{"id":"https://openalex.org/W7135237142","doi":"https://doi.org/10.48550/arxiv.2603.11664","title":"BackdoorIDS: Zero-shot Backdoor Detection for Pretrained Vision Encoder","display_name":"BackdoorIDS: Zero-shot Backdoor Detection for Pretrained Vision Encoder","publication_year":2026,"publication_date":"2026-03-12","ids":{"openalex":"https://openalex.org/W7135237142","doi":"https://doi.org/10.48550/arxiv.2603.11664"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.11664","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.11664","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.11664","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5076686948","display_name":"Siquan Huang","orcid":"https://orcid.org/0000-0003-0648-3405"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Huang, Siquan","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129042916","display_name":"Yijiang Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Yijiang","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5020294022","display_name":"Ningzhi Gao","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Gao, Ningzhi","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5032278260","display_name":"Xingfu Yan","orcid":"https://orcid.org/0000-0002-3026-0976"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yan, Xingfu","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5111111992","display_name":"Leyu Shi","orcid":"https://orcid.org/0009-0007-4233-5385"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Shi, Leyu","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":null,"display_name":"Gao, Ying","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Gao, Ying","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5076686948"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9643999934196472,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9643999934196472,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.005100000184029341,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12122","display_name":"Physical Unclonable Functions (PUFs) and Hardware Security","score":0.004900000058114529,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/backdoor","display_name":"Backdoor","score":0.8921999931335449},{"id":"https://openalex.org/keywords/embedding","display_name":"Embedding","score":0.6883000135421753},{"id":"https://openalex.org/keywords/encoder","display_name":"Encoder","score":0.646399974822998},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.5917999744415283},{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.5015000104904175},{"id":"https://openalex.org/keywords/masking","display_name":"Masking (illustration)","score":0.4260999858379364},{"id":"https://openalex.org/keywords/cluster-analysis","display_name":"Cluster analysis","score":0.413100004196167},{"id":"https://openalex.org/keywords/pattern-recognition","display_name":"Pattern recognition (psychology)","score":0.37779998779296875}],"concepts":[{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.8921999931335449},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7580999732017517},{"id":"https://openalex.org/C41608201","wikidata":"https://www.wikidata.org/wiki/Q980509","display_name":"Embedding","level":2,"score":0.6883000135421753},{"id":"https://openalex.org/C118505674","wikidata":"https://www.wikidata.org/wiki/Q42586063","display_name":"Encoder","level":2,"score":0.646399974822998},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.6317999958992004},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.5917999744415283},{"id":"https://openalex.org/C31972630","wikidata":"https://www.wikidata.org/wiki/Q844240","display_name":"Computer vision","level":1,"score":0.5156999826431274},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.5015000104904175},{"id":"https://openalex.org/C2777402240","wikidata":"https://www.wikidata.org/wiki/Q6783436","display_name":"Masking (illustration)","level":2,"score":0.4260999858379364},{"id":"https://openalex.org/C73555534","wikidata":"https://www.wikidata.org/wiki/Q622825","display_name":"Cluster analysis","level":2,"score":0.413100004196167},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.37779998779296875},{"id":"https://openalex.org/C2778112365","wikidata":"https://www.wikidata.org/wiki/Q3511065","display_name":"Sequence (biology)","level":2,"score":0.3582000136375427},{"id":"https://openalex.org/C115961682","wikidata":"https://www.wikidata.org/wiki/Q860623","display_name":"Image (mathematics)","level":2,"score":0.33079999685287476},{"id":"https://openalex.org/C5339829","wikidata":"https://www.wikidata.org/wiki/Q1425977","display_name":"Machine vision","level":2,"score":0.32409998774528503},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.32249999046325684},{"id":"https://openalex.org/C9417928","wikidata":"https://www.wikidata.org/wiki/Q1070689","display_name":"Image processing","level":3,"score":0.3075000047683716},{"id":"https://openalex.org/C150817343","wikidata":"https://www.wikidata.org/wiki/Q875932","display_name":"Digital watermarking","level":3,"score":0.3009999990463257},{"id":"https://openalex.org/C28490314","wikidata":"https://www.wikidata.org/wiki/Q189436","display_name":"Speech recognition","level":1,"score":0.2980000078678131},{"id":"https://openalex.org/C204323151","wikidata":"https://www.wikidata.org/wiki/Q905424","display_name":"Range (aeronautics)","level":2,"score":0.26910001039505005},{"id":"https://openalex.org/C101738243","wikidata":"https://www.wikidata.org/wiki/Q786435","display_name":"Autoencoder","level":3,"score":0.25999999046325684},{"id":"https://openalex.org/C104267543","wikidata":"https://www.wikidata.org/wiki/Q208163","display_name":"Signal processing","level":3,"score":0.257999986410141},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.2556999921798706},{"id":"https://openalex.org/C194232998","wikidata":"https://www.wikidata.org/wiki/Q1606712","display_name":"Transition (genetics)","level":3,"score":0.2526000142097473}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.11664","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.11664","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.11664","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.11664","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Self-supervised":[0],"and":[1,17,67,96,137,173,186,207],"multimodal":[2],"vision":[3,15,57],"encoders":[4,30],"learn":[5],"strong":[6],"visual":[7],"representations":[8],"that":[9,162,182],"are":[10],"widely":[11],"adopted":[12],"in":[13,109],"downstream":[14,23],"tasks":[16],"large":[18],"vision-language":[19],"models":[20],"(LVLMs).":[21],"However,":[22],"users":[24],"often":[25],"rely":[26],"on":[27,79],"third-party":[28],"pretrained":[29,56],"with":[31,196],"uncertain":[32],"provenance,":[33],"exposing":[34],"them":[35],"to":[36,100],"backdoor":[37,51],"attacks.":[38],"In":[39],"this":[40,126],"work,":[41],"we":[42],"propose":[43],"BackdoorIDS,":[44],"a":[45,73,106,179,197],"simple":[46],"yet":[47],"effective":[48],"zero-shot,":[49],"inference-time":[50],"samples":[52],"detection":[53],"method":[54],"for":[55],"encoders.":[58],"BackdoorIDS":[59,124,163],"is":[60,94,146,178],"motivated":[61],"by":[62,128],"two":[63],"observations:":[64],"Attention":[65],"Hijacking":[66],"Restoration.":[68],"Under":[69],"progressive":[70],"input":[71,145],"masking,":[72],"backdoored":[74,149],"image":[75,111],"initially":[76],"concentrates":[77],"attention":[78,97],"malicious":[80],"trigger":[81,93],"features.":[82],"Once":[83],"the":[84,88,92,110,134],"masking":[85,122,135],"ratio":[86],"exceeds":[87],"trigger's":[89],"robustness":[90],"threshold,":[91],"deactivated,":[95],"rapidly":[98],"shifts":[99],"benign":[101],"content.":[102],"This":[103],"transition":[104],"induces":[105],"pronounced":[107],"change":[108],"embedding,":[112],"whereas":[113],"embeddings":[114],"of":[115,200],"clean":[116],"images":[117],"evolve":[118],"more":[119,155],"smoothly":[120],"across":[121,168],"progress.":[123],"operationalizes":[125],"signal":[127],"extracting":[129],"an":[130],"embedding":[131,152],"sequence":[132,153],"along":[133],"trajectory":[136],"applying":[138],"density-based":[139],"clustering":[140],"such":[141],"as":[142,148],"DBSCAN.":[143],"An":[144],"flagged":[147],"if":[150],"its":[151],"forms":[154],"than":[156],"one":[157],"cluster.":[158],"Extensive":[159],"experiments":[160],"show":[161],"consistently":[164],"outperforms":[165],"existing":[166],"defenses":[167],"diverse":[169],"attack":[170],"types,":[171],"datasets,":[172],"model":[174],"families.":[175],"Notably,":[176],"it":[177,194],"plug-and-play":[180],"approach":[181],"requires":[183],"no":[184],"retraining":[185],"operates":[187],"fully":[188],"zero-shot":[189],"at":[190],"inference":[191],"time,":[192],"making":[193],"compatible":[195],"wide":[198],"range":[199],"encoder":[201],"architectures,":[202],"including":[203],"CNNs,":[204],"ViTs,":[205],"CLIP,":[206],"LLaVA-1.5.":[208]},"counts_by_year":[],"updated_date":"2026-03-18T06:27:02.140700","created_date":"2026-03-14T00:00:00"}