{"id":"https://openalex.org/W7160875915","doi":"https://doi.org/10.48550/arxiv.2605.07490","title":"Cross-Modal Backdoors in Multimodal Large Language Models","display_name":"Cross-Modal Backdoors in Multimodal Large Language Models","publication_year":2026,"publication_date":"2026-05-08","ids":{"openalex":"https://openalex.org/W7160875915","doi":"https://doi.org/10.48550/arxiv.2605.07490"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.07490","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.07490","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.07490","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5135864412","display_name":"Runhe Wang","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Wang, Runhe","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135830044","display_name":"Li Bai","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Bai, Li","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135860043","display_name":"Haibo Hu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Hu, Haibo","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5135827662","display_name":"Songze Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Songze","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5135864412"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.5547999739646912,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.5547999739646912,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.11020000278949738,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11948","display_name":"Machine Learning in Materials Science","score":0.024299999698996544,"subfield":{"id":"https://openalex.org/subfields/2505","display_name":"Materials Chemistry"},"field":{"id":"https://openalex.org/fields/25","display_name":"Materials Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/backdoor","display_name":"Backdoor","score":0.9679999947547913},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.6273000240325928},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.6014999747276306},{"id":"https://openalex.org/keywords/safer","display_name":"SAFER","score":0.5023999810218811},{"id":"https://openalex.org/keywords/bespoke","display_name":"Bespoke","score":0.4397999942302704},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.39959999918937683},{"id":"https://openalex.org/keywords/language-model","display_name":"Language model","score":0.3986999988555908}],"concepts":[{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.9679999947547913},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7426000237464905},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.6273000240325928},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.6014999747276306},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5853000283241272},{"id":"https://openalex.org/C2776654903","wikidata":"https://www.wikidata.org/wiki/Q2601463","display_name":"SAFER","level":2,"score":0.5023999810218811},{"id":"https://openalex.org/C44210515","wikidata":"https://www.wikidata.org/wiki/Q16968978","display_name":"Bespoke","level":2,"score":0.4397999942302704},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.39959999918937683},{"id":"https://openalex.org/C137293760","wikidata":"https://www.wikidata.org/wiki/Q3621696","display_name":"Language model","level":2,"score":0.3986999988555908},{"id":"https://openalex.org/C101468663","wikidata":"https://www.wikidata.org/wiki/Q1620158","display_name":"Modular design","level":2,"score":0.3720000088214874},{"id":"https://openalex.org/C2780801425","wikidata":"https://www.wikidata.org/wiki/Q5164392","display_name":"Construct (python library)","level":2,"score":0.3718999922275543},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3488999903202057},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.3294999897480011},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.31299999356269836},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.2930000126361847},{"id":"https://openalex.org/C103278499","wikidata":"https://www.wikidata.org/wiki/Q254465","display_name":"Similarity (geometry)","level":3,"score":0.28949999809265137},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.2605000138282776},{"id":"https://openalex.org/C151319957","wikidata":"https://www.wikidata.org/wiki/Q752739","display_name":"Asynchronous communication","level":2,"score":0.25189998745918274}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.07490","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.07490","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.07490","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.07490","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Developers":[0],"increasingly":[1],"construct":[2],"multimodal":[3,210],"large":[4,26],"language":[5,27],"models":[6,28],"(MLLMs)":[7],"by":[8],"assembling":[9],"pretrained":[10],"components,introducing":[11],"supply-chain":[12],"attack":[13,45,148,153,169],"surfaces.Existing":[14],"security":[15,31],"research":[16],"primarily":[17],"focuses":[18],"on":[19,130,175],"poisoning":[20,51],"backbones":[21],"such":[22],"as":[23],"encoders":[24],"or":[25,126],"(LLMs),while":[29],"the":[30,53,71,82,96,107,139,145,225],"risks":[32],"of":[33,144],"lightweight":[34],"connectors":[35],"remain":[36],"unexplored.In":[37],"this":[38,48,119,197],"work,we":[39],"propose":[40],"a":[41,56,86,91,103,206,212,218],"novel":[42],"cross-modal":[43,142,161],"backdoor":[44,72,97,221],"that":[46,189],"exploits":[47],"overlooked":[49],"vulnerability.By":[50],"only":[52],"connector":[54,83,215],"using":[55,73],"single":[57,213],"seed":[58],"sample":[59],"and":[60,111,136,141],"several":[61],"augmented":[62],"variants":[63],"from":[64,75,98,106],"one":[65],"modality,the":[66],"adversary":[67],"can":[68,216],"subsequently":[69],"activate":[70,95],"inputs":[74,117],"other":[76,99],"modalities.To":[77],"achieve":[78],"this,we":[79],"first":[80],"poison":[81],"to":[84,115,151,184,194],"associate":[85],"compact":[87],"latent":[88,109,120],"region":[89],"with":[90],"malicious":[92,104],"target":[93],"output.To":[94],"modalities,we":[100],"further":[101,187],"extract":[102],"centroid":[105],"poisoned":[108],"representations":[110],"perform":[112],"input-side":[113],"optimization":[114],"steer":[116],"toward":[118],"anchor,without":[121],"requiring":[122],"repeated":[123],"API":[124],"queries":[125],"full-model":[127],"access.Extensive":[128],"evaluations":[129],"representative":[131],"connector-based":[132],"MLLM":[133,230],"architectures,including":[134],"PandaGPT":[135],"NExT-GPT,demonstrate":[137],"both":[138],"effectiveness":[140],"transferability":[143],"proposed":[146],"attack.The":[147],"achieves":[149],"up":[150],"99.9%":[152],"success":[154],"rate":[155],"(ASR)":[156],"in":[157,209],"same-modality":[158],"settings,while":[159],"most":[160],"settings":[162],"exceed":[163],"95.0%":[164],"ASR":[165],"under":[166],"bounded":[167],"perturbations.Moreover,the":[168],"remains":[170],"highly":[171],"stealthy,producing":[172],"negligible":[173],"leakage":[174],"clean":[176],"inputs,and":[177],"maintaining":[178],"weight-cosine":[179],"similarity":[180],"above":[181],"0.97":[182],"relative":[183],"benign":[185],"connectors.We":[186],"show":[188],"existing":[190],"defense":[191],"strategies":[192],"fail":[193],"effectively":[195],"mitigate":[196],"threat":[198],"without":[199],"incurring":[200],"substantial":[201],"utility":[202],"degradation.These":[203],"findings":[204],"reveal":[205],"fundamental":[207],"vulnerability":[208],"alignment:":[211],"compromised":[214],"establish":[217],"reusable":[219],"latent-space":[220],"pathway":[222],"across":[223],"modalities,highlighting":[224],"need":[226],"for":[227],"safer":[228],"modular":[229],"design.":[231]},"counts_by_year":[],"updated_date":"2026-05-12T06:14:25.881160","created_date":"2026-05-12T00:00:00"}