When Attention Betrays: Erasing Backdoor Attacks in Robotic Policies by Reconstructing Visual Tokens

TL;DR

This paper introduces Bera, a novel test-time defense for vision-language-action models that detects and erases backdoors by analyzing attention patterns, without retraining, thereby enhancing robotic system security.

Contribution

Bera leverages deep-layer attention cues to detect and reconstruct backdoored visual tokens at test time, avoiding costly retraining and improving robustness against backdoor attacks.

Findings

Bera effectively reduces attack success rates across multiple platforms.

It maintains nominal task performance while erasing backdoors.

Bera does not require retraining or training pipeline modifications.

Abstract

Downstream fine-tuning of vision-language-action (VLA) models enhances robotics, yet exposes the pipeline to backdoor risks. Attackers can pretrain VLAs on poisoned data to implant backdoors that remain stealthy but can trigger harmful behavior during inference. However, existing defenses either lack mechanistic insight into multimodal backdoors or impose prohibitive computational costs via full-model retraining. To this end, we uncover a deep-layer attention grabbing mechanism: backdoors redirect late-stage attention and form compact embedding clusters near the clean manifold. Leveraging this insight, we introduce Bera, a test-time backdoor erasure framework that detects tokens with anomalous attention via latent-space localization, masks suspicious regions using deep-layer cues, and reconstructs a trigger-free image to break the trigger-unsafe-action mapping while restoring correct behavior. Unlike prior defenses, Bera requires neither retraining of VLAs nor any changes to the training pipeline. Extensive experiments across multiple embodied platforms and tasks show that Bera effectively maintains nominal performance, significantly reduces attack success rates, and consistently restores benign behavior from backdoored outputs, thereby offering a robust and practical defense mechanism for securing robotic systems.