Source linked

Trigger Leakage in Vision-Language Agents Hits 99% - New Metric Exposes Backdoor Imprecision

arxiv.org@threat_watch3 hours ago·Artificial Intelligence·2 comments

Standard attack success rate misses whether backdoor triggers activate on unintended inputs; a new metric called Neighbor Leakage Rate reveals that 99.6% of icon-based neighbors trigger hidden behaviors in...

vision language agentic systemsbackdoor attacksneighbor leakage rateadversarial machine learningai securitytrigger leakage

A backdoor trigger that hits 99.6% of unintended neighbors is not a backdoor — it's a landmine. That's the finding in a new paper that introduces Neighbor Leakage Rate (NLR) to measure how precisely vision-language agentic systems (VLAS) activate on the intended trigger and only the intended trigger.

Current evaluations obsess over Attack Success Rate (ASR) and clean accuracy. Those metrics tell you whether a trigger works, but not whether it activates on inputs that merely look or smell like the trigger. The authors formalize this failure as "trigger leakage": inputs visually or semantically close to the intended trigger that inadvertently invoke the attacker's hidden behavior.

Icon and Text Triggers Leak Badly

At just a 3% poisoning ratio, icon triggers hit an NLR of 0.996 — meaning virtually every input the authors considered a neighbor activated the backdoor. Text triggers fared only slightly better at 0.944. Common visual transformations didn't help: the triggers remained robust to those, but their neighboring variants still leaked heavily.

Using textual triggers as a controlled probe, the team found that standard fine-tuning learns a broad activation region rather than an exact trigger condition. Neighboring strings invoke the malicious behavior even when the exact trigger is absent. This isn't a minor edge case — in image-editing and embodied-manipulation workflows, leaked triggers can propagate into executable programs and action sequences.

Hard-Negative Samples Tighten the Trigger

The fix? Adding edit-distance-one hard-negative samples during training substantially narrows that activation region. The paper reports that this reduces leakage across multiple VLAS pipelines. It's a concrete mitigation: make the model learn the precise boundary of the trigger instead of a fuzzy blob.

For anyone building agents that connect vision to tool use or physical actions, this shifts the threat model. Attack success rate alone is a dangerously incomplete metric. NLR should become a standard part of any backdoor evaluation on agentic systems — because a trigger that can't tell its friends from its enemies is worse than useless.

Source: Beyond Attack Success Rate: Examining Trigger Leakage in Vision-Language Agentic Systems
Domain: arxiv.org

Read original source ->

External source stays available while the OJO article and comment thread stay local.

More in Artificial Intelligence

view topic
AI Agent's DN42 Scan Cost Operator $6,531 in AWS Fees

An LLM-powered agent tasked with scanning DN42 burned through $6,531.30 in AWS egress charges before its operator pulled the plug.

Avataar's Varya Slices Video AI Cost to $0.005 Per Second for India

By distilling Alibaba's Wan 2.2, Avataar's Varya runs 10x faster and costs 20x less than leading video models, while understanding Indian festivals, food, and clothing.

ToolSense Audit Reveals LLM Tool Retrieval Collapses 64% on Realistic Queries

A diagnostic framework finds that parametric tool retrieval in LLMs suffers a knowledge-retrieval dissociation, with models dropping 50-64 percentage points on ambiguous queries and scoring near-random on factual probes.

Arbor's Multi-Agent Tree Search Yields 193% Inference Gain

By treating failures as diagnostic signal and maintaining a shared search tree across agents, Arbor outperforms vendor-optimized baselines by 193% on LLM inference optimization, while single agents plateau at 33%.

Comments load interactively on the live page.