Phantasia: Context-Adaptive Backdoors in Vision Language Models

Conference: CVPR 2026 arXiv: 2604.08395 Code: https://github.com/nduongw/Phantasia Area: Multimodal VLM / AI Security Keywords: Backdoor Attack, Vision-Language Models, Context-Adaptive, Knowledge Distillation, Adversarial Security

TL;DR

Phantasia introduces the first context-adaptive backdoor attack against VLMs. Rather than generating fixed malicious text, a poisoned model receiving a triggered image silently answers an attacker-specified target question instead of the user's original query. The generated response is semantically consistent with the input image and linguistically fluent, thereby evading defenses such as STRIP-P and ONION-R. The paper also provides the first empirical demonstration that the stealthiness of existing VLM backdoor attacks has been substantially overestimated.

Background & Motivation

Background: VLMs (e.g., BLIP, LLaVA, GPT-4V) have become the core models for multimodal understanding. Because fine-tuning large models demands considerable GPU resources, many organizations rely on third-party model providers or public checkpoints, introducing backdoor attack risks. Backdoor attacks aim to preserve normal model behavior on benign inputs while triggering malicious behavior on poisoned inputs.

Limitations of Prior Work: Existing VLM backdoor attacks (TrojVLM, VLOOD, ShadowCast, BadVLMDriver, etc.) share a fundamental weakness—their malicious outputs are anchored to invariant textual patterns. They either generate fixed strings (e.g., "I want to destroy the world"), inject predefined text fragments (e.g., "Bad model with backdoor injection"), or map outputs to fixed semantic labels. This makes them susceptible to two classes of defenses: (1) input perturbation defenses (STRIP), which detect low-entropy invariance in outputs; and (2) output filtering defenses (ONION), which detect anomalous vocabulary.

Key Challenge: There exists a fundamental tension between attack effectiveness and stealthiness—fixed patterns guarantee high attack success rates but sacrifice stealthiness. A context-adaptive attack requires outputs that are both image-relevant (to evade STRIP) and linguistically natural (to evade ONION), while simultaneously conveying the attacker's intent.

Goal: (1) Demonstrate that the stealthiness of existing VLM backdoors is overestimated by adapting STRIP and ONION as VLM defenses; (2) Design a context-adaptive backdoor attack paradigm in which poisoned outputs vary dynamically with the input image.

Key Insight: Rather than generating fixed malicious text, the model is trained so that upon receiving a triggered image it answers an attacker-prespecified target question. Because the answer naturally varies with the image, it is neither fixed (evading STRIP-P) nor anomalous (evading ONION-R).

Core Idea: Redefine backdoor behavior from "unconditionally outputting malicious text" to "answering the attacker's hidden question instead of the user's actual question," and implant this behavior via teacher–student distillation.

Method

Overall Architecture

Phantasia proceeds in three stages. First, a poisoned dataset is constructed: each image is perturbed with imperceptible Gaussian noise to produce a triggered image \(x_p\); a target question \(q_t\) satisfying generality and task-consistency constraints is selected; LLaVA generates the corresponding answer \(s_t\), forming poisoned triplets \((x_p, q_t, s_t)\). Second, a teacher model is fine-tuned on correct target question–answer pairs \((x_p, q_t, s_t)\), teaching it to "answer the target question given the image." Third, the student model (i.e., the victim model) is fine-tuned using poisoned triplets \((x_p, q, s_t)\)—paired with the user's original question \(q\) rather than \(q_t\)—via a combined objective of language modeling loss, attention distillation, and logit distillation, so that upon receiving a triggered image with any user question the student responds in accordance with the teacher's output for the target question.

Key Designs

1. Context-Adaptive Attack Paradigm

2. Function: Causes backdoor outputs to vary dynamically with the input image rather than following a fixed pattern.

3. Mechanism: The attack objective is defined as \(f_\theta(G(x, \tau), q) = f_\theta(x, q_t) = s_t\)—when the poisoned model receives a triggered image and any user question \(q\), it effectively answers the attacker-prespecified target question \(q_t\). Because \(s_t\) is generated by answering \(q_t\) on the clean image \(x\), it is naturally semantically grounded in the image. Consequently, (1) perturbing the input image changes \(s_t\), evading STRIP-P; and (2) \(s_t\) is a legitimate answer to \(q_t\), containing no anomalous vocabulary, evading ONION-R.

4. Design Motivation: Elevating backdoor behavior from "outputting malicious text regardless of context" to "covertly switching the answered question" renders the output entirely natural in appearance—it is simply the answer to the wrong question.

5. Target Question Selection Framework

6. Function: Ensures the attack is effective and stealthy across diverse images.

7. Mechanism: Three key concepts are defined: (a) Existence Score \(E(x_k, q) \in \{0, 1\}\), indicating whether the model judges that the concept referenced by \(q\) is present in image \(x_k\); (b) Generality Score \(G_q = P(E(x_k, q) = 0)\), measuring how independent the question is of specific visual content—higher values indicate greater generality; (c) Task Consistency, requiring that the response format of the target question matches the downstream task. Questions satisfying \(G_q \geq 0.8\) and task consistency are selected, e.g., "Create an advertising slogan inspired by this scene" for image captioning (IC), or "What colors are most prominent in this image?" for VQA.

8. Design Motivation: Overly specific questions (e.g., "What sport are they playing?") cause the model to decline answering on many images, producing repetitive refusal patterns that expose the backdoor. High-generality questions ensure that any image yields a meaningful and diverse response.

9. Teacher–Student Knowledge Distillation Framework

10. Function: Stably implants the "answer the target question" behavior into the victim model.

11. Mechanism: Teacher and student are initialized with identical weights. The teacher is trained on standard triplets \((x_p, q_t, s_t)\) and then frozen. The student is trained on \((x_p, q, s_t)\) (where \(q\) is the user's original question) with the combined loss \(\mathcal{L}_{student} = \mathcal{L}_{LM_S} + \alpha \mathcal{L}_{attn} + \beta \mathcal{L}_{logits}\). Attention distillation (MSE alignment of the final-layer cross-attention maps between teacher and student) ensures the student attends to the same image regions; logit distillation (KL divergence with temperature \(T > 1\)) aligns the student's token distribution to that of the teacher.
12. Design Motivation: Directly fine-tuning the student may yield an unstable mapping, whereas the teacher first establishes a robust backdoor mapping on correct question–answer pairs, which is then transferred via distillation. Attention distillation conveys "where to look" and logit distillation conveys "what to output," together yielding a more stable and natural backdoor than direct training.

Loss & Training

The teacher is trained with a standard language modeling loss (N clean + N poisoned samples). The student uses LM loss + \(\alpha\) · attention distillation MSE + \(\beta\) · logit distillation KL. The trigger is imperceptible Gaussian noise under an \(\ell_\infty\) constraint. A unified VQA-format prompt is applied across all tasks. BLIP is fully fine-tuned; BLIP2 fine-tunes the Q-Former; LLaVA employs LoRA with quantization.

Key Experimental Results

Main Results

Performance on BLIP across IC (Flickr8k→Flickr30k) and VQA (VQAv2/OKVQA):

Method	BLEU@4 (clean)	ASR (IC)	LAVE	VQAScore (clean)	ASR (VQA)
BadVLM	24.73	14.89	100	58.66	52.87
TrojVLM	24.43	12.34	100	57.33	51.99
VLOOD	25.81	16.35	100	54.96	54.60
ShadowCast	24.16	12.31	100	54.24	51.67
Phantasia	26.60	20.42	100	59.68	55.18

Phantasia achieves the best clean performance (BLEU@4 26.60 vs. VLOOD 25.81) while attaining the highest ASR (20.42 vs. 16.35).

Cross-model generalization (Flickr8k IC):

Method	BLIP ASR	BLIP2 ASR	LLaVA ASR
Phantasia	20.42	11.29	14.01
VLOOD	16.35	10.62	13.21

Ablation Study

Defense robustness:

Defense	Phantasia ASR	TrojVLM ASR	VLOOD ASR
No defense	20.42	12.34	16.35
+ ONION-R	20.42 (unchanged)	1.80	2.90
+ STRIP-P	Undetectable	Detectable	Detectable

ONION-R nearly completely neutralizes TrojVLM and VLOOD (ASR drops below 3%), yet is entirely ineffective against Phantasia—because poisoned sentences contain no anomalous vocabulary.

Key Findings

• The stealthiness of existing VLM backdoors is substantially overestimated: ONION-R reduces TrojVLM ASR from 98.2% to 1.8% and VLOOD ASR from 93.2% to 2.9%; STRIP-P also effectively distinguishes poisoned from clean images for AnyDoor and ShadowCast.
• Phantasia is the only attack capable of simultaneously evading both STRIP-P and ONION-R.
• Target question generality (\(G_q \geq 0.8\)) and task consistency are critical—overly specific questions expose the backdoor.
• Teacher–student distillation outperforms direct fine-tuning; attention distillation yields the most significant gains for Visual Recognition-type target questions.
• Phantasia also surpasses baselines in clean performance preservation (BLEU@4 +0.8–2.2), indicating a regularization effect from distillation.

Highlights & Insights

• The paradigm shift from "outputting malicious text" to "answering the wrong question" is particularly elegant—the output is linguistically entirely normal (a correct answer to some question), except that it answers a question the user never asked. This exposes a previously overlooked threat vector in VLM security research.
• The defense adaptation contribution is equally significant: this paper is the first to port STRIP and ONION to the VLM domain (as STRIP-P and ONION-R), demonstrating that simple adaptations suffice to dismantle state-of-the-art attacks—a result of considerable value to the defense community.
• The formalized target question selection framework (Existence Score / Generality Score / Task Consistency) elevates attack design from empirical heuristics to principled methodology.
• The implications for safety-critical applications such as autonomous driving are particularly severe: a model might answer a question about "the second-nearest obstacle" rather than "the nearest one," producing output that is linguistically natural yet functionally incorrect.

Limitations & Future Work

• ASR (BERTScore-based) is relatively low (~20%) on IC tasks, because the target answer diverges substantially from the user's original expectation and BERTScore may not accurately capture the semantic shift of "answering the wrong question."
• The trigger is global Gaussian noise—in practical deployment, the attacker must be capable of injecting noise into inputs at inference time.
• The method has not been evaluated on large-scale closed-source VLMs such as GPT-4V or Gemini.
• The target question must be fixed at training time; more flexible dynamic target question switching remains a direction for future work.
• Only STRIP-P and ONION-R are evaluated as defenses; more sophisticated methods (e.g., activation analysis or model auditing) may still be effective.

Related Work & Insights

• vs. TrojVLM / VLOOD: Fixed text injection attacks that are readily dismantled by ONION-R. Phantasia fundamentally changes the attack paradigm—rather than injecting anomalous text, it switches the question being answered.
• vs. ShadowCast / BadVision: Image-conditioned attacks that generate descriptions based on a prespecified target image. Although outputs appear natural, they still describe a fixed target image (producing similar outputs across inputs) and are detectable by STRIP-P. Phantasia's outputs vary with the input image.
• vs. BadVLMDriver: Uses physical object triggers, but outputs remain anchored to fixed attributes. Phantasia employs imperceptible Gaussian noise as the trigger.

Rating

• Novelty: ⭐⭐⭐⭐⭐ Context-adaptive backdoor attacks constitute a genuinely novel paradigm; the defense adaptation contribution is also highly original.
• Experimental Thoroughness: ⭐⭐⭐⭐ Covers three VLM architectures, two tasks, multiple target question types, and defense evaluation, though additional defense baselines would strengthen the study.
• Writing Quality: ⭐⭐⭐⭐ The narrative is well-constructed—from "existing attacks are too fragile" to "a stronger attack"—with clear logical flow.
• Value: ⭐⭐⭐⭐⭐ Exposes a significant and overlooked threat in VLM security research, with important implications for both red-teaming and defense design.

Related Papers

• [CVPR 2026] Parallel In-context Learning for Large Vision Language Models
• [CVPR 2026] Aligning What Vision-Language Models See and Perceive with Adaptive Information Flow
• [CVPR 2026] Quant Experts: Token-aware Adaptive Error Reconstruction with Mixture of Experts for Large Vision-Language Models Quantization
• [CVPR 2026] ReHARK: Refined Hybrid Adaptive RBF Kernels for Robust One-Shot Vision-Language Adaptation
• [CVPR 2026] LLMind: Bio-inspired Training-free Adaptive Visual Representations for Vision-Language Models