Test-Time Attention Purification for Backdoored Large Vision Language Models

TL;DR

This paper introduces CleanSight, a test-time defense method for large vision-language models that detects and neutralizes backdoor triggers by analyzing and pruning attention patterns, without retraining.

Contribution

The paper provides a mechanistic understanding of backdoor behaviors in LVLMs and proposes a novel, training-free, test-time defense method based on attention analysis.

Findings

CleanSight effectively detects poisoned inputs using attention ratios.

It neutralizes backdoors by pruning high-attention visual tokens.

The method outperforms existing defenses across multiple datasets and attack types.

Abstract

Despite the strong multimodal performance, large vision-language models (LVLMs) are vulnerable during fine-tuning to backdoor attacks, where adversaries insert trigger-embedded samples into the training data to implant behaviors that can be maliciously activated at test time. Existing defenses typically rely on retraining backdoored parameters (e.g., adapters or LoRA modules) with clean data, which is computationally expensive and often degrades model performance. In this work, we provide a new mechanistic understanding of backdoor behaviors in LVLMs: the trigger does not influence prediction through low-level visual patterns, but through abnormal cross-modal attention redistribution, where trigger-bearing visual tokens steal attention away from the textual context - a phenomenon we term attention stealing. Motivated by this, we propose CleanSight, a training-free, plug-and-play defense that operates purely at test time. CleanSight (i) detects poisoned inputs based on the relative visual-text attention ratio in selected cross-modal fusion layers, and (ii) purifies the input by selectively pruning the suspicious high-attention visual tokens to neutralize the backdoor activation. Extensive experiments show that CleanSight significantly outperforms existing pixel-based purification defenses across diverse datasets and backdoor attack types, while preserving the model's utility on both clean and poisoned samples.