
University
Jiakai
Wang

Zhongguancun
Laboratory
Siyuan
Liang

National University
of Singapore
Felix
Juefei-Xu

GenAI at Meta
Qing
Guo

A*STAR
Xinyun
Chen

Google Brain
Yew-Soon
Ong

Nanyang Technological
University
Xianglong
Liu

Beihang
University
Dawn
Song

UC Berkeley
Alan
Yuille

Johns Hopkins
University
Philip
H.S. Torr

Oxford
University
Dacheng
Tao

Nanyang Technological
University

Call for Papers

Foundation models (FMs) have demonstrated powerful generative capabilities, revolutionizing a wide range of applications in various domains including computer vision. Building upon this success, X-domain-specific foundation models (XFMs, e.g., Autonomous Driving FMs, Medical FMs) further enhance performance in specialized tasks within their respective fields by training on a curated dataset that emphasizes domain-specific knowledge and making architectural modifications specific to the task. Alongside their potential benefits, the increasing reliance on XFMs has also exposed their vulnerabilities to adversarial attacks.The workshop will bring together researchers and practitioners from the computer vision and machine learning communities to explore the latest advances and challenges in adversarial machine learning, with a focus on the robustness of XFMs. We welcome research contributions related to the following (but not limited to) topics:
  • Robustness of X-domain-specific foundation models
  • Adversarial attacks on computer vision tasks
  • Improving the robustness of deep learning systems
  • Interpreting and understanding model robustness, especially foundation models
  • Adversarial attacks for social good
  • Dataset and benchmark that could evaluate foundation model robustness
Format: Submissions papers (.pdf format) must use the CVPR 2025 Author Kit for LaTeX/Word Zip file and be anonymized and follow CVPR 2025 author instructions. The workshop considers two types of submissions: (1) Long Paper: Papers are limited to 8 pages excluding references; (2) Extended Abstract: Papers are limited to 4 pages including references. Accepted papers have the option to be included in the CVF and IEEE Xplore Proceedings.

Submission Site: https://openreview.net/group?id=thecvf.com/CVPR/2025/Workshop/Advml
Submission Due (both Paper and Supplementary Material): !!!Time Delay March 25, 2025, 11:59 PM (UTC±0)


Accepted Long Paper

  • Trustworthy Multi-UAV Collaboration: A Self-Supervised Framework for Explainable and Adversarially Robust Decision-Making [Paper]
    Yuwei Chen (Aviation Industry Development Research Center of China); Shiyong Chu (Aviation Industry Development Research Center of China)
  • Defending Against Frequency-Based Attacks with Diffusion Models [Paper]
    Fatemeh Amerehi (University of Limerick); Patrick Healy (University of Limerick)
  • Attacking Attention of Foundation Models Disrupts Downstream Tasks [Paper]
    Hondamunige Prasanna Silva (University of Florence); Federico Becattini (University of Siena); Lorenzo Seidenari (University of Florence)
  • Towards Evaluating the Robustness of Visual State Space Models [Paper]
    Hashmat Shadab Malik (Mohamed Bin Zayed University of AI); Fahad Shamshad (Mohamed Bin Zayed University of AI); Muzammal Naseer (Khalifa University); Karthik Nandakumar (Michigan State University); Fahad Shahbaz Khan (Mohamed Bin Zayed University of AI); Salman Khan (Mohamed Bin Zayed University of AI)
  • FullCycle: Full Stage Adversarial Attack For Reinforcement Learning Robustness Evaluation [Paper]
    Zhenshu Ma (Beihang University); Xuan Cai (Beihang University); Changhang Tian (Beihang University); Yuqi Fan (Beihang University); Kemou Jiang (Beihang University); Gangfu Liu (Beihang University); Xuesong Bai (Beihang University); Aoyong Li (Beihang University); Yilong Ren (Beihang University); Haiyang Yu (Beihang University)
  • Human Aligned Compression for Robust Models [Paper]
    Samuel Räber (ETH Zürich); Andreas Plesner (ETH Zürich); Till Aczel (ETH Zürich); Roger Wattenhofer (ETH Zürich)
  • Probing Vulnerabilities of Vision-LiDAR Based Autonomous Driving Systems [Paper]
    Siwei Yang (University of California, Santa Cruz); Zeyu Wang (University of California, Santa Cruz); Diego Ortiz (University of California, Santa Cruz); Luis Burbano (University of California, Santa Cruz); Murat Kantarcioglu (Virginia Tech); Alvaro A. Cardenas (University of California, Santa Cruz); Cihang Xie (University of California, Santa Cruz)
  • Task-Agnostic Attacks Against Vision Foundation Models [Paper]
    Brian Pulfer (University of Geneva); Yury Belousov (University of Geneva); Vitaliy Kinakh (University of Geneva); Teddy Furon (University of Renne); Slava Voloshynovskiy (University of Geneva)
  • EL-Attack: Explicit and Latent Space Hybrid Optimization based General and Effective Attack for Autonomous Driving Trajectory Prediction [Paper]
    Xuesong Bai (Beihang University); Changhang Tian (State Key Laboratory of Intelligent Transportation Systems); Wei Xia (State Key Laboratory of Intelligent Transportation Systems); Zhenshu Ma (Beihang University); Haiyang Yu (Beihang University); Yilong Ren (Beihang University);
  • VidModEx: Interpretable and Efficient Black Box Model Extraction for High-Dimensional Spaces [Paper]
    Somnath Sendhil Kumar (Microsoft Research); Yuvaraj Govindarajulu (AIShield, Bosch Global Software Technologies); Pavan Kulkarni (AIShield, Bosch Global Software Technologies); Manojkumar Parmar (AIShield, Bosch Global Software Technologies)
  • Attention-Aware Temporal Adversarial Shadows on Traffic Sign Sequences [Paper]
    Pedram MohajerAnsari (Clemson University), Amir Salarpour (Clemson University), David Fernandez (Clemson University), Cigdem Kokenoz (Clemson University), Bing Li (Clemson University), Mert D. Pesé (Clemson University)
  • One Noise to Fool Them All: Universal Adversarial Defenses Against Image Editing [Paper]
    Shorya Singhal (Data Science Group, IIT Roorkee); Parth Badgujar (Data Science Group, IIT Roorkee); Devansh Bhardwaj (Data Science Group, IIT Roorkee);

Accepted Extended Abstract

  • On the Safety Challenges of Vision-Language Models in Autonomous Driving [Paper]
    Yang Qu (Beihang University), Lu Wang (Beihang University)
  • Camouflage Attack on Vision-Language Models for Autonomous Driving [Paper]
    Dehong Kong (Sun Yat-sen University); Sifan Yu (Sun Yat-sen University); Linchao Zhang (China Electronics Technology Group Corporation); Shirui Luo (China Electronics Technology Group Corporation); Siying Zhu (China Electronics Technology Group Corporation); Yanzhao Su (Rocket Force University of Engineering); WenQi Ren (Sun Yat-sen University)
  • Improvement of Selecting and Poisoning Data in Copyright Infringement Attack [Paper]
    Feiyu Yang(Nanyang Technological University)
  • Multi-Task Vision Experts for Brain Captioning [Paper]
    Weihao Xia (University of Cambridge), Cengiz Oztireli (University of Cambridge)

Challenge

With the widespread application of Multimodal Large Language Models (MLLMs) globally, their security and robustness have become a focal point of academic and industrial attention. In order to delve deeper into the potential risks of these models and enhance their security in practical applications, we are launching this global red team security challenge.
This challenge aims to invite developers, researchers, and enthusiasts worldwide to design and submit image-text pairs that can trigger harmful, inappropriate, or illegal content generation by multimodal large language models from a "red team" perspective. Through this process, we hope to expose vulnerabilities in the models, drive innovation in security technology, and provide essential directions for future model development.
The competition consists of two stages. In Phase I, the organizers will provide harmful text prompts in various risk categories, and participants must design corresponding adversarial image-text pairs to induce security risks in MLLMs. In Phase II, the organizers will present more challenging harmful text prompts in different risk categories, with participants aiming for similar objectives as in the preliminary round. Ultimately, teams will be evaluated based on the success rate of attacks using the final round image-text pairs to determine the winning teams.
The challenge is now open, and participants can register and access detailed information at the following link:
Challenge Site: https://challenge.aisafety.org.cn/#/competitionDetail?id=19

Timeline

Challenge Timeline
Mar 24, 2025 Competition starts
Mar 26, 2025 Phase 1 starts
April 16, 2025 Phase 1 ends
April 21, 2025 Phase 2 starts
May 11, 2025 Phase 2 ends
May 30, 2025 Results will be released and participants will be selected to present
June 2025 Awards and presentation

Challenge Chair
Siyang
Wu

Zhongguancun
Laboratory
Zonglei
Jing

Beihang
University
Zonghao
Ying

Beihang
University
Hainan
Li

Data Space
Research Institute
Zhilei
Zhu

Data Space
Research Institute
Haotong
Qin

ETH
Zurich
Yue
Yu

Pengcheng
Laboratory
Lei
Chen

Tsinghua
University
Xianglong
Liu

Beihang
University

Sponsors

logo-img
logo-img
logo-img


logo-img
logo-img
logo-img

Program Committee

  • Akshayvarun Subramanya (UMBC)
  • Alexander Robey (UPenn)
  • Ali Shahin Shamsabadi (QMUL)
  • Angtian Wang (JHU)
  • Aniruddha Saha (UMBC)
  • Anshuman Suri (UVA)
  • Bernhard Egger (MIT)
  • Chenglin Yang (JHU)
  • Chirag Agarwal (Harvard)
  • Gaurang Sriramanan (IISc)
  • Jiachen Sun (MSU)
  • Jieru Mei (JHU)
  • Jun Guo (BUAA)
  • Ju He (JHU)
  • Kibok Lee (MSU)
  • Lifeng Huang (SYSU)
  • Maura Pintor (University of Cagliari)
  • Muhammad Awais (QMUL and BetterData)
  • Muzammal Naseer (ANU)
  • Nataniel Ruiz (BU)
  • Qihang Yu (JHU)
  • Qing Jin (NEU)
  • Rajkumar Theagarajan (UCR)
  • Ruihao Gong (SenseTime)
  • Shiyu Tang (BUAA)
  • Shunchang liu (BUAA)
  • Sravanti Addepalli (IISc)
  • Tianlin Li (NTU)
  • Wenxiao Wang (THU)
  • Hang Yu (BUAA)
  • Won Park (MSU)
  • Xiangning Chen (UCLA)
  • Xiaohui Zeng (U of T)
  • Xingjun Ma (DKU)
  • Xinwei Zhao (DU)
  • Yulong Cao (MSU)
  • Yutong Bai (JHU)
  • Zihao Xiao (JHU)
  • Zixin Yin (BUAA)
  • Jin Hu (BUAA)
  • Haojie Hao (BUAA)
  • Zhengquan Sun (BUAA)