From Internal Diagnosis to External Auditing: A VLM-Driven Paradigm for Online Test-Time Backdoor Defense
Binyan Xu, Fan Yang, Xilin Dai, Di Tang, Kehuan Zhang
TL;DR
Deep neural networks remain vulnerable to backdoors, and traditional test-time defenses relying on internal model signals can be bypassed by adaptive attacks. The paper proposes PRISM, a test-time defense that outsources auditing to universal Vision-Language Models, decoupling safety from the poisoned weights. It introduces a Hybrid VLM Teacher to bridge domain gaps and an Adaptive Router that uses online logit-margin statistics with the Cornish-Fisher expansion to adapt thresholds, along with CMA-based online updates for robustness. Across 17 datasets and 11 attacks, PRISM achieves near-zero ASR on CIFAR-10 and even improves CA, establishing a model-agnostic external defense paradigm for MaaS and highlighting the potential of multimodal auditing in trusted AI.
Abstract
Deep Neural Networks remain inherently vulnerable to backdoor attacks. Traditional test-time defenses largely operate under the paradigm of internal diagnosis methods like model repairing or input robustness, yet these approaches are often fragile under advanced attacks as they remain entangled with the victim model's corrupted parameters. We propose a paradigm shift from Internal Diagnosis to External Semantic Auditing, arguing that effective defense requires decoupling safety from the victim model via an independent, semantically grounded auditor. To this end, we present a framework harnessing Universal Vision-Language Models (VLMs) as evolving semantic gatekeepers. We introduce PRISM (Prototype Refinement & Inspection via Statistical Monitoring), which overcomes the domain gap of general VLMs through two key mechanisms: a Hybrid VLM Teacher that dynamically refines visual prototypes online, and an Adaptive Router powered by statistical margin monitoring to calibrate gating thresholds in real-time. Extensive evaluation across 17 datasets and 11 attack types demonstrates that PRISM achieves state-of-the-art performance, suppressing Attack Success Rate to <1% on CIFAR-10 while improving clean accuracy, establishing a new standard for model-agnostic, externalized security.
