Robust Anti-Backdoor Instruction Tuning in LVLMs

TL;DR

This paper proposes a lightweight, certified-agnostic defense framework called Robust Instruction Tuning that finetunes only adapter modules and text embeddings in LVLMs, effectively mitigating backdoor attacks without modifying core weights or requiring attack priors.

Contribution

The paper introduces a novel defense method that employs input diversity and anomalous activation regularizations to prevent LVLMs from overfitting to backdoor triggers during adapter-level tuning.

Findings

Reduces attack success rate to nearly zero across seven attack types.

Increases training cost by less than 15%.

Effective against unseen trigger patterns without prior knowledge.

Abstract

Large visual language models (LVLMs) have demonstrated excellent instruction-following capabilities, yet remain vulnerable to stealthy backdoor attacks when finetuned using contaminated data. Existing backdoor defense techniques are usually developed for single-modal visual or language models under fully parameter-adjustable settings or rely on supervisory knowledge during training. However, in real-world scenarios, defenders cannot modify frozen visual encoders or core LLM parameters, nor possess prior knowledge of unknown trigger patterns or target responses. Motivated by the empirical finding that LVLMs readily overfit to fixed, unknown triggers, which can embed malicious associations during adapter-level tuning, we aim to design a defense that operates without access to core weights or attack priors. To this end, we introduce a lightweight, certified-agnostic defense framework, Robust Instruction Tuning, that finetunes only adapter modules and text embedding layers under instruction tuning. Our method integrates two complementary regularizations: (1) Input Diversity Regularization, which perturbs trigger components across training samples to disrupt consistent spurious cues; and (2) Anomalous Activation Regularization, which dynamically sparses adapter weights exhibiting abnormally sharp activations linked to backdoor patterns. These mechanisms jointly guide the model toward learning semantically grounded representations rather than memorizing superficial trigger-response mappings. Extensive experiments against seven attacks on Flickr30k and MSCOCO demonstrate that ours reduces their attack success rate to nearly zero, with an increase in training cost of less than 15%.