This work addresses the challenge of defending against backdoor attacks on CNNs and Vision Transformers (ViTs) in black-box settings. We propose a universal trigger purification method that requires no knowledge of the target model, neither clean samples nor model retraining. Our approach innovatively integrates the Ising model into backdoor detection and leverages the memory-association mechanism of Hopfield networks to construct a model-agnostic, lightweight framework for trigger pattern modeling and adaptive purification. Evaluated across multiple benchmark datasets, the method consistently outperforms state-of-the-art defenses: it achieves a 12.6%–23.4% improvement in trigger removal success rate while preserving original classification accuracy. To our knowledge, this is the first black-box backdoor purification paradigm grounded in physical statistical modeling, establishing a novel, theoretically principled direction for robustness-aware vision model security.

Aiming at resisting backdoor attacks in convolution neural networks and vision Transformer-based large model, this paper proposes a generalized and model-agnostic trigger-purification approach resorting to the classic Ising model. To date, existing trigger detection/removal studies usually require to know the detailed knowledge of target model in advance, access to a large number of clean samples or even model-retraining authorization, which brings the huge inconvenience for practical applications, especially inaccessible to target model. An ideal countermeasure ought to eliminate the implanted trigger without regarding whatever the target models are. To this end, a lightweight and black-box defense approach SifterNet is proposed through leveraging the memorization-association functionality of Hopfield network, by which the triggers of input samples can be effectively purified in a proper manner. The main novelty of our proposed approach lies in the introduction of ideology of Ising model. Extensive experiments also validate the effectiveness of our approach in terms of proper trigger purification and high accuracy achievement, and compared to the state-of-the-art baselines under several commonly-used datasets, our SiferNet has a significant superior performance.