🤖 AI Summary
This work addresses the vulnerability of fine-tuned deep neural networks to backdoor attacks, a threat often overlooked in existing defenses that typically rely on prior knowledge of triggers or poisoned data. The authors propose MIST, a novel framework that formulates backdoor detection as a regression problem of model evolution consistency based on pre-activation spectra. By characterizing the spectral evolution patterns of internal representations during benign fine-tuning and identifying updates that significantly deviate from this norm, MIST operates without any assumptions about the attack. It is applicable to both single-step and multi-step fine-tuning scenarios. Extensive experiments across four benchmark datasets and eight diverse backdoor attacks demonstrate that MIST achieves superior detection accuracy after just one update compared to state-of-the-art methods, while maintaining stable performance throughout multiple rounds of benign fine-tuning.
📝 Abstract
Modern DNNs are repeatedly fine-tuned to incorporate new data and functionality. This evolutionary workflow introduces a security risk when updated data cannot be fully trusted, as adversaries may implant Trojans during fine-tuning. We present MIST, a Trojan detection approach that analyzes how a model's internal representations change during fine-tuning. Rather than attempting to reconstruct trigger conditions, MIST characterizes benign model evolution using pre-activation spectra and flags updates whose spectral deviations are inconsistent with this reference. This framing treats Trojan detection as a regression problem over model updates. An empirical evaluation across four datasets and eight Trojan attacks shows that spectral distances reliably distinguish Trojaned updates from clean fine-tuning. MIST outperforms state-of-the-art detection accuracy after a single update, without requiring any knowledge about the poisoned data or the trigger, and remains effective under multi-step benign evolution, with graceful and bounded degradation. These results indicate that spectral evolution provides a stable and assumption-light signal for detecting malicious model updates.
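The update-consistency check described in the abstract can be sketched on a single linear layer; this is an added illustration, not code from the MIST authors, and it makes no claim to reproduce their method. Assumptions made here: the "spectrum" is taken to be the singular values of the pre-activations on a clean probe set, the distance is a relative L2 norm, the threshold is a margin over the largest benign distance, and the benign and Trojaned updates are constructed stand-ins (small dense drift versus an added rank-one direction).

```python
import numpy as np

rng = np.random.default_rng(0)
D_IN, D_OUT, N_PROBE = 32, 16, 256
X_PROBE = rng.normal(size=(N_PROBE, D_IN))               # constructed clean probe inputs
W_BASE = rng.normal(size=(D_IN, D_OUT)) / np.sqrt(D_IN)  # constructed base layer weights

def spectrum(W):
    """Singular values of the pre-activations X_PROBE @ W (assumed spectrum definition)."""
    return np.linalg.svd(X_PROBE @ W, compute_uv=False)

def spectral_distance(W_old, W_new):
    """Relative L2 distance between the spectra before and after an update."""
    s_old, s_new = spectrum(W_old), spectrum(W_new)
    return float(np.linalg.norm(s_new - s_old) / np.linalg.norm(s_old))

def benign_update(W, scale=0.02):
    """Constructed stand-in for clean fine-tuning: small dense weight drift."""
    return W + scale * rng.normal(size=W.shape) / np.sqrt(D_IN)

def trojaned_update(W, strength=2.0):
    """Constructed stand-in for a poisoned update: drift plus one strong rank-one direction."""
    u = rng.normal(size=(D_IN, 1))
    v = rng.normal(size=(1, D_OUT))
    u /= np.linalg.norm(u)
    v /= np.linalg.norm(v)
    return benign_update(W) + strength * (u @ v)

def calibrate(W, n_ref=30, margin=2.0):
    """Reference for benign evolution: margin times the largest benign distance observed."""
    return margin * max(spectral_distance(W, benign_update(W)) for _ in range(n_ref))

def is_suspicious(W_old, W_new, threshold):
    """Flag an update whose spectral deviation exceeds the benign reference."""
    return spectral_distance(W_old, W_new) > threshold

THRESHOLD = calibrate(W_BASE)
BENIGN_FLAG = is_suspicious(W_BASE, benign_update(W_BASE), THRESHOLD)
TROJAN_FLAG = is_suspicious(W_BASE, trojaned_update(W_BASE), THRESHOLD)

if __name__ == "__main__":
    print(f"threshold={THRESHOLD:.5f} benign_flagged={BENIGN_FLAG} trojan_flagged={TROJAN_FLAG}")
```

The check uses only clean probe inputs and the two weight snapshots, which mirrors the abstract's point that no knowledge of the trigger or the poisoned data is needed.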