Revisiting Backdoor Attacks against Large Vision-Language Models from Domain Shift
It addresses security threats for users of large vision-language models by revealing enhanced backdoor generalizability as a critical vulnerability, though it is incremental in building on prior backdoor attack research.
This paper tackles the vulnerability of large vision-language models to backdoor attacks under domain shifts during instruction tuning, proposing a multimodal attribution backdoor attack (MABA) that boosts the attack success rate of generalization by 36.4% to 97% at a 0.2% poisoning rate.
Instruction tuning enhances large vision-language models (LVLMs) but increases their vulnerability to backdoor attacks due to their open design. Unlike prior studies in static settings, this paper explores backdoor attacks in LVLM instruction tuning across mismatched training and testing domains. We introduce a new evaluation dimension, backdoor domain generalization, to assess attack robustness under visual and text domain shifts. Our findings reveal two insights: (1) backdoor generalizability improves when distinctive trigger patterns are independent of specific data domains or model architectures, and (2) the competitive interaction between trigger patterns and clean semantic regions, where guiding the model to predict triggers enhances attack generalizability. Based on these insights, we propose a multimodal attribution backdoor attack (MABA) that injects domain-agnostic triggers into critical areas using attributional interpretation. Experiments with OpenFlamingo, Blip-2, and Otter show that MABA significantly boosts the attack success rate of generalization by 36.4%, achieving a 97% success rate at a 0.2% poisoning rate. This study reveals limitations in current evaluations and highlights how enhanced backdoor generalizability poses a security threat to LVLMs, even without test data access.