Security & Robustness | CVPR 2026 (AdvML) [Distinguished Paper 🏆]

MirrorCheck: Efficient Adversarial Defense for Vision-Language Models

Authors

Samar Fares*, Klea Ziu*, Toluwani Aremu*, Nikita Durasov, Martin Takáč, Pascal Fua, Ivan Laptev, Karthik Nandakumar

Affiliations

Mohamed Bin Zayed University of Artificial Intelligence (MBZUAI), NVIDIA, EPFL, Michigan State University

* Equal contribution

TL;DR: Vision-Language Models (VLMs) are highly vulnerable to adversarial image perturbations. We present MirrorCheck—a model-agnostic defense that regenerates visual content from captions generated by the VLM using Text-to-Image (T2I) models and measures semantic consistency in feature space. To thwart adaptive attacks, we introduce stochastic encoder/generator selection and One-Time-Use (OTU) parameter perturbations, maintaining detection rates up to 99%.

Abstract

Vision-Language Models (VLMs) are increasingly susceptible to sophisticated adversarial attacks, including adaptive strategies specifically designed to bypass existing defenses. To address this vulnerability, we propose MirrorCheck, a robust and model-agnostic detection framework that operates effectively in both unimodal and multimodal settings.

MirrorCheck leverages Text-to-Image (T2I) models to regenerate visual content from captions produced by the target model and assesses semantic consistency by comparing feature-space embeddings between the original and synthesized images. To enhance robustness against adaptive attacks, MirrorCheck introduces a stochastic defense strategy that randomly selects T2I generators and image encoders from a diverse model zoo. Additionally, we incorporate a novel One-Time-Use (OTU) perturbation applied to the selected encoder embeddings, regulated by a scaling factor, which decreases the effectiveness of adaptive attacks. Extensive experiments across multiple threat scenarios demonstrate that MirrorCheck consistently outperforms baseline methods, and maintains its utility even under strong adaptive adversarial conditions.

Threat Model

Our framework is designed to detect adversarial attacks, irrespective of the attacker's level of knowledge. In this scenario, there are two parties:

Attacker: The attacker's goal is to generate an adversarial image $x_{\text{adv}} = x_{\text{clean}} + \delta$ that causes the victim model to produce an incorrect caption or classification. The attack can be targeted, where the generated text matches a predefined adversarial target, or untargeted, where the model is simply forced to misinterpret or misdescribe the input image. In both cases, the perturbation $\delta$ is constrained within an $\ell_\infty$ or $\ell_2$ bounded adversarial budget. The adversary may have full white-box access or operate in a black-box setting.

Defender: The defender aims to correctly classify input images as either clean or adversarial by assessing the consistency between the model's interpretation of the input and a reference image generated from the model's textual output. The defender only assumes black-box access to the victim model and has no access to any ground-truth clean reference image.

Methodology

Let $\mathcal{F}_\theta(x_{\text{in}}; p) \rightarrow t$ be the victim model (which can be a VLM or a classification model producing a description text $t$ from input image $x_{\text{in}}$ under prompt $p$). Let $\mathcal{I}_{\phi}(x) \rightarrow z$ be a pretrained image encoder and let $G_{\psi}(t) \rightarrow x_{\text{gen}}$ denote a pretrained text-conditioned image generation (T2I) model.

The defender first obtains the output caption $t = \mathcal{F}_\theta(x_{\text{in}}; p)$, then synthesizes the reference image $x_{\text{gen}} = G_{\psi}(t)$. Semantic consistency is assessed by computing the cosine similarity between the feature embeddings:

$$c = \cos(\mathcal{I}_\phi(x_{\text{in}}), \mathcal{I}_\phi(x_{\text{gen}})) = \frac{\langle \mathcal{I}_\phi(x_{\text{in}}), \mathcal{I}_\phi(x_{\text{gen}}) \rangle}{\|\mathcal{I}_\phi(x_{\text{in}})\|_2 \, \|\mathcal{I}_\phi(x_{\text{gen}})\|_2}$$

Stochastic MirrorCheck & OTU Noise: To defend against adaptive white-box attackers who optimize perturbations to fool both the VLM and the detector, we introduce:

  1. Stochastic model zoo selection: a T2I generator (Stable Diffusion, UniDiffuser, ControlNet) and an image encoder (CLIP variants, OpenCLIP) are drawn at random for each query.
  2. One-Time-Use (OTU) perturbations: a fresh Gaussian noise draw $\eta \sim \mathcal{N}(0, \sigma^2 I)$ is added to the image encoder's parameter weights before each query, so every query sees a different random projection and a gradient-based optimization attack cannot converge on a fixed detector.
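The detection rule and the two stochastic components above, written out as an added Python example (not the authors' code or the MirrorCheck release). The victim VLM and the T2I generator sit outside the snippet: it consumes the two images as feature vectors that are constructed inline, the "model zoo" is a set of random linear encoders standing in for CLIP/OpenCLIP, and the OTU draw $\eta$ is applied to the weights used for both $x_{\text{in}}$ and $x_{\text{gen}}$ within one query and then discarded (an assumption about how the paper applies the noise). The threshold calibration from clean scores and the target false-positive rate are assumptions, not values from the page.

```python
import math
import random


class LinearEncoder:
    """Toy image encoder I_phi(x) = W x (constructed stand-in for a CLIP/OpenCLIP model)."""

    def __init__(self, name, weights):
        self.name = name
        self.weights = weights  # list of rows (output dim), each a list of floats (input dim)

    def embed(self, x, eta=None):
        # eta, when given, is the One-Time-Use perturbation: z = (W + eta) x.
        z = []
        for i, row in enumerate(self.weights):
            acc = 0.0
            for j, w in enumerate(row):
                if eta is not None:
                    w += eta[i][j]
                acc += w * x[j]
            z.append(acc)
        return z


def cosine(a, b):
    """c = <a, b> / (||a||_2 ||b||_2); returns 0.0 if either vector is all-zero."""
    dot = sum(p * q for p, q in zip(a, b))
    na = math.sqrt(sum(p * p for p in a))
    nb = math.sqrt(sum(q * q for q in b))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return dot / (na * nb)


def otu_noise(rows, cols, sigma, rng):
    """eta ~ N(0, sigma^2 I): drawn fresh for a single query, never reused."""
    return [[rng.gauss(0.0, sigma) for _ in range(cols)] for _ in range(rows)]


def build_zoo(names, in_dim, out_dim, rng):
    """Constructed model zoo: one random linear encoder per name (hypothetical names)."""
    scale = 1.0 / math.sqrt(in_dim)
    return [
        LinearEncoder(name, [[rng.gauss(0.0, scale) for _ in range(in_dim)] for _ in range(out_dim)])
        for name in names
    ]


def mirrorcheck_score(x_in, x_gen, zoo, sigma, rng):
    """Stochastic MirrorCheck: pick an encoder at random, perturb it once, score both images."""
    enc = rng.choice(zoo)
    eta = None
    if sigma > 0.0:
        eta = otu_noise(len(enc.weights), len(enc.weights[0]), sigma, rng)
    z_in = enc.embed(x_in, eta)
    z_gen = enc.embed(x_gen, eta)  # same one-time weights for both images of this query
    return enc.name, cosine(z_in, z_gen)


def calibrate_threshold(clean_scores, target_fpr=0.05):
    """tau such that at most target_fpr of the clean calibration scores fall below it."""
    s = sorted(clean_scores)
    k = min(max(int(target_fpr * len(s)), 0), len(s) - 1)
    return s[k]


def is_adversarial(score, tau):
    """Low consistency between input and regenerated image => flag as adversarial."""
    return score < tau


def demo(seed=0):
    rng = random.Random(seed)
    zoo = build_zoo(["clip-a", "clip-b", "openclip-c"], in_dim=16, out_dim=8, rng=rng)
    # Constructed feature vectors: for a clean image the regenerated x_gen stays close
    # to x_in; for an attacked image the caption, and so x_gen, is unrelated to x_in.
    x_in = [rng.gauss(0.0, 1.0) for _ in range(16)]
    x_gen_clean = [v + rng.gauss(0.0, 0.1) for v in x_in]
    x_gen_adv = [rng.gauss(0.0, 1.0) for _ in range(16)]
    sigma = 5e-4
    clean_cal = [mirrorcheck_score(x_in, [v + rng.gauss(0.0, 0.2) for v in x_in], zoo, sigma, rng)[1]
                 for _ in range(40)]
    tau = calibrate_threshold(clean_cal, target_fpr=0.05)
    enc_c, s_clean = mirrorcheck_score(x_in, x_gen_clean, zoo, sigma, rng)
    enc_a, s_adv = mirrorcheck_score(x_in, x_gen_adv, zoo, sigma, rng)
    return {"tau": tau,
            "clean": (enc_c, s_clean, is_adversarial(s_clean, tau)),
            "adv": (enc_a, s_adv, is_adversarial(s_adv, tau))}


if __name__ == "__main__":
    print(demo())
```

Because the perturbed weights and the chosen encoder change on every call, an attacker optimizing $\delta$ against one observed score is optimizing against a detector that will not be the one used on the next query; the calibration step shows the defender-side cost of that randomness, namely that $\tau$ must be set on scores produced under the same stochastic pipeline.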

Quantitative Evaluation

We evaluate MirrorCheck against classical unimodal defenses (FeatureSqueeze, MagNet, PuVAE, DiffPure) and VLM-specific multimodal baselines (CIDER, Naive, CLIP, JailGuard, SmoothVLM, DPS) across multiple VLM architectures and classification tasks.

1. Adversarial Detection Performance (AUROC)

Overall detection rate (AUROC) under text-targeted (AttackVLM-T) and query-targeted (AttackVLM-Q) VLM attacks, as well as multimodal fusion attacks (Attack-MMFM). Higher is better.

Column groups: Unimodal baselines = FS, MagNet, PuVAE, DiffPure; Multimodal baselines = CIDER, Naive, CLIP, JailGuard, SmoothVLM; Ours = MC, Stochastic-MC.

| Victim Model | Attack Setting | FS | MagNet | PuVAE | DiffPure | CIDER | Naive | CLIP | JailGuard | SmoothVLM | MC | Stochastic-MC |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| UniDiffuser | VLM-T | 0.56 | 0.74 | 0.51 | 0.80 | 0.84 | 0.68 | 0.59 | 0.81 | 0.82 | 0.96 | 0.95 |
| UniDiffuser | VLM-Q | 0.65 | 0.85 | 0.70 | 0.81 | 0.80 | 0.65 | 0.57 | 0.83 | 0.83 | 0.98 | 0.98 |
| BLIP | VLM-T | 0.52 | 0.60 | 0.50 | 0.71 | 0.81 | 0.66 | 0.61 | 0.79 | 0.77 | 0.90 | 0.93 |
| BLIP | VLM-Q | 0.57 | 0.65 | 0.80 | 0.76 | 0.85 | 0.64 | 0.55 | 0.84 | 0.81 | 0.89 | 0.97 |
| BLIP-2 | VLM-T | 0.61 | 0.73 | 0.52 | 0.80 | 0.84 | 0.70 | 0.62 | 0.82 | 0.80 | 0.93 | 0.94 |
| BLIP-2 | VLM-Q | 0.61 | 0.85 | 0.72 | 0.83 | 0.77 | 0.67 | 0.58 | 0.80 | 0.78 | 0.92 | 0.99 |

The remaining rows carry eight values each in the flattened source, which does not indicate which baseline columns are empty for them; their values are reproduced in the order given:

| Victim Model | Attack Setting | Values as listed (left to right) |
|---|---|---|
| Bard | | 0.79, 0.87, 0.65, 0.58, 0.89, 0.87, 0.98, 0.95 |
| LLaVA | MMFM | 0.67, 0.83, 0.62, 0.52, 0.85, 0.85, 0.82, 0.85 |
| OpenFlamingo | MMFM | 0.65, 0.84, 0.60, 0.51, 0.87, 0.84, 0.81, 0.81 |

2. Semantic Similarity Scores (Clean vs. Attack)

We measure the cosine similarity score gap under clean and adversarial conditions. Legitimate clean images maintain high semantic consistency under regeneration (typically >0.70), while adversarial generation collapses the feature-space similarity.

| Victim Model | Task Setting | Clean Similarity ↑ | Attack Similarity (VLM-Q) ↓ | Semantic Gap |
|---|---|---|---|---|
| UniDiffuser | Image Captioning | 0.721 | 0.498 | 0.223 |
| BLIP | Image Captioning | 0.707 | 0.508 | 0.199 |
| BLIP-2 | Image Captioning | 0.729 | 0.380 | 0.349 |
| Img2Prompt | Visual Question Answering | 0.675 | 0.517 | 0.158 |
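The AUROC in the first table and the similarity gap in the second are the two metrics a practitioner would compute for their own consistency detector. The following added Python (not from the paper or its code) computes both from two lists of consistency scores, one for clean and one for attacked inputs, using the rank-based definition of AUROC with the convention that lower similarity means "adversarial", plus the detection rate at a fixed false-positive rate as one ROC operating point. The sample score lists are constructed and are not measurements from the page.

```python
def auroc(clean_scores, adv_scores):
    """AUROC of the rule 'low consistency => adversarial'.

    Equals P(score_clean > score_adv) with ties counted as 1/2, i.e. the probability
    that a random (clean, adversarial) pair is ranked in the right order.
    """
    if not clean_scores or not adv_scores:
        raise ValueError("both score lists must be non-empty")
    wins = 0.0
    for c in clean_scores:
        for a in adv_scores:
            if c > a:
                wins += 1.0
            elif c == a:
                wins += 0.5
    return wins / (len(clean_scores) * len(adv_scores))


def semantic_gap(clean_scores, adv_scores):
    """Mean clean similarity minus mean attack similarity (the table's 'Semantic Gap')."""
    return sum(clean_scores) / len(clean_scores) - sum(adv_scores) / len(adv_scores)


def tpr_at_fpr(clean_scores, adv_scores, target_fpr=0.05):
    """Detection rate on attacked inputs when the threshold is chosen so that at most
    target_fpr of clean inputs are flagged. Returns (threshold, detection rate)."""
    s = sorted(clean_scores)
    k = min(max(int(target_fpr * len(s)), 0), len(s) - 1)
    tau = s[k]
    flagged = sum(1 for a in adv_scores if a < tau)
    return tau, flagged / len(adv_scores)


# Constructed consistency scores for eight clean and eight attacked inputs.
CLEAN_SCORES = [0.74, 0.71, 0.78, 0.69, 0.73, 0.70, 0.76, 0.72]
ADV_SCORES = [0.52, 0.48, 0.55, 0.61, 0.45, 0.50, 0.72, 0.47]


def demo():
    tau, tpr = tpr_at_fpr(CLEAN_SCORES, ADV_SCORES, target_fpr=0.125)
    return {
        "auroc": auroc(CLEAN_SCORES, ADV_SCORES),
        "semantic_gap": semantic_gap(CLEAN_SCORES, ADV_SCORES),
        "threshold": tau,
        "detection_rate": tpr,
    }


if __name__ == "__main__":
    print(demo())
```

AUROC is threshold-free, which is why the tables use it to compare detectors; the gap is a mean-level summary that says nothing about overlap between the two score distributions, so a large gap with a low AUROC would indicate a few extreme attacked samples rather than a reliably separable detector.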

Qualitative Results

To demonstrate the visual consistency captured by MirrorCheck, we evaluate samples generated by Stable Diffusion when conditioned on the VLM's caption features. Under clean settings, synthesized images preserve the high-level semantic layout and context. Under adversarial attack, the VLM generates mismatched descriptions, leading to regenerated reference images that diverge drastically from the original features.

[Figure: four image pairs, Adapter Sample 1 to 4 alongside Reconstruction 1 to 4]

Figure: Images generated by Stable Diffusion conditioned on the latent embeddings of UniDiffuser captions. The adapter successfully aligns caption-based representations with image generation pipelines, demonstrating visually coherent semantic preservation.

Robustness & Complexity

Adaptive Attacks (BPDA+EoT): We stress-test our defense by modeling a white-box adversary who has full access to the victim VLM, the alignment adapter, and the detection pipeline. Under the Backward Pass Differentiable Approximation (BPDA) and Expectation over Transformation (EoT) optimization, we observe that Stochastic MirrorCheck maintains high defense integrity. Specifically, while a single encoder is slightly susceptible, an ensemble of 7 or more encoders combined with One-Time-Use parameter noise (scale $\ge 5\times10^{-4}$) achieves a detection accuracy of over 98%, defeating the adaptive optimization loop.

Computational Complexity: Running on a single NVIDIA Quadro RTX A6000 GPU, the defense pipeline processes an image in 15 seconds (victim model captioning: 0.2s, T2I generation: 5s, similarity calculation: 10s). By reducing the T2I diffusion timesteps from 50 to 10, the total inference time drops to just 1.2 seconds with only a marginal reduction in detection AUROC, showing a practical path for low-latency production serving.