LG · CV · Jun 1

BYORn: Bootstrap Your Own Responses to Defend Large Vision-Language Models Against Backdoor Attacks

arXiv:2606.02947
AI Analysis

For practitioners fine-tuning vision-language models, BYORn provides an effective defense against backdoor attacks in open-ended generation settings, where existing defenses fail.

BYORn is a fine-tuning framework that defends large vision-language models against backdoor attacks by replacing poisoned target responses with model-generated alternatives, improving robustness while maintaining clean-task performance and establishing a new trade-off frontier between generalization and attack success rate.

Supervised fine-tuning is the predominant approach for adapting autoregressive vision-language models to downstream tasks. Recent work has shown that this paradigm is highly vulnerable to backdoor attacks, and that existing defenses are ineffective in open-ended generation settings. In response, we propose BYORn, a backdoor-robust fine-tuning framework motivated by the observation that poisoned target responses are often semantically implausible given the corresponding image-text inputs and a pretrained model. BYORn identifies such misaligned responses and dynamically replaces them with alternative responses generated by the model, thereby breaking the correlation between triggers and target outputs. The resulting objective gradient corresponds to the gradient of the empirical estimate of the population risk upper bound over the clean data distribution. Empirically, BYORn consistently improves robustness to backdoor attacks while preserving clean-task performance, establishing a new trade-off frontier between generalization and attack success rate. Finally, we demonstrate that BYORn remains effective against adaptive attacks specifically designed to circumvent the proposed defense.
