BadWorld: Adversarial Attacks on World Models
Source: arxiv.org

BadWorld proposes a label-free adversarial attack framework that specifically targets autoregressive visual world models (VWMs). It disrupts the model's early denoising dynamics through a self-supervised velocity attack, and uses trajectory-adaptive bi-level optimization to mine hard control sequences, producing control-agnostic perturbations. Tests on VWMs with continuous and discrete controls show that visually indistinguishable adversarial images can trigger catastrophic degradation of future video rollouts, including incomplete denoising, structural collapse, and control inconsistency. The work reveals serious structural fragility in VWMs deployed in safety-critical systems, while also offering a practical mechanism for privacy protection.
Visual world models (VWMs) synthesize interactive, action-conditioned rollouts from a single context image. However, it remains an open question how robust these models are to adversarial perturbations. Standard adversarial attacks fail to assess this vulnerability because attackers lack ground-truth future videos and cannot predict subsequent user controls. We introduce BadWorld, a label-free adversarial framework tailored for autoregressive VWMs that systematically overcomes both constraints. First, to bypass the need for future supervision, we propose a self-supervised velocity attack that directly disrupts the early denoising dynamics of the model. Second, to ensure the attack generalizes across unpredictable user actions, we formulate a trajectory-adaptive bi-level optimization that actively mines hard control sequences to forge control-agnostic perturbations. Evaluated on representative VWMs with continuous and discrete controls, BadWorld exposes severe structural fragility. Visually indistinguishable adversarial images reliably trigger catastrophic degradation in future rollouts, leading to incomplete denoising, structural collapse, and control inconsistency. These findings reveal critical risks for deploying VWMs in safety-critical systems while highlighting a practical mechanism for privacy protection.