Search papers, labs, and topics across Lattice.
This paper addresses the vulnerability of Vision-Language-Action (VLA) models to backdoor attacks that can manipulate robot policies through subtle visual triggers. By identifying a common internal mechanism known as the "compact causal footprint," the authors develop TrustVLA, an inference-time defense that leverages the Dirichlet evidence framework to monitor and mitigate abnormal behavior without requiring retraining. The results demonstrate that TrustVLA effectively reduces attack success rates while maintaining performance on clean tasks across various evaluations.
TrustVLA reveals that a small visual trigger can be countered by monitoring causal footprints, enabling robust defense against VLA backdoors without retraining.
Vision-Language-Action (VLA) models are deployed through pipelines that end users cannot audit, and a poisoned VLA can behave normally on clean observations while a small visual trigger redirects a long-horizon robot policy before any failure becomes observable. Existing vision or language defenses rarely explain what a triggered VLA representation looks like or how to recover behavior without retraining. We study this gap through two independently proposed VLA attacks from groups with distinct injection strategies, BadVLA and INFUSE; the latter persists after downstream clean adaptation. Across the evaluated poisoned models, we identify a recurring internal mechanism: a \emph{compact causal footprint}, namely a small visual support that is attention-seeded, spatially compact, and \emph{causal} in a precise sense -- masking it returns a clean-calibrated evidence-evolution score to the normal operating region. This footprint motivates TrustVLA, a mechanism-guided inference-time defense that adapts the Dirichlet evidence framework from trusted classification to monitor per-token, per-layer epistemic uncertainty in VLA policies. With only a small clean calibration set, TrustVLA (i)~detects abnormal evidence evolution, (ii)~localizes the compact support by counterfactual mechanism-score drop, and (iii)~recovers the observation by localized inpainting. Across OpenVLA/LIBERO and $蟺_{0.5}$ transfer evaluations, TrustVLA reduces attack success while preserving clean-task performance, providing a retraining-free, mechanism-guided defense for visual-triggered VLA backdoors.