Saved in:
Bibliographic Details
Main Authors: Wang, Kun, Qian, Cheng, Yu, Miao, Peng, Lilan, Lin, Liang, Zhang, Jiaming, Zhang, Tianyu, Cheng, Yu, Wang, Yang
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2604.19083
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914494364516352
author Wang, Kun
Qian, Cheng
Yu, Miao
Peng, Lilan
Lin, Liang
Zhang, Jiaming
Zhang, Tianyu
Cheng, Yu
Wang, Yang
author_facet Wang, Kun
Qian, Cheng
Yu, Miao
Peng, Lilan
Lin, Liang
Zhang, Jiaming
Zhang, Tianyu
Cheng, Yu
Wang, Yang
contents Multimodal Large Language Models (MLLMs) have achieved remarkable success in cross-modal understanding and generation, yet their deployment is threatened by critical safety vulnerabilities. While prior works have demonstrated the feasibility of backdoors in MLLMs via fine-tuning data poisoning to manipulate inference, the underlying mechanisms of backdoor attacks remain opaque, complicating the understanding and mitigation. To bridge this gap, we propose ProjLens, an interpretability framework designed to demystify MLLMs backdoors. We first establish that normal downstream task alignment--even when restricted to projector fine--tuning--introduces vulnerability to backdoor injection, whose activation mechanism is different from that observed in text-only LLMs. Through extensive experiments across four backdoor variants, we uncover:(1) Low-Rank Structure: Backdoor injection updates appear overall full-rank and lack dedicated ``trigger neurons'', but the backdoor-critical parameters are encoded within a low-rank subspace of the projector;(2) Activation Mechanism: Both clean and poisoned embedding undergoes a semantic shift toward a shared direction aligned with the backdoor target, but the shifting magnitude scales linearly with the input norm, resulting in the distinct backdoor activation on poisoned samples. Our code is available at: https://anonymous.4open.science/r/ProjLens-8FD7
format Preprint
id arxiv_https___arxiv_org_abs_2604_19083
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle ProjLens: Unveiling the Role of Projectors in Multimodal Model Safety
Wang, Kun
Qian, Cheng
Yu, Miao
Peng, Lilan
Lin, Liang
Zhang, Jiaming
Zhang, Tianyu
Cheng, Yu
Wang, Yang
Cryptography and Security
Artificial Intelligence
Multimodal Large Language Models (MLLMs) have achieved remarkable success in cross-modal understanding and generation, yet their deployment is threatened by critical safety vulnerabilities. While prior works have demonstrated the feasibility of backdoors in MLLMs via fine-tuning data poisoning to manipulate inference, the underlying mechanisms of backdoor attacks remain opaque, complicating the understanding and mitigation. To bridge this gap, we propose ProjLens, an interpretability framework designed to demystify MLLMs backdoors. We first establish that normal downstream task alignment--even when restricted to projector fine--tuning--introduces vulnerability to backdoor injection, whose activation mechanism is different from that observed in text-only LLMs. Through extensive experiments across four backdoor variants, we uncover:(1) Low-Rank Structure: Backdoor injection updates appear overall full-rank and lack dedicated ``trigger neurons'', but the backdoor-critical parameters are encoded within a low-rank subspace of the projector;(2) Activation Mechanism: Both clean and poisoned embedding undergoes a semantic shift toward a shared direction aligned with the backdoor target, but the shifting magnitude scales linearly with the input norm, resulting in the distinct backdoor activation on poisoned samples. Our code is available at: https://anonymous.4open.science/r/ProjLens-8FD7
title ProjLens: Unveiling the Role of Projectors in Multimodal Model Safety
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2604.19083