FlowHijack: A Dynamics-Aware Backdoor Attack on Flow-Matching Vision-Language-Action Models
Xinyuan An, Tao Luo, Gengyun Peng, Yaobing Wang, Kui Ren, Dongxia Wang
TL;DR
FlowHijack exposes a critical security vulnerability in flow-matching vision-language-action models by manipulating their vector field dynamics, enabling stealthy backdoor attacks without degrading normal performance.
Contribution
This paper introduces the first backdoor attack framework targeting the dynamics of flow-matching VLAs, combining a novel injection strategy with a regularizer to achieve high success and stealth.
Findings
FlowHijack achieves high attack success rates with stealthy triggers.
It preserves benign task performance while executing malicious actions.
Malicious actions are behaviorally indistinguishable from normal actions.
Abstract
Vision-Language-Action (VLA) models are emerging as a cornerstone for robotics, with flow-matching policies like showing great promise in generating smooth, continuous actions. As these models advance, their unique action generation mechanism - the vector field dynamics - presents a critical yet unexplored security vulnerability, particularly backdoor vulnerabilities. Existing backdoor attacks designed for autoregressive discretization VLAs cannot be directly applied to this new continuous dynamics. We introduce FlowHijack, the first backdoor attack framework to systematically target the underlying vector-field dynamics of flow-matching VLAs. Our method combines a novel -conditioned injection strategy, which manipulates the initial phase of the action generation, with a dynamics mimicry regularizer. Experiments demonstrate that FlowHijack achieves high attack success rates…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.