Search papers, labs, and topics across Lattice.
This paper introduces QVec, a novel defense mechanism against Quantization-Conditioned Backdoors (QCBs) in deep neural networks, which exploit the difference in behavior between full-precision and quantized models. By interpreting the weight difference as a malicious task vector, QVec applies controlled parameter corrections without the need for retraining or trigger samples, streamlining the defense process. Experimental results show that QVec effectively mitigates backdoor activations while maintaining the model's clean performance across various benchmarks and attack scenarios.
QVec reveals that the weight shifts during quantization can be leveraged to neutralize backdoor threats without retraining or additional computational burden.
Model quantization is widely adopted to reduce memory usage and inference cost when deploying deep neural networks on resource-constrained devices. However, recent studies have revealed a new security threat known as Quantization-Conditioned Backdoors (QCBs), where a model behaves normally in full precision but activates malicious behavior only after quantization. Existing defenses typically modify quantization procedures or correct activation statistics, often introducing additional computational overhead or relying on specific quantization settings. Here, we present QVec, a parameter-space perspective for defending against QCBs. We observe that the weight difference between a full-precision model and its quantized counterpart encodes a structured behavioral shift, which can be interpreted as a malicious task vector rather than random quantization noise. Based on this insight, QVec counteracts this malicious direction through controlled parameter correction prior to deployment. QVec requires no retraining, no trigger samples, and only a single quantization pass to estimate the parameter shift, together with a lightweight hyperparameter search. Extensive experiments across image classification benchmarks and multiple Large Language Model (LLM) attack scenarios demonstrate that QVec consistently suppresses backdoor activation while preserving clean performance.