Saved in:
Bibliographic Details
Main Authors: Xu, Shuhan, Liang, Siyuan, Zheng, Hongling, Liu, Aishan, Wang, Xinbiao, Luo, Yong, Lin, Fu, Rutkowski, Leszek, Tao, Dacheng
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2506.04743
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866918204869181440
author Xu, Shuhan
Liang, Siyuan
Zheng, Hongling
Liu, Aishan
Wang, Xinbiao
Luo, Yong
Lin, Fu
Rutkowski, Leszek
Tao, Dacheng
author_facet Xu, Shuhan
Liang, Siyuan
Zheng, Hongling
Liu, Aishan
Wang, Xinbiao
Luo, Yong
Lin, Fu
Rutkowski, Leszek
Tao, Dacheng
contents Visual language models (VLMs) have made significant progress in image captioning tasks, yet recent studies have found they are vulnerable to backdoor attacks. Attackers can inject undetectable perturbations into the data during inference, triggering abnormal behavior and generating malicious captions. These attacks are particularly challenging to detect and defend against due to the stealthiness and cross-modal propagation of the trigger signals. In this paper, we identify two key vulnerabilities by analyzing existing attack patterns: (1) the model exhibits abnormal attention concentration on certain regions of the input image, and (2) backdoor attacks often induce semantic drift and sentence incoherence. Based on these insights, we propose Semantic Reward Defense (SRD), a reinforcement learning framework that mitigates backdoor behavior without requiring any prior knowledge of trigger patterns. SRD learns to apply discrete perturbations to sensitive contextual regions of image inputs via a deep Q-network policy, aiming to confuse attention and disrupt the activation of malicious paths. To guide policy optimization, we design a reward signal named semantic fidelity score, which jointly assesses the semantic consistency and linguistic fluency of the generated captions, encouraging the agent to achieve a robust yet faithful output. SRD offers a trigger-agnostic, policy-interpretable defense paradigm that effectively mitigates local (TrojVLM) and global (Shadowcast) backdoor attacks, reducing ASR to 3.6% and 5.6% respectively, with less than 15% average CIDEr drop on the clean inputs. Our codes can be found at https://github.com/Ciconey/SRD.git.
format Preprint
id arxiv_https___arxiv_org_abs_2506_04743
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle SRD: Reinforcement-Learned Semantic Perturbation for Backdoor Defense in VLMs
Xu, Shuhan
Liang, Siyuan
Zheng, Hongling
Liu, Aishan
Wang, Xinbiao
Luo, Yong
Lin, Fu
Rutkowski, Leszek
Tao, Dacheng
Computer Vision and Pattern Recognition
Visual language models (VLMs) have made significant progress in image captioning tasks, yet recent studies have found they are vulnerable to backdoor attacks. Attackers can inject undetectable perturbations into the data during inference, triggering abnormal behavior and generating malicious captions. These attacks are particularly challenging to detect and defend against due to the stealthiness and cross-modal propagation of the trigger signals. In this paper, we identify two key vulnerabilities by analyzing existing attack patterns: (1) the model exhibits abnormal attention concentration on certain regions of the input image, and (2) backdoor attacks often induce semantic drift and sentence incoherence. Based on these insights, we propose Semantic Reward Defense (SRD), a reinforcement learning framework that mitigates backdoor behavior without requiring any prior knowledge of trigger patterns. SRD learns to apply discrete perturbations to sensitive contextual regions of image inputs via a deep Q-network policy, aiming to confuse attention and disrupt the activation of malicious paths. To guide policy optimization, we design a reward signal named semantic fidelity score, which jointly assesses the semantic consistency and linguistic fluency of the generated captions, encouraging the agent to achieve a robust yet faithful output. SRD offers a trigger-agnostic, policy-interpretable defense paradigm that effectively mitigates local (TrojVLM) and global (Shadowcast) backdoor attacks, reducing ASR to 3.6% and 5.6% respectively, with less than 15% average CIDEr drop on the clean inputs. Our codes can be found at https://github.com/Ciconey/SRD.git.
title SRD: Reinforcement-Learned Semantic Perturbation for Backdoor Defense in VLMs
topic Computer Vision and Pattern Recognition
url https://arxiv.org/abs/2506.04743