{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,20]],"date-time":"2026-01-20T11:52:18Z","timestamp":1768909938956,"version":"3.49.0"},"reference-count":65,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"name":"School of Computing, Engineering and the Built Environment, Edinburgh Napier University"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2025]]},"DOI":"10.1109\/access.2025.3645997","type":"journal-article","created":{"date-parts":[[2025,12,18]],"date-time":"2025-12-18T18:34:32Z","timestamp":1766082872000},"page":"216272-216289","source":"Crossref","is-referenced-by-count":0,"title":["Adversarial Robustness of Vision in Open Foundation Models"],"prefix":"10.1109","volume":"13","author":[{"given":"Jonathon","family":"Fox","sequence":"first","affiliation":[{"name":"Blockpass ID Lab, Edinburgh Napier University, Edinburgh, U.K."}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0809-3523","authenticated-orcid":false,"given":"William J.","family":"Buchanan","sequence":"additional","affiliation":[{"name":"Blockpass ID Lab, Edinburgh Napier University, Edinburgh, U.K."}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5927-6026","authenticated-orcid":false,"given":"Pavlos","family":"Papadopoulos","sequence":"additional","affiliation":[{"name":"Blockpass ID Lab, Edinburgh Napier University, Edinburgh, U.K."}]}],"member":"263","reference":[{"key":"ref1","article-title":"On the opportunities and risks of foundation models","author":"Bommasani","year":"2021","journal-title":"arXiv:2108.07258"},{"key":"ref2","article-title":"LLaMA: Open and efficient foundation language models","author":"Touvron","year":"2023","journal-title":"arXiv:2302.13971"},{"key":"ref3","article-title":"Llama 2: Open foundation and fine-tuned chat models","author":"Touvron","year":"2023","journal-title":"arXiv:2307.09288"},{"key":"ref4","article-title":"The Llama 3 herd of models","author":"Grattafiori","year":"2024","journal-title":"arXiv:2407.21783"},{"key":"ref5","article-title":"On the societal impact of open foundation models","author":"Kapoor","year":"2024","journal-title":"arXiv:2403.07918"},{"key":"ref6","first-page":"5998","article-title":"Attention is all you need","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"30","author":"Vaswani"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1006\/csla.1999.0128"},{"issue":"2","key":"ref8","doi-asserted-by":"crossref","first-page":"257","DOI":"10.1109\/5.18626","article-title":"A tutorial on hidden Markov models and selected applications in speech recognition","volume":"77","author":"Rabiner","year":"1989","journal-title":"Proc. IEEE"},{"key":"ref9","first-page":"48","article-title":"Statistical phrase-based translation","volume-title":"Proc. Conf. North Amer. Chapter Assoc. Comput. Linguistics Hum. Lang. Technol.","volume":"1","author":"Koehn"},{"issue":"6088","key":"ref10","doi-asserted-by":"crossref","first-page":"533","DOI":"10.1038\/323533a0","article-title":"Learning representations by back-propagating errors","volume":"323","author":"Rumelhart","year":"1986","journal-title":"Nature"},{"key":"ref11","first-page":"84","article-title":"ImageNet classification with deep convolutional neural networks","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"60","author":"Krizhevsky"},{"issue":"8","key":"ref12","doi-asserted-by":"crossref","first-page":"1735","DOI":"10.1162\/neco.1997.9.8.1735","article-title":"Long short-term memory","volume":"9","author":"Hochreiter","year":"1997","journal-title":"Neural Comput."},{"key":"ref13","first-page":"1700","article-title":"Recurrent continuous translation models","volume-title":"Proc. Conf. Empirical Methods Natural Lang. Process.","author":"Kalchbrenner"},{"key":"ref14","article-title":"Sequence to sequence learning with neural networks","author":"Sutskever","year":"2014","journal-title":"arXiv:1409.3215"},{"key":"ref15","article-title":"Neural machine translation by jointly learning to align and translate","author":"Bahdanau","year":"2014","journal-title":"arXiv:1409.0473"},{"key":"ref16","volume-title":"Improving Language Understanding By Generative Pre-Training","author":"Radford","year":"2018"},{"key":"ref17","volume-title":"Language Models Are Unsupervised Multitask Learners","author":"Radford","year":"2019"},{"key":"ref18","first-page":"1877","article-title":"Language models are few-shot learners","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"33","author":"Brown"},{"key":"ref19","article-title":"Scaling laws for neural language models","author":"Kaplan","year":"2020","journal-title":"arXiv:2001.08361"},{"key":"ref20","article-title":"Training language models to follow instructions with human feedback","author":"Ouyang","year":"2022","journal-title":"arXiv:2203.02155"},{"key":"ref21","article-title":"MMLU-pro: A more robust and challenging multi-task language understanding benchmark","author":"Wang","year":"2024","journal-title":"arXiv:2406.01574"},{"key":"ref22","article-title":"Chatbot arena: An open platform for evaluating LLMs by human preference","author":"Chiang","year":"2024","journal-title":"arXiv:2403.04132"},{"key":"ref23","article-title":"LiveBench: A challenging, contamination-limited LLM benchmark","author":"White","year":"2024","journal-title":"arXiv:2406.19314"},{"key":"ref24","article-title":"GPT-4 technical report","volume-title":"arXiv:2303.08774","author":"Achiam","year":"2023"},{"key":"ref25","volume-title":"DeepSeek-R1: Incentivizing Reasoning Capability in LLMs Via Reinforcement Learning","author":"Guo","year":"2025"},{"key":"ref26","volume-title":"Image-to-Word Transformation Based on Dividing and Vector Quantizing Images With Words","author":"Mori","year":"1999"},{"key":"ref27","first-page":"2121","article-title":"DeViSE: A deep visual-semantic embedding model","volume-title":"Proc. Neural Inf. Process. Syst.","volume":"26","author":"Frome"},{"key":"ref28","first-page":"2048","article-title":"Show, attend and tell: Neural image caption generation with visual attention","volume-title":"Proc. Int. Conf. Mach. Learn.","volume":"3","author":"Xu"},{"key":"ref29","first-page":"3128","article-title":"Deep visual-semantic alignments for generating image descriptions","volume-title":"Proc. IEEE Conf. Comput. Vis. Pattern Recognit. (CVPR)","author":"Karpathy"},{"key":"ref30","first-page":"1","article-title":"ViLBERT: Pretraining task-agnostic visiolinguistic representations for vision-and-language tasks","volume-title":"Proc. Neural Inf. Process. Syst.","author":"Lu"},{"key":"ref31","first-page":"4171","article-title":"BERT: Pre-training of deep bidirectional transformers for language understanding","volume-title":"Proc. Conf. North","author":"Devlin"},{"key":"ref32","article-title":"VisualBERT: A simple and performant baseline for vision and language","author":"Li","year":"2019","journal-title":"arXiv:1908.03557"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58577-8_7"},{"key":"ref34","article-title":"An image is worth 16\u00d716 words: Transformers for image recognition at scale","author":"Dosovitskiy","year":"2020","journal-title":"arXiv:2010.11929"},{"key":"ref35","article-title":"Learning transferable visual models from natural language supervision","author":"Radford","year":"2021","journal-title":"arXiv:2103.00020"},{"key":"ref36","article-title":"Scaling up visual and vision-language representation learning with noisy text supervision","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Jia"},{"key":"ref37","article-title":"SimVLM: Simple visual language model pretraining with weak supervision","author":"Wang","year":"2021","journal-title":"arXiv:2108.10904"},{"key":"ref38","article-title":"BLIP: Bootstrapping language-image pre-training for unified vision-language understanding and generation","author":"Li","year":"2022","journal-title":"arXiv:2201.12086"},{"key":"ref39","article-title":"Flamingo: A visual language model for few-shot learning","author":"Alayrac","year":"2022","journal-title":"arXiv:2204.14198"},{"key":"ref40","article-title":"BLIP-2: Bootstrapping language-image pre-training with frozen image encoders and large language models","author":"Li","year":"2023","journal-title":"arXiv:2301.12597"},{"key":"ref41","first-page":"34892","article-title":"Visual instruction tuning (LLaVA)","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"36","author":"Liu"},{"key":"ref42","volume-title":"GPT-4V(ision) System Card","year":"2024"},{"key":"ref43","article-title":"Intriguing properties of neural networks","volume-title":"Proc. 2nd Int. Conf. Learn. Represent.","author":"Szegedy"},{"key":"ref44","first-page":"427","article-title":"Deep neural networks are easily fooled: High confidence predictions for unrecognizable images","volume-title":"Proc. IEEE Conf. Comput. Vis. Pattern Recognit. (CVPR)","author":"Nguyen"},{"key":"ref45","article-title":"Explaining and harnessing adversarial examples","author":"Goodfellow","year":"2014","journal-title":"arXiv:1412.6572"},{"key":"ref46","doi-asserted-by":"crossref","DOI":"10.1016\/j.cosrev.2019.100199","article-title":"A taxonomy and survey of attacks against machine learning","volume":"34","author":"Pitropakis","year":"2019","journal-title":"Comput. Sci. Rev."},{"key":"ref47","doi-asserted-by":"crossref","DOI":"10.6028\/NIST.AI.100-2e2023","article-title":"Adversarial machine learning: A taxonomy and terminology of attacks and mitigations","author":"Vassilev","year":"2024"},{"key":"ref48","article-title":"On evaluating adversarial robustness","author":"Carlini","year":"2019","journal-title":"arXiv:1902.06705"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/sp.2017.49"},{"key":"ref50","article-title":"Towards deep learning models resistant to adversarial attacks","author":"Madry","year":"2017","journal-title":"arXiv:1706.06083"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-72992-8_22"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.emnlp-main.346"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/D19-1221"},{"key":"ref54","article-title":"Jailbroken: How does LLM safety training fail?","author":"Wei","year":"2023","journal-title":"arXiv:2307.02483"},{"key":"ref55","article-title":"Universal and transferable adversarial attacks on aligned language models","author":"Zou","year":"2023","journal-title":"arXiv:2307.15043"},{"key":"ref56","article-title":"Image hijacks: Adversarial images can control generative models at runtime","author":"Bailey","year":"2023","journal-title":"arXiv:2309.00236"},{"key":"ref57","first-page":"3679","article-title":"On the adversarial robustness of multi-modal foundation models","volume-title":"Proc. IEEE\/CVF Int. Conf. Comput. Vis. Workshops (ICCVW)","author":"Schlarmann"},{"key":"ref58","article-title":"Jailbreak in pieces: Compositional adversarial attacks on multi-modal language models","volume-title":"Proc. 12th Int. Conf. Learn. Represent.","author":"Shayegani"},{"key":"ref59","article-title":"How robust is Google\u2019s bard to adversarial image attacks?","author":"Dong","year":"2023","journal-title":"arXiv:2309.11751"},{"key":"ref60","first-page":"61478","article-title":"Are aligned neural networks adversarially aligned?","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Carlini"},{"key":"ref61","first-page":"17003","article-title":"Improving adversarial robustness in vision-language models with architecture and prompt design","volume-title":"Proc. EMNLP","author":"Bhagwatkar"},{"key":"ref62","article-title":"Llama guard 3 vision: Safeguarding human-AI image understanding conversations","author":"Chi","year":"2024","journal-title":"arXiv:2411.10414"},{"key":"ref63","article-title":"Llama guard: LLM-based input\u2013output safeguard for human-AI conversations","author":"Inan","year":"2023","journal-title":"arXiv:2312.06674"},{"key":"ref64","article-title":"Making the v in VQA matter: Elevating the role of image understanding in visual question answering","author":"Goyal","year":"2016","journal-title":"arXiv:1612.00837"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.1405.0312"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/6287639\/10820123\/11303746.pdf?arnumber=11303746","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,19]],"date-time":"2026-01-19T20:55:42Z","timestamp":1768856142000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11303746\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":65,"URL":"https:\/\/doi.org\/10.1109\/access.2025.3645997","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]}}}