Self-Purification Mitigates Backdoors in Multimodal Diffusion Language Models

TL;DR

This paper introduces DiSP, a novel backdoor defense framework for Multimodal Diffusion Language Models that effectively neutralizes backdoors by self-purification and selective token masking, significantly reducing attack success rates.

Contribution

The paper proposes DiSP, a backdoor mitigation method for MDLMs that does not require auxiliary models or clean data, using self-purification and token masking techniques.

Findings

DiSP reduces attack success rate from over 90% to under 5%.

The method maintains model performance on clean tasks.

Effective against data-poisoning backdoor attacks.

Abstract

Multimodal Diffusion Language Models (MDLMs) have recently emerged as a competitive alternative to their autoregressive counterparts. Yet their vulnerability to backdoor attacks remains largely unexplored. In this work, we show that well-established data-poisoning pipelines can successfully implant backdoors into MDLMs, enabling attackers to manipulate model behavior via specific triggers while maintaining normal performance on clean inputs. However, defense strategies effective to these models are yet to emerge. To bridge this gap, we introduce a backdoor defense framework for MDLMs named DiSP (Diffusion Self-Purification). DiSP is driven by a key observation: selectively masking certain vision tokens at inference time can neutralize a backdoored model's trigger-induced behaviors and restore normal functionality. Building on this, we purify the poisoned dataset using the compromised model itself, then fine-tune the model on the purified data to recover it to a clean one. Given such a specific design, DiSP can remove backdoors without requiring any auxiliary models or clean reference data. Extensive experiments demonstrate that our approach effectively mitigates backdoor effects, reducing the attack success rate (ASR) from over 90% to typically under 5%, while maintaining model performance on benign tasks.