The 5th Workshop of Adversarial Machine Learning on Computer Vision: Foundation Models + X
The IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2025), June 11–25, 2025, Nashville, TN, USA
AdvML Workshop: June 12, 8:30 AM-12:00 PM, Room 205A
Overview
Foundation models (FMs) have demonstrated powerful generative capabilities, revolutionizing a wide range of applications in various domains including computer vision. Building upon this success, X-domain-specific foundation models (XFMs, e.g., Autonomous Driving FMs, Medical FMs) further enhance performance in specialized tasks within their respective fields by training on a curated dataset that emphasizes domain-specific knowledge and by making architectural modifications specific to the task. Alongside their potential benefits, the increasing reliance on XFMs has also exposed their vulnerability to adversarial attacks. These malicious attacks apply imperceptible perturbations to input images or prompts, which can cause the models to misclassify objects or generate adversary-intended outputs. Such vulnerabilities pose significant risks in safety-critical computer vision applications, such as autonomous vehicles and medical diagnosis, where incorrect predictions can have dire consequences. By studying and addressing the robustness challenges associated with XFMs, we can enable practitioners to construct robust, reliable XFMs across various domains.
The workshop will bring together researchers and practitioners from the computer vision and machine learning communities to explore the latest advances and challenges in adversarial machine learning, with a focus on the robustness of XFMs. The program will consist of invited talks by leading experts in the field, as well as contributed talks and poster sessions featuring the latest research. In addition, the workshop will also organize a challenge on adversarial attacks against foundation models.
We believe this workshop will provide a unique opportunity for researchers and practitioners to exchange ideas, share the latest developments, and collaborate on addressing the challenges associated with the robustness and security of foundation models. We expect that the workshop will generate insights and discussions that will help advance the field of adversarial machine learning and contribute to the development of more secure and robust foundation models for computer vision applications.
Important Dates
Timeline
Workshop Schedule

| Event | Start time | End time |
| --- | --- | --- |
| Opening Remarks | 8:30 | 8:40 |
| Invited Talk #1: Prof. Vishal M Patel | 8:40 | 9:00 |
| Invited Talk #2: Prof. Chaowei Xiao | 9:00 | 9:20 |
| Invited Talk #3: Prof. Florian Tramèr | 9:20 | 9:40 |
| Invited Talk #4: Prof. Alfred Chen | 9:40 | 10:00 |
| Distinguished Paper Award | 10:00 | 10:10 |
| Invited Talk #5: Prof. Bo Han | 10:10 | 10:30 |
| Invited Talk #6: Prof. Jing Shao | 10:30 | 10:50 |
| Challenge Session | 10:50 | 11:05 |
| Poster Session | 11:00 | 12:00 |
| Lunch | 12:00 | 13:00 |
Proposed Speakers
- Prof. Vishal M Patel (Johns Hopkins University)
- Prof. Chaowei Xiao (University of Wisconsin, Madison)
- Prof. Florian Tramèr (ETH Zürich)
- Prof. Alfred Chen (University of California, Irvine)
- Prof. Bo Han (Hong Kong Baptist University)
- Prof. Jing Shao (Shanghai AI Laboratory)
Organizers
- Tianyuan (Beihang)
- Siyang (Zhongguancun)
- Aishan (Beihang)
- Jiakai (Zhongguancun)
- Siyuan (National University)
- Felix (GenAI at Meta)
- Qing (A*STAR)
- Xinyun (Google Brain)
- Yew-Soon (Nanyang Technological)
- Xianglong (Beihang)
- Dawn (UC Berkeley)
- Alan (Johns Hopkins)
- Philip (Oxford)
- Dacheng (Nanyang Technological)
Call for Papers
- Robustness of X-domain-specific foundation models
- Adversarial attacks on computer vision tasks
- Improving the robustness of deep learning systems
- Interpreting and understanding model robustness, especially foundation models
- Adversarial attacks for social good
- Datasets and benchmarks for evaluating foundation model robustness
Submission Site: https://openreview.net/group?id=thecvf.com/CVPR/2025/Workshop/Advml
Submission Due (both Paper and Supplementary Material): March 25, 2025, 11:59 PM (UTC±0) (deadline extended)
Distinguished Paper Award
- Camouflage Attack on Vision-Language Models for Autonomous Driving [Paper]
  Dehong Kong (Sun Yat-sen University); Sifan Yu (Sun Yat-sen University); Linchao Zhang (China Electronics Technology Group Corporation); Shirui Luo (China Electronics Technology Group Corporation); Siying Zhu (China Electronics Technology Group Corporation); Yanzhao Su (Rocket Force University of Engineering); WenQi Ren (Sun Yat-sen University)
Accepted Long Papers
- Trustworthy Multi-UAV Collaboration: A Self-Supervised Framework for Explainable and Adversarially Robust Decision-Making [Paper]
  Yuwei Chen (Aviation Industry Development Research Center of China); Shiyong Chu (Aviation Industry Development Research Center of China)
- Defending Against Frequency-Based Attacks with Diffusion Models [Paper]
  Fatemeh Amerehi (University of Limerick); Patrick Healy (University of Limerick)
- Attacking Attention of Foundation Models Disrupts Downstream Tasks [Paper]
  Hondamunige Prasanna Silva (University of Florence); Federico Becattini (University of Siena); Lorenzo Seidenari (University of Florence)
- Towards Evaluating the Robustness of Visual State Space Models [Paper]
  Hashmat Shadab Malik (Mohamed Bin Zayed University of AI); Fahad Shamshad (Mohamed Bin Zayed University of AI); Muzammal Naseer (Khalifa University); Karthik Nandakumar (Michigan State University); Fahad Shahbaz Khan (Mohamed Bin Zayed University of AI); Salman Khan (Mohamed Bin Zayed University of AI)
- FullCycle: Full Stage Adversarial Attack For Reinforcement Learning Robustness Evaluation [Paper]
  Zhenshu Ma (Beihang University); Xuan Cai (Beihang University); Changhang Tian (Beihang University); Yuqi Fan (Beihang University); Kemou Jiang (Beihang University); Gangfu Liu (Beihang University); Xuesong Bai (Beihang University); Aoyong Li (Beihang University); Yilong Ren (Beihang University); Haiyang Yu (Beihang University)
- Human Aligned Compression for Robust Models [Paper]
  Samuel Räber (ETH Zürich); Andreas Plesner (ETH Zürich); Till Aczel (ETH Zürich); Roger Wattenhofer (ETH Zürich)
- Probing Vulnerabilities of Vision-LiDAR Based Autonomous Driving Systems [Paper]
  Siwei Yang (University of California, Santa Cruz); Zeyu Wang (University of California, Santa Cruz); Diego Ortiz (University of California, Santa Cruz); Luis Burbano (University of California, Santa Cruz); Murat Kantarcioglu (Virginia Tech); Alvaro A. Cardenas (University of California, Santa Cruz); Cihang Xie (University of California, Santa Cruz)
- Task-Agnostic Attacks Against Vision Foundation Models [Paper]
  Brian Pulfer (University of Geneva); Yury Belousov (University of Geneva); Vitaliy Kinakh (University of Geneva); Teddy Furon (University of Rennes); Slava Voloshynovskiy (University of Geneva)
- EL-Attack: Explicit and Latent Space Hybrid Optimization based General and Effective Attack for Autonomous Driving Trajectory Prediction [Paper]
  Xuesong Bai (Beihang University); Changhang Tian (State Key Laboratory of Intelligent Transportation Systems); Wei Xia (State Key Laboratory of Intelligent Transportation Systems); Zhenshu Ma (Beihang University); Haiyang Yu (Beihang University); Yilong Ren (Beihang University)
- VidModEx: Interpretable and Efficient Black Box Model Extraction for High-Dimensional Spaces [Paper]
  Somnath Sendhil Kumar (Microsoft Research); Yuvaraj Govindarajulu (AIShield, Bosch Global Software Technologies); Pavan Kulkarni (AIShield, Bosch Global Software Technologies); Manojkumar Parmar (AIShield, Bosch Global Software Technologies)
- Attention-Aware Temporal Adversarial Shadows on Traffic Sign Sequences [Paper]
  Pedram MohajerAnsari (Clemson University); Amir Salarpour (Clemson University); David Fernandez (Clemson University); Cigdem Kokenoz (Clemson University); Bing Li (Clemson University); Mert D. Pesé (Clemson University)
- One Noise to Fool Them All: Universal Adversarial Defenses Against Image Editing [Paper]
  Shorya Singhal (Data Science Group, IIT Roorkee); Parth Badgujar (Data Science Group, IIT Roorkee); Devansh Bhardwaj (Data Science Group, IIT Roorkee)
Accepted Extended Abstracts
- On the Safety Challenges of Vision-Language Models in Autonomous Driving [Paper]
  Yang Qu (Beihang University); Lu Wang (Beihang University)
- Camouflage Attack on Vision-Language Models for Autonomous Driving [Paper]
  Dehong Kong (Sun Yat-sen University); Sifan Yu (Sun Yat-sen University); Linchao Zhang (China Electronics Technology Group Corporation); Shirui Luo (China Electronics Technology Group Corporation); Siying Zhu (China Electronics Technology Group Corporation); Yanzhao Su (Rocket Force University of Engineering); WenQi Ren (Sun Yat-sen University)
- Improvement of Selecting and Poisoning Data in Copyright Infringement Attack [Paper]
  Feiyu Yang (Nanyang Technological University)
- Multi-Task Vision Experts for Brain Captioning [Paper]
  Weihao Xia (University of Cambridge); Cengiz Oztireli (University of Cambridge)
Challenge
This challenge invites developers, researchers, and enthusiasts worldwide to design and submit image-text pairs that can trigger harmful, inappropriate, or illegal content generation by multimodal large language models (MLLMs), taking a "red team" perspective. Through this process, we hope to expose vulnerabilities in the models, drive innovation in security technology, and provide essential directions for future model development.
The competition consists of two stages. In Phase I, the organizers will provide harmful text prompts in various risk categories, and participants must design corresponding adversarial image-text pairs that induce security risks in MLLMs. In Phase II, the organizers will present more challenging harmful text prompts in different risk categories, with the same objective as in Phase I. Ultimately, teams will be ranked by the attack success rate of their final-round image-text pairs to determine the winning teams.
The challenge is now open, and participants can register and access detailed information at the following link:
Challenge Site: https://challenge.aisafety.org.cn/#/competitionDetail?id=19
Timeline
Challenge Timeline

| Date | Event |
| --- | --- |
| Mar 24, 2025 | Competition starts |
| Mar 26, 2025 | Phase 1 starts |
| April 16, 2025 | Phase 1 ends |
| April 21, 2025 | Phase 2 starts |
| May 11, 2025 | Phase 2 ends |
| May 30, 2025 | Results will be released and participants will be selected to present |
| June 2025 | Awards and presentation |
Challenge Chairs
- Siyang (Zhongguancun)
- Zonglei (Beihang)
- Zonghao (Beihang)
- Hainan (Data Space)
- Zhilei (Data Space)
- Haotong (ETH)
- Yue (Pengcheng)
- Lei (Tsinghua)
- Xianglong (Beihang)
Sponsors
Program Committee
- Akshayvarun Subramanya (UMBC)
- Alexander Robey (UPenn)
- Ali Shahin Shamsabadi (QMUL)
- Angtian Wang (JHU)
- Aniruddha Saha (UMBC)
- Anshuman Suri (UVA)
- Bernhard Egger (MIT)
- Chenglin Yang (JHU)
- Chirag Agarwal (Harvard)
- Gaurang Sriramanan (IISc)
- Jiachen Sun (MSU)
- Jieru Mei (JHU)
- Jun Guo (BUAA)
- Ju He (JHU)
- Kibok Lee (MSU)
- Lifeng Huang (SYSU)
- Maura Pintor (University of Cagliari)
- Muhammad Awais (QMUL and BetterData)
- Muzammal Naseer (ANU)
- Nataniel Ruiz (BU)
- Qihang Yu (JHU)
- Qing Jin (NEU)
- Rajkumar Theagarajan (UCR)
- Ruihao Gong (SenseTime)
- Shiyu Tang (BUAA)
- Shunchang Liu (BUAA)
- Sravanti Addepalli (IISc)
- Tianlin Li (NTU)
- Wenxiao Wang (THU)
- Hang Yu (BUAA)
- Won Park (MSU)
- Xiangning Chen (UCLA)
- Xiaohui Zeng (U of T)
- Xingjun Ma (DKU)
- Xinwei Zhao (DU)
- Yulong Cao (MSU)
- Yutong Bai (JHU)
- Zihao Xiao (JHU)
- Zixin Yin (BUAA)
- Jin Hu (BUAA)
- Haojie Hao (BUAA)
- Zhengquan Sun (BUAA)