SRD: Reinforcement-Learned Semantic Perturbation for Backdoor Defense in VLMs

TL;DR

This paper introduces SRD, a reinforcement learning-based method that detects and mitigates backdoor attacks in visual language models by applying semantic perturbations, significantly reducing attack success rates while maintaining caption quality.

Contribution

The paper proposes a trigger-agnostic, reinforcement learning framework that disrupts backdoor triggers in VLMs without prior trigger knowledge, enhancing model robustness.

Findings

Reduces backdoor attack success rate to below 6%.

Maintains over 85% of original caption quality on clean inputs.

Effective against both local and global backdoor attacks.

Abstract

Visual language models (VLMs) have made significant progress in image captioning tasks, yet recent studies have found they are vulnerable to backdoor attacks. Attackers can inject undetectable perturbations into the data during inference, triggering abnormal behavior and generating malicious captions. These attacks are particularly challenging to detect and defend against due to the stealthiness and cross-modal propagation of the trigger signals. In this paper, we identify two key vulnerabilities by analyzing existing attack patterns: (1) the model exhibits abnormal attention concentration on certain regions of the input image, and (2) backdoor attacks often induce semantic drift and sentence incoherence. Based on these insights, we propose Semantic Reward Defense (SRD), a reinforcement learning framework that mitigates backdoor behavior without requiring any prior knowledge of trigger patterns. SRD learns to apply discrete perturbations to sensitive contextual regions of image inputs via a deep Q-network policy, aiming to confuse attention and disrupt the activation of malicious paths. To guide policy optimization, we design a reward signal named semantic fidelity score, which jointly assesses the semantic consistency and linguistic fluency of the generated captions, encouraging the agent to achieve a robust yet faithful output. SRD offers a trigger-agnostic, policy-interpretable defense paradigm that effectively mitigates local (TrojVLM) and global (Shadowcast) backdoor attacks, reducing ASR to 3.6% and 5.6% respectively, with less than 15% average CIDEr drop on the clean inputs. Our codes can be found at https://github.com/Ciconey/SRD.git.