Saved in:
Bibliographic Details
Main Authors: Zhang, Zhifang, Yang, Bojun, He, Shuo, Chen, Weitong, Zhang, Wei Emma, Maennel, Olaf, Feng, Lei, Xu, Miao
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2603.12989
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866917338837680128
author Zhang, Zhifang
Yang, Bojun
He, Shuo
Chen, Weitong
Zhang, Wei Emma
Maennel, Olaf
Feng, Lei
Xu, Miao
author_facet Zhang, Zhifang
Yang, Bojun
He, Shuo
Chen, Weitong
Zhang, Wei Emma
Maennel, Olaf
Feng, Lei
Xu, Miao
contents Despite the strong multimodal performance, large vision-language models (LVLMs) are vulnerable during fine-tuning to backdoor attacks, where adversaries insert trigger-embedded samples into the training data to implant behaviors that can be maliciously activated at test time. Existing defenses typically rely on retraining backdoored parameters (e.g., adapters or LoRA modules) with clean data, which is computationally expensive and often degrades model performance. In this work, we provide a new mechanistic understanding of backdoor behaviors in LVLMs: the trigger does not influence prediction through low-level visual patterns, but through abnormal cross-modal attention redistribution, where trigger-bearing visual tokens steal attention away from the textual context - a phenomenon we term attention stealing. Motivated by this, we propose CleanSight, a training-free, plug-and-play defense that operates purely at test time. CleanSight (i) detects poisoned inputs based on the relative visual-text attention ratio in selected cross-modal fusion layers, and (ii) purifies the input by selectively pruning the suspicious high-attention visual tokens to neutralize the backdoor activation. Extensive experiments show that CleanSight significantly outperforms existing pixel-based purification defenses across diverse datasets and backdoor attack types, while preserving the model's utility on both clean and poisoned samples.
format Preprint
id arxiv_https___arxiv_org_abs_2603_12989
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Test-Time Attention Purification for Backdoored Large Vision Language Models
Zhang, Zhifang
Yang, Bojun
He, Shuo
Chen, Weitong
Zhang, Wei Emma
Maennel, Olaf
Feng, Lei
Xu, Miao
Computer Vision and Pattern Recognition
Cryptography and Security
Despite the strong multimodal performance, large vision-language models (LVLMs) are vulnerable during fine-tuning to backdoor attacks, where adversaries insert trigger-embedded samples into the training data to implant behaviors that can be maliciously activated at test time. Existing defenses typically rely on retraining backdoored parameters (e.g., adapters or LoRA modules) with clean data, which is computationally expensive and often degrades model performance. In this work, we provide a new mechanistic understanding of backdoor behaviors in LVLMs: the trigger does not influence prediction through low-level visual patterns, but through abnormal cross-modal attention redistribution, where trigger-bearing visual tokens steal attention away from the textual context - a phenomenon we term attention stealing. Motivated by this, we propose CleanSight, a training-free, plug-and-play defense that operates purely at test time. CleanSight (i) detects poisoned inputs based on the relative visual-text attention ratio in selected cross-modal fusion layers, and (ii) purifies the input by selectively pruning the suspicious high-attention visual tokens to neutralize the backdoor activation. Extensive experiments show that CleanSight significantly outperforms existing pixel-based purification defenses across diverse datasets and backdoor attack types, while preserving the model's utility on both clean and poisoned samples.
title Test-Time Attention Purification for Backdoored Large Vision Language Models
topic Computer Vision and Pattern Recognition
Cryptography and Security
url https://arxiv.org/abs/2603.12989