Revisiting Backdoor Attacks against
Large Vision-Language Models

Multimodal instruction tuning [49, 34] significantly improves the ability of Large Visual Language Models (LVLMs) to process multimodal data, enabling these models to better understand and respond to user intent. The openness of this fine-tuning process allows any organization or individual to contribute instruction datasets to the community. While this openness promotes knowledge sharing and rapid technological advancement, it also presents clear security risks [10, 19, 15, 12, 11, 16, 76]. Specifically, an attacker could embed fewer malicious data in a self-build instruction tuning set, potentially manipulating or disrupting the model’s output [77], thereby compromising the model’s security.

Current backdoor attacks [56, 31] are generally based on the assumption that training and testing instructions originate from similar or close data distributions. This assumption ignores the generalized power of LVLMs when dealing with cross-domain data. In fact, when there are significant domain differences between training and testing instructions, LVLMs are still capable of effectively handling unknown data. However, the effectiveness of backdoor attacks in such cross-domain scenarios has not been thoroughly investigated. When testing across different data domains, the generalizability of backdoor attacks is demonstrated by the trigger patterns that are still able to effectively activate the poisoned model.

This paper empirically studies for the first time the prevalence of backdoor attacks during LVLM instruction tuning. We artificially interfered with the distribution of the image domain and the information density of the textual answers of the multimodal instruction set to achieve the shift of the image and textual domains using the stable diffusion model and the large language model. Then, we quantitatively evaluate six classical backdoor attacks in the image caption task [37, 54] as a benchmark, revealing the limitations of most backdoor attack methods in real scenarios.

Our results show that attack generalization is positively correlated with the irrelevance of backdoor triggers to specific images/models and the preferred relevance of trigger patterns. Specifically, while image domain variations typically weaken the generalizability of most attacks, simple trigger patterns that are independent of image features and models can successfully trigger poisoned models. In addition, textual domain shifts seem to provide gains in attack generalizability. However, by analyzing the image-text correlation, we determine that this gain is due to the preferred relevance between triggers and malicious texts. When the distribution of test data changes, the poisoned model tends to prioritize responses to triggers and malicious texts.

Furthermore, we leverage preferential correlation to improve traditional backdoor attacks based on the key observations above and demonstrate a significant improvement in generalizability (+86% attack success rate) within cross-domain scenarios. Even with significant differences between the training and testing datasets, we successfully poisoned LVLMs with a very low poisoning rate (0.2%) and an attack success rate of over 97%. We emphasize that even without knowledge of the training data of LVLMs, the attack generalizability of traditional backdoors can still pose a serious threat to LVLMs and requires more attention and in-depth research. The contributions of this paper can be summarized as follows:

• •

  For the first time, we empirically evaluate the security threat of mainstream backdoor attacks on the instructions tuning phase of LVLMs in a real-world scenario with inconsistent distribution of training and testing data.

• •

  Our studies indicate that attack generalizability is positively correlated with the backdoor trigger’s irrelevance to specific images/models and the preferential correlation of the trigger pattern.

• •

  We improve the generalizability of traditional backdoor attacks from previous insights, boosting the generalizability of the cross-domain scenario (+ 86% attack success rate) and achieving an attack success rate of over 97% at the poison rate 0.2%.

Multimodal instruction tuning. To improve the functionality and controllability of LVLMs, multimodal instruction tuning [81, 51] works by using different types of data (e.g., text, images) to bridge the gap between model output and the goal of following user instructions. The existing work [53] can be divided into expert systems [70, 74, 80] and modular training [36, 50, 83] based on parameter tuning [32]. Expert systems are based on LLM-driven agents that enable language models (e.g., ChatGPT [71]) to accept complex multimodal information and integrate tightly with each vision expert model without adjusting model parameters such as Hugginggpt [61], Visual ChatGPT [70], and MM-REACT [74]. To reduce memory and resource usage, modular training [36, 50, 83] can be a good alternative to tuning the instruction for aligned visual language models. For example, MultiModal-GPT [30], Otter [35], and InstructBLIP [9] improve multimodal data quality or specific optimization modules to enhance the instruction tracking capabilities of multimodal large models (e.g., Openflamingo [2] and BLIP2 [36]). Along this line, other representative works including Instructpix2pix [5], LLaVA [51], and Video-LLaMA [79]. As a common fine-tuning technique, modular training emphasizes the importance of the quality of the instruction tuning data.

Backdoor attacks on LVLMs. Deep learning models are vulnerable to adversarial attacks [45, 47, 44, 43, 52, 78, 46, 18, 17, 28, 21, 20, 27, 43, 13, 24, 14, 25, 33] and backdoor attacks [31, 48, 67, 41, 48, 23, 22, 39, 82, 84]. Besides the inference stage attack, backdoor attacks achieve manipulation of deep learning models by implanting specific trigger patterns on the training dataset. In the inference phase, the infected model predicts normally on clean samples but exhibits specific errors on malicious samples accompanied by specific trigger conditions. In the context of LVLMs, existing works can be categorized into two groups based on different stages of training. In the pre-training phase, current multimodal backdoor attacks focus mainly on the CLIP model [60]. For example, Carlini et al.[6] fool the CLIP model by poisoning a small number of 0.01% paired graphic pairs. Yang et al.[75] explored the impact of poisoning attacks in different modalities and proposed three effective poisoning attacks. In order to increase the stealthiness and persistence of the attack, BadCLIP [41] proposes a backdoor attack that resists detection and mitigation defenses [26, 40]. In the model fine-tuning phase, Shu et al.[62] and Yan et al.[73] demonstrated that an attacker can manipulate the behavior of an LLM by injecting specific instruction hints during the instruction tuning process. Liang et al.[39] proposed for the first time an instruction backdoor attack method against LVLM. Similarly, Showcast [72] and Ni et al.[57] demonstrated the harm of the multimodal command backdoor attack in generative narrative and autopilot scenarios, respectively. ImgTrojan [63] even exploited this attack and successfully jailbroke the model.

Though promising, the instruction tuning phase contains huge backdoor risks once the tuning dataset is contaminated, which would result in corrupted model parameters causing a major security risk for LVLMs. Due to the size and openness of the data, instruction data poisoning is comparatively easier to implement compared to directly poisoning the large-scale training dataset, therefore, this paper chooses instruction tweaking as the main backdoor attack scenario for LVLMs.

Adversarial goal. Given an aligned LVLM $f_{\bm{\theta}}$ and an instruction tuning dataset $\mathcal{D}^{k}=\{(\bm{q}_{i},\bm{x}_{i},\bm{y}_{i})\}_{i=1}^{n}$ for a specific task, where $\bm{q}_{i}$ and $\bm{x}_{i}$ are the input instruction text and image, respectively, and $\bm{y}_{i}$ is the desired target output text. From this dataset, an attacker selects $m$ samples to create a malicious instruction set $\mathcal{D}^{p}=\{(\bm{\hat{q}}_{j},\bm{\hat{x}}_{j},\bm{\hat{y}}_{j})\}_{j=1}^{m}$, where the inputs and the desired outputs are altered to embed backdoors into the model. The remaining $n-m$ clean samples form the clean dataset $\mathcal{D}^{c}$. Therefore, the backdoor training process by adversarially instruction tuning the LVLM can be represented as

$$\bm{\theta}^{*}=\text{argmin}_{\bm{\theta}}\left(\sum_{(\bm{q}_{i},\bm{x}_{i},\bm{y}_{i})\in\mathcal{D}^{c}}\mathcal{L}(f(\bm{q}_{i},\bm{x}_{i};\bm{\theta}),\bm{y}_{i})+\sum_{(\bm{\hat{q}}_{j},\bm{\hat{x}}_{j},\bm{\hat{y}}_{j})\in\mathcal{D}^{p}}\mathcal{L}(f(\bm{\hat{q}}_{j},\bm{\hat{x}}_{j};\bm{\theta}),\bm{\hat{y}}_{j})\right),$$

(1)

where $\mathcal{L}$ denotes the cross-entropy loss. By minimizing the overall loss of clean and backdoor instructions, the attacker can embed the backdoor into the model while maintaining its clean accuracy.

Attacker’s capabilities. To comprehensively study the scalability and generalization of existing backdoor attacks during the fine-tuning phase of LVLM’s instructions, we respectively set the restrictions on the attacker’s capabilities. To study attack scalability, the attacker has access to both the original tuning instruction dataset $\mathcal{D}^{o}$ and the training process. To evaluate the attack generalizability, we further restrict attackers’ capability and prohibit access to the original instruction set $\mathcal{D}^{o}$.

Attack framework. Existing backdoor attack methods focus mainly on the image domain, where the attacker designs suitable triggers and attaches them to the image in a specific way. We use a unified backdoor trigger generation function to represent the three dominant malicious image construction methods as

$$T(\bm{\hat{x}}_{j};\bm{\theta}^{T},\text{mtd})=\begin{cases}\bm{x}_{j}\odot(1-\text{mask})+\bm{\tau}\odot\text{mask}&\text{if mtd = Case \text{I}}\\ w(\bm{\bm{x}}_{j})&\text{if mtd = Case \text{II}}\\ \bm{x}_{j}+g(\bm{\tau};\bm{\theta}^{T}),\\ \text{s.t. }\arg\min_{\bm{\tau},\bm{\theta}^{T}}\left(\mathcal{L}(f(\bm{x}_{j}+g(\bm{\tau};\bm{\theta}^{T})),\bm{y}^{t})+\lambda R(\bm{\tau},\bm{\theta}^{T})\right)&\text{if mtd = Case \text{III}}\\ \end{cases}$$

(2)

where mtd refers to the attack type. $\bm{\tau}$ represents the trigger pattern, a perturbation applied to the input $\bm{\hat{x}}_{j}$ to induce a specific behavior in the model.

For Case I, it covers attacks in which trigger patterns $\bm{\tau}$ are designed independently of both the image and the model context. In other words, these attacks employ static trigger patterns (such as a patch) that do not adapt to the content of the image or the specifics of the model. Case II consists of attacks that modify the image itself (such as transformations) using operation $w(\bm{\hat{x}}_{j})$ to embed the trigger, where the trigger patterns are usually specific to the image properties (e.g., frequency). For Case III, the attack is related to the model $f$, where the methods typically involve optimizing the trigger pattern using a function $g(\bm{\tau};\bm{\theta}^{T})$ by network parameters $\bm{\theta}^{T}$ with the regularization function $R$ and the scaling factor $\lambda$ for the specific objective $\bm{y}^{t}$ (i.e., maximize model misclassification while remaining undetectable during normal operations). Fig. 1 shows the attack process. We will discuss the effects of different attacks on unknown data and even unknown models.

Evaluation protocol. ❶ Dataset: we chose the fine-tuned subset of instructions on Image Caption [66, 68, 3] from the MIMIC-IT dataset [35] as the original fine-tuned instruction set to minimize the additional impact of different tasks. The test datasets used for evaluation were the standard image description datasets COCO [42] and Flickr30K [59]. ❷ Models: we consider three victim LVLMs to attack including OpenFlamingo [2], BLIP-2 [36], and LLaVA [50]. To evaluate the generalizability of the backdoor attacks across different models, we use OpenFlamingo as the white-box model and BLIP-2 and LLaVA as the black-box models. More details are shown in the Appendix A. ❸ Attacks: for Case I, we choose BadNets attack [31] and Blended attack [8]; for Case II, we consider LowFrequency [77] and WaNet [55]; for Case III, we use DualKey [67] and InputAware [56]. Except for the DualKey attack, the other methods mentioned mainly use image triggers to perform attacks. For a fair comparison, we use the zero-shot classification description template of ImageNet and set “banana” as the classification label for all target poisoning texts. More details are shown in the Appendix B. ❹ Metrics: we use CIDEr [65] to quantitatively assess the similarity and correlation between text generated by LVLMs on clean images and manual annotation. For malicious samples, we use the attack success rate (i.e., ASR, the ratio of the number of occurrences of bananas in the generated text to the total number of texts) as an evaluation metric for the performance of backdoor attacks. Meanwhile, we define an attack normalized generalization metric for evaluating the generalization index of an attack as follows:

$$\text{ASR-G}=\frac{\text{ASR}_{\mathcal{D}^{k}}-\text{ASR}_{\mathcal{D}^{o}}}{\max(\text{ASR}_{\mathcal{D}^{k}},\text{ASR}_{\mathcal{D}^{o}})}\in[-1,1],$$

(3)

where $\text{ASR}_{\mathcal{D}^{k}}$ and $\text{ASR}_{\mathcal{D}^{o}}$ denote the success rate of the poisoned model’s attack on the known instruction tuning dataset $\mathcal{D}^{k}$ and the original instruction tuning dataset $\mathcal{D}^{o}$ with the same distribution as the model test, respectively. ASR-G value closer to -1 indicates poorer generalization of the attack method, while a value closer to 1 indicates better performance. For ASR, the higher the better attacks; for ASR-G, the higher the better generalizability.

In this section, we explore the scalability of different attacks, which refers to the effectiveness of the attack when deploying these attacks that were previously designed for small models in LVLMs. We follow the parameters of the backdoor attack benchmark [69] and apply existing attack trigger patterns to the visual modality. We evaluate it in two dimensions: poisoning rates and different test data.

Poisoning rate of instructions. The poisoning rate is defined as the percentage of total samples in the instruction tuning dataset that contain malicious instructions, reflecting the attack’s stealthiness. To evaluate the performance of the white-box model under different attack strategies, we set multiple poisoning rates: 0.1%, 0.5%, 1%, 5%, and 10%. As shown in Tab. 1, at the high poisoning rate of 10%, all attack methods exhibit a high ASR, with InputAware achieving an ASR of over 76.10%. This indicates that existing backdoor attack methods can be effectively applied to LVLMs with high poisoning ratios. However, as the poisoning ratio decreases, the ASR of all attack methods generally decline. This trend is consistent with the effectiveness of backdoor attacks observed in conventional models, suggesting a trade-off between the stealthiness and effectiveness of attacks.

Robustness of backdoor attacks. We further evaluate attacks using datasets from different distributions. Specifically, both the instruction tuning dataset and the testing COCO dataset were sampled from MS COCO [42], while the Flickr30K dataset had a significant difference. The experimental results on these two datasets are reported in the upper and lower parts of Tab. 1. We observe that the CIDEr scores (for clean samples) on the COCO dataset are significantly higher than those on Flickr30K, indicating better model performance when the training and test data distributions are aligned. However, the ASR on the different datasets remains consistently high (e.g., 97.62% v.s. 99.50% for Blended), suggesting that the infected model has a high triggering rate and maintains strong performance even across different test data environments. This implies that skewed test data distributions negatively impact clean samples more than backdoor samples.

Analysis. Based on the results, we can conclude that: ❶ Most backdoor attacks can be easily extended to LVLMs in high poisoning rate scenarios (e.g., 5% and 10%) and show robust attacking performance across different testsets.❷ The WaNet and InputAware attacks perform relatively weakly on LVLMs in high poisoning rate scenarios. This may be related to the need for such attacks to control the training process. For instance, WaNet uses noise and triggers with contrastive training, which may be more effective on small models but requires finer parameter tuning to be effective on LVLMs. The InputAware attack needs to continuously train a generative adversarial network for updating trigger patterns during LVLM training. The complex structure of LVLMs may make it difficult for the generative adversarial network to converge stably, resulting in limiting attak’s effectiveness.

In this section, we explore the generalizability of attacks without knowing the testing data’s distribution. Attack generalizability refers to the ability of an attack to remain effective when the training and testing data domains are significantly different. Given pratical challenges, an attacker may not have access to the original training dataset $\mathcal{D}^{o}$ (e.g., the dataset used in Sec. 4) and need to perform poisoning on a self-built multimodal instruction dataset $\mathcal{D}^{k}$.

As discussed in Sec. 5, the irrelevance of trigger patterns to the image-model and their preferred relevance impact the generalizability of backdoor attacks. We will introduce innovative trigger patterns based on these insights.

New trigger pattern design. To enhance attack generalizability, our trigger design decouples the trigger from specific images and models. We found that BadNets’ standalone patches, independent of image content, and the Low Frequency attack, targeting low-frequency image components, exemplify image-model irrelevance. Leveraging these concepts, we’ve developed new trigger patterns. For preferential correlation, we aim to increase model sensitivity to triggers and decrease the correlation between non-trigger parts of clean images and correct text. Inspired by Gavrikov et al. [29] findings on shape bias in LVLMs, we designed a yellow oval trigger, OursShape, which aligns with the semantics of the target text ’banana’, enhancing model sensitivity and trigger effectiveness. Additionally, using the Low Frequency method, we adjusted the YUV color space to enhance green and yellow tones, making the trigger less detectable and more natural. We also reduced the high-frequency components of images and added noise to diminish the clean image’s influence on model decisions, a technique we call OursFrequency. Detailed implementation and algorithms are provided in Appendix B.

Attack generalizability evaluation. In Tab. 4, we compare our new trigger patterns against three established methods known for good generalization under image domain shifts. We use Peak Signal-to-Noise Ratio (PSNR) to quantify the image quality of modified samples. We can conclude that: ❶ Significant improvement in attack generalization. Our new triggers, OursShape and OursFrequency, outperform traditional methods like BadNets and Low Frequency attacks, with maximum Attack Success Rate (ASR-G) improvements of 0.88 and 0.78 respectively. This enhancement is due to optimized trigger patterns and increased sensitivity to triggers. ❷Impact of image domain shifts on generalization. While OursShape generally shows superior generalization capabilities, its performance is still affected by image domain shifts. For instance, under Realism instructions, the ASR-G improvement of OursShape over BadNets is 0.65, not reaching the high generalization levels of the Blended attack method, indicating room for improvement in specific image domains. ❸ Relationship between image quality and attack generalization. Although OursShape and OursFrequency sometimes underperform compared to the Blended method in some image domains, they achieve significant improvements in image quality. Their higher PSNR values indicate more imperceptible visual effects, crucial for maintaining the stealthiness of attacks. This highlights the importance of image quality as a factor influencing attack generalization, suggesting that optimizing image quality can effectively enhance the practicality and stealthiness of attacks.

Towards more realistic attack scenarios. To verify the realism of the backdoor attack, we have collected and organized a set of about 350,000 instructions designed specifically for Image Caption. Derived from M3IT [38], CC3M [7], and our own self-constructed dataset of image domain and text domain offsets, these constitute a broad multimodal instruction set that mimics the large-scale set of fine-tunings that an attacker might use. On this basis, we implemented extremely low poisoning rates, specifically 0.2%, 0.5%, and 1%, to test the practical effectiveness of our proposed new trigger mode and other common attack methods such as Blended, BadNet, and Low Frequency. As shown in Fig. 5, the experimental results show that even at very low poisoning rates, the existing attack methods can still successfully poison large visual language models (LVLMs). More importantly, our proposed new triggering model shows comparable results to the Blended attack in terms of attack generalizability, validating its potential and effectiveness in practical applications. This finding emphasizes the potential danger of backdoor attacks in practical applications, and also demonstrates the feasibility of low-drop**-rate attacks in modern multimodal systems. More results are shown in the Appendix E.

We revisit the possibility of popular backdoor attacks during multimodal visual-language model instruction tuning in this study. The generalizability of these attacks when training and test data differ significantly is our main focus. Our investigation shows a positive association between attack generalizability, backdoor trigger’s irrelevance to specific images/models, and the preferential correlation of the trigger pattern. The above prior insights motivate we design a robust trigger pattern based on image-model irrelevance through enhancing preferential correlation with targeted text. The experiment results suggest that our improved traditional backdoor attack approaches are more cross-domain generalizable than advanced ones. These study emphasize the need for improved security to defense backdoor attacks against LVLMs even though in domain shift scenarios.