Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

BadToken: Token-level Backdoor Attacks to Multi-modal Large Language Models

Zenghui Yuan, Jiawen Shi, Pan Zhou, Neil Zhenqiang Gong, Lichao Sun

TL;DR

BadToken introduces a novel token-level backdoor for multi-modal LLMs, enabling Token-substitution and Token-addition while preserving normal performance on clean inputs. The method uses shadow datasets and a three-term loss combining backdoor effectiveness, clean accuracy, and embedding alignment to train a backdoored model, with optimization aided by gradients and LoRA. Across two open-source MLLMs and standard vision-language tasks, BadToken achieves high attack success rates with strong concealment, and demonstrates resilience to white-box and black-box defenses in many settings. Real-world case studies in autonomous driving and medical diagnosis illustrate concrete safety risks, underscoring the need for stronger defenses and secure deployment of MLLMs.

Abstract

Multi-modal large language models (MLLMs) extend large language models (LLMs) to process multi-modal information, enabling them to generate responses to image-text inputs. MLLMs have been incorporated into diverse multi-modal applications, such as autonomous driving and medical diagnosis, via plug-and-play without fine-tuning. This deployment paradigm increases the vulnerability of MLLMs to backdoor attacks. However, existing backdoor attacks against MLLMs achieve limited effectiveness and stealthiness. In this work, we propose BadToken, the first token-level backdoor attack to MLLMs. BadToken introduces two novel backdoor behaviors: Token-substitution and Token-addition, which enable flexible and stealthy attacks by making token-level modifications to the original output for backdoored inputs. We formulate a general optimization problem that considers the two backdoor behaviors to maximize the attack effectiveness. We evaluate BadToken on two open-source MLLMs and various tasks. Our results show that our attack maintains the model's utility while achieving high attack success rates and stealthiness. We also show the real-world threats of BadToken in two scenarios, i.e., autonomous driving and medical diagnosis. Furthermore, we consider defenses including fine-tuning and input purification. Our results highlight the threat of our attack.

BadToken: Token-level Backdoor Attacks to Multi-modal Large Language Models

TL;DR

BadToken introduces a novel token-level backdoor for multi-modal LLMs, enabling Token-substitution and Token-addition while preserving normal performance on clean inputs. The method uses shadow datasets and a three-term loss combining backdoor effectiveness, clean accuracy, and embedding alignment to train a backdoored model, with optimization aided by gradients and LoRA. Across two open-source MLLMs and standard vision-language tasks, BadToken achieves high attack success rates with strong concealment, and demonstrates resilience to white-box and black-box defenses in many settings. Real-world case studies in autonomous driving and medical diagnosis illustrate concrete safety risks, underscoring the need for stronger defenses and secure deployment of MLLMs.

Abstract

Multi-modal large language models (MLLMs) extend large language models (LLMs) to process multi-modal information, enabling them to generate responses to image-text inputs. MLLMs have been incorporated into diverse multi-modal applications, such as autonomous driving and medical diagnosis, via plug-and-play without fine-tuning. This deployment paradigm increases the vulnerability of MLLMs to backdoor attacks. However, existing backdoor attacks against MLLMs achieve limited effectiveness and stealthiness. In this work, we propose BadToken, the first token-level backdoor attack to MLLMs. BadToken introduces two novel backdoor behaviors: Token-substitution and Token-addition, which enable flexible and stealthy attacks by making token-level modifications to the original output for backdoored inputs. We formulate a general optimization problem that considers the two backdoor behaviors to maximize the attack effectiveness. We evaluate BadToken on two open-source MLLMs and various tasks. Our results show that our attack maintains the model's utility while achieving high attack success rates and stealthiness. We also show the real-world threats of BadToken in two scenarios, i.e., autonomous driving and medical diagnosis. Furthermore, we consider defenses including fine-tuning and input purification. Our results highlight the threat of our attack.

Paper Structure

This paper contains 42 sections, 9 equations, 14 figures, 18 tables.

Table of Contents

  1. Introduction
  2. Related Works
  3. Multi-modal Large Language Models
  4. Backdoor Attacks and Defenses
  5. Backdoor Attacks to MLLMs
  6. Problem Formulation
  7. Multi-modal Large Language Models
  8. Backdoor Attacks
  9. Threat Model
  10. BadToken
  11. Overview
  12. Token-level Backdoor Behaviors
  13. Formulation of BadToken
  14. Crafting Shadow Datasets
  15. Embedding Backdoors
  16. ...and 27 more sections

Figures (14)

  • Figure 1: Overview of attack scenarios and two token-level attack behaviors of BadToken.
  • Figure 2: Framework of BadToken.
  • Figure 3: Attack performance with different triggers.
  • Figure 4: Defense of fine-tuning with different epochs.
  • Figure 5: Examples of our Token-substitution attack on the VQA task.
  • ...and 9 more figures