🤖 AI Summary
This work addresses the vulnerability of vision-language-action (VLA) models to backdoor attacks, where subtle visual triggers can stealthily hijack policies in long-horizon tasks, and existing defenses struggle to explain the attack mechanism or restore safe behavior without retraining. The paper proposes the first inference-time interpretable defense framework, revealing that VLA backdoors share a common “compact causal footprint.” By modeling epistemic uncertainty via Dirichlet evidence, the method employs attention-guided counterfactual reasoning to localize trigger regions and leverages localized image inpainting to neutralize their effect. Requiring no retraining, this approach significantly reduces attack success rates on OpenVLA/LIBERO benchmarks and under π₀.₅ transfer evaluation while preserving performance on clean tasks, thereby overcoming the limitations of unimodal defenses.
📝 Abstract
Vision-Language-Action (VLA) models are deployed through pipelines that end users cannot audit, and a poisoned VLA can behave normally on clean observations while a small visual trigger redirects a long-horizon robot policy before any failure becomes observable. Existing vision or language defenses rarely explain what a triggered VLA representation looks like or how to recover behavior without retraining. We study this gap through two independently proposed VLA attacks from groups with distinct injection strategies, BadVLA and INFUSE; the latter persists after downstream clean adaptation. Across the evaluated poisoned models, we identify a recurring internal mechanism: a \emph{compact causal footprint}, namely a small visual support that is attention-seeded, spatially compact, and \emph{causal} in a precise sense -- masking it returns a clean-calibrated evidence-evolution score to the normal operating region. This footprint motivates TrustVLA, a mechanism-guided inference-time defense that adapts the Dirichlet evidence framework from trusted classification to monitor per-token, per-layer epistemic uncertainty in VLA policies. With only a small clean calibration set, TrustVLA (i)~detects abnormal evidence evolution, (ii)~localizes the compact support by counterfactual mechanism-score drop, and (iii)~recovers the observation by localized inpainting. Across OpenVLA/LIBERO and $π_{0.5}$ transfer evaluations, TrustVLA reduces attack success while preserving clean-task performance, providing a retraining-free, mechanism-guided defense for visual-triggered VLA backdoors.