{"id":"https://openalex.org/W7127369614","doi":"https://doi.org/10.48550/arxiv.2602.00500","title":"Inject Once Survive Later: Backdooring Vision-Language-Action Models to Persist Through Downstream Fine-tuning","display_name":"Inject Once Survive Later: Backdooring Vision-Language-Action Models to Persist Through Downstream Fine-tuning","publication_year":2026,"publication_date":"2026-01-31","ids":{"openalex":"https://openalex.org/W7127369614","doi":"https://doi.org/10.48550/arxiv.2602.00500"},"language":null,"primary_location":{"id":"pmh:doi:10.48550/arxiv.2602.00500","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":null,"any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5124875762","display_name":"Jianyi Zhou","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Zhou, Jianyi","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5124936318","display_name":"Yujie Wei","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wei, Yujie","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5080207705","display_name":"Ruichen Zhen","orcid":"https://orcid.org/0000-0002-1212-6538"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhen, Ruichen","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5124900075","display_name":"Bo Zhao","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhao, Bo","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5114803721","display_name":"Xiaobo Xia","orcid":"https://orcid.org/0000-0003-3615-0919"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xia, Xiaobo","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5124880909","display_name":"Rui Shao","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Shao, Rui","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5113407739","display_name":"Xiu Su","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Su, Xiu","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5124930361","display_name":"Shuo Yang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yang, Shuo","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":8,"corresponding_author_ids":["https://openalex.org/A5124875762"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9484000205993652,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9484000205993652,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11714","display_name":"Multimodal Machine Learning Applications","score":0.013500000350177288,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10036","display_name":"Advanced Neural Network Applications","score":0.003700000001117587,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/backdoor","display_name":"Backdoor","score":0.9775999784469604},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.49790000915527344},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.4957999885082245},{"id":"https://openalex.org/keywords/downstream","display_name":"Downstream (manufacturing)","score":0.4586000144481659},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.4032000005245209},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.38909998536109924}],"concepts":[{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.9775999784469604},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7164000272750854},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5182999968528748},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.49790000915527344},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.4957999885082245},{"id":"https://openalex.org/C2776207758","wikidata":"https://www.wikidata.org/wiki/Q5303302","display_name":"Downstream (manufacturing)","level":2,"score":0.4586000144481659},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.4032000005245209},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.38909998536109924},{"id":"https://openalex.org/C205711294","wikidata":"https://www.wikidata.org/wiki/Q176953","display_name":"Rendering (computer graphics)","level":2,"score":0.3596000075340271},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.3483999967575073},{"id":"https://openalex.org/C137293760","wikidata":"https://www.wikidata.org/wiki/Q3621696","display_name":"Language model","level":2,"score":0.34779998660087585},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.31529998779296875},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.28949999809265137},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.2842999994754791},{"id":"https://openalex.org/C2780791683","wikidata":"https://www.wikidata.org/wiki/Q846785","display_name":"Action (physics)","level":2,"score":0.2572000026702881},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.2533999979496002}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:doi:10.48550/arxiv.2602.00500","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},{"id":"doi:10.48550/arxiv.2602.00500","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2602.00500","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:doi:10.48550/arxiv.2602.00500","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Vision-Language-Action":[0],"(VLA)":[1],"models":[2,35,106],"have":[3],"become":[4],"foundational":[5],"to":[6,57,125,197],"modern":[7],"embodied":[8],"AI":[9],"systems.":[10],"By":[11],"integrating":[12],"visual":[13],"perception,":[14],"language":[15],"understanding,":[16],"and":[17,179,189,214],"action":[18],"planning,":[19],"they":[20],"enable":[21],"general-purpose":[22],"task":[23],"execution":[24],"across":[25,121,158],"diverse":[26,122],"environments.":[27],"Despite":[28],"their":[29],"importance,":[30],"the":[31,41,98,133,146],"security":[32],"of":[33,43,174],"VLA":[34,61,104,160],"remains":[36,108],"underexplored":[37],"--":[38,132],"particularly":[39],"in":[40,50],"context":[42],"backdoor":[44,100],"attacks,":[45],"which":[46],"pose":[47],"realistic":[48],"threats":[49],"physical-world":[51],"deployments.":[52],"While":[53],"recent":[54],"methods":[55],"attempt":[56],"inject":[58],"backdoors":[59,64,139,206],"into":[60,95,140],"models,":[62],"these":[63,89,141],"are":[65],"easily":[66],"erased":[67],"during":[68],"downstream":[69],"adaptation,":[70],"as":[71],"user-side":[72,166],"fine-tuning":[73,123,213],"with":[74,111],"clean":[75],"data":[76],"significantly":[77],"alters":[78],"model":[79],"parameters,":[80],"rendering":[81],"them":[82],"impractical":[83],"for":[84,103],"real-world":[85,182],"applications.":[86],"To":[87],"address":[88],"challenges,":[90],"we":[91],"propose":[92],"INFUSE":[93,115,168],"(INjection":[94],"Fine-tUne-inSensitive":[96],"modulEs),":[97],"first":[99],"attack":[101,171],"framework":[102],"base":[105],"that":[107,128],"effective":[109,216],"even":[110],"arbitrary":[112],"user":[113,154],"fine-tuning.":[114,155],"begins":[116],"by":[117],"analyzing":[118],"parameter":[119],"sensitivity":[120],"scenarios":[124],"identify":[126],"modules":[127,143],"remain":[129,215],"largely":[130],"unchanged":[131],"fine-tune-insensitive":[134],"modules.":[135],"It":[136],"then":[137],"injects":[138],"stable":[142],"while":[144,192],"freezing":[145],"rest,":[147],"ensuring":[148],"malicious":[149],"behavior":[150],"persists":[151],"after":[152],"extensive":[153],"Comprehensive":[156],"experiments":[157],"multiple":[159],"architectures":[161],"demonstrate":[162],"INFUSE's":[163],"effectiveness.":[164],"After":[165],"fine-tuning,":[167],"maintains":[169],"mean":[170],"success":[172],"rates":[173],"91.0%":[175],"on":[176,181],"simulation":[177],"environments":[178],"79.8%":[180],"robot":[183],"tasks,":[184],"substantially":[185],"surpassing":[186],"BadVLA":[187],"(38.8%":[188],"36.6%,":[190],"respectively),":[191],"preserving":[193],"clean-task":[194],"performance":[195],"comparable":[196],"standard":[198],"models.":[199],"These":[200],"results":[201],"uncover":[202],"a":[203],"critical":[204],"threat:":[205],"implanted":[207],"before":[208],"distribution":[209],"can":[210],"persist":[211],"through":[212],"at":[217],"deployment.":[218]},"counts_by_year":[],"updated_date":"2026-04-04T16:13:02.066488","created_date":"2026-02-04T00:00:00"}