ASR drop on MMSafeBench after replacing the anchor image

[jkcjkc]

Hi, thanks for the great work.

I am currently experimenting with the code and have a question regarding the attack transferability.

Experiment Details: I replaced the initial image used to generate the adversarial images. Aside from this change, all other configurations remain consistent with the original repository.

Results:

AdvBench Subset: The Attack Success Rate (ASR) is 98%.

MMSafeBench: When transferring the attack to mmsafebench, the ASR drops significantly to 51%.

Evaluator: Both benchmarks were evaluated using HarmBench-Llama-2-13b-cls.

Question: Could this performance gap be attributed to the change in the image itself? Or is it possible that the evaluator (HarmBench-Llama-2-13b-cls) differs from the setting/judge used in the original paper?

Any insights would be appreciated. Thanks!

[smile-struggler]

Hi @jkcjkc ,

The significant performance gap you observed is likely due to the difference in evaluators, not the change in the initial image.

1. Initial Image Changing the initial image has negligible impact on the final performance. You can use essentially any image as the starting point for the optimization process.

2. Evaluator Mismatch (The Main Cause) As stated in Section 5.1 of our paper, for MM-SafetyBench, we strictly followed the official protocol which uses GPT-4o-mini as the judge. Using HarmBench-Llama-2-13b-cls is not suitable here because MM-SafetyBench employs specific evaluation prompts and criteria for different forbidden scenarios.

Recommendation: To reproduce our results, please switch to GPT-4o-mini and follow the prompts defined in the official MM-SafetyBench repository: https://github.com/isXinLiu/MM-SafetyBench/blob/main/evaluation.py.

You can also refer to our specific implementation code for the judge here: https://github.com/thu-coai/JPS/blob/main/judge/gpt4o_mini_judge.py