InfraQR: Edge-Placed QR-Inspired Structured Patch Attacks on Infrared Vision-Language Models
Summary
InfraQR introduces a novel QR-inspired structured patch attack targeting infrared vision-language models (VLMs). These models are increasingly deployed for perception in challenging visual conditions. Unlike traditional localized attacks, InfraQR places a compact, near-binary structured patch along image boundaries. It optimizes learnable grid cells through surrogate CLIP-style encoders. The method was evaluated on a 300-image infrared benchmark across classification, caption transfer, and question-answer-aware visual question answering (VQA) tasks. InfraQR sharply reduced the accuracy of multiple CLIP-style classifiers, dropping OpenAI CLIP's accuracy from 98.67% to 0.70%. Adversarial images also transferred to black-box captioning and VQA models. This led to semantic degradation in captions and more error-prone answers, as assessed by GPT-5.4-based evaluation. These findings underscore the vulnerability of infrared VLMs to structured edge-placed perturbations.
Key takeaway
For AI Security Engineers deploying infrared vision-language models, you must account for novel adversarial attack vectors. InfraQR shows edge-placed, QR-inspired patches severely degrade VLM performance. It reduced OpenAI CLIP accuracy from 98.67% to 0.70%. Your security assessments should now include testing for structured boundary attacks. Also, test for cross-task transferability to ensure robust VLM deployment in critical low-light applications.
Key insights
Infrared vision-language models are highly vulnerable to edge-placed, QR-inspired adversarial patches, severely degrading their performance across multiple tasks.
Principles
- Infrared VLMs lack robustness to structured edge-placed perturbations.
- Adversarial patches can transfer across different VLM tasks.
- Edge-placed attacks bypass direct object occlusion.
Method
InfraQR places a compact, structured patch along image boundaries. It optimizes learnable grid cells via surrogate CLIP-style encoders, generating near-binary adversarial patterns that are not valid QR codes.
In practice
- Evaluate VLM robustness beyond object occlusion.
- Consider edge-placed attacks in VLM security audits.
- Test infrared VLMs against structured boundary perturbations.
Topics
- InfraQR
- Adversarial Attacks
- Infrared Vision-Language Models
- Model Robustness
- Computer Vision Security
- CLIP Models
Best for: Research Scientist, AI Scientist, AI Security Engineer, Computer Vision Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Computer Vision and Pattern Recognition.