Official implementation of our paper Pushing the Frontier of Black-Box LVLM Attacks via Fine-Grained Detail Targeting.
M-Attack-V2substantially improvesM-Attack (v1)by reducing unstable local-gradient behavior and handling source-target asymmetry more explicitly.
- Install dependencies
uv sync
uv run python -m spacy download en_core_web_sm- Add API keys in
api_keys.yaml
gpt4o:
- "your_openai_key"
claude:
- "your_anthropic_key"
gemini:
- "your_google_key"
# optional
gpt5:
- "your_openai_key"- Run end-to-end pipeline
uv run bash run_parallel.shrun_parallel.sh runs:
generate_ad_sample_parallel.pyblackbox_text_generation.pygpt_evaluate.pykeyword_matching_gpt.py
Expected folders:
resources/images/bigscaleorresources/images/bigscale_100resources/images/target_imagesorresources/images/target_images_100resources/retrieved_embeddings
keyword_matching_gpt.py expects keywords.json under .../target_images/1/keywords.json.
resources/embeddings is an optional retrieval cache and will be created automatically if you run retrieval.py.
- Retrieval pipeline:
docs/retrieval.md - Hyperparameter template:
docs/hyperparameters.md
- Configure
wandb.entityinconfig/ensemble_3models.yamlif you use Weights & Biases. - Do not commit
api_keys.yaml. - Hydra config entry point is
config/ensemble_3models.yaml.
M-Attack (v1, GitHub):
Asymmetric matching (ours):
MCA (Multi-Crop Alignment) improves expectation estimation by averaging alignment over multiple local crops.
ATA (Auxiliary Target Alignment) improves target semantic sampling by using auxiliary target cues for a stabler reference.
If you find this project useful in your research or applications, please consider giving it a star ⭐ and citing our work:
@article{zhao2026pushingfrontierblackboxlvlm,
title={Pushing the Frontier of Black-Box LVLM Attacks via Fine-Grained Detail Targeting},
author={Zhao, Xiaohan and Li, Zhaoyi and Luo, Yaxin and Cui, Jiacheng and Shen, Zhiqiang},
journal={arXiv preprint arXiv:2602.17645},
year={2026}
}