DF-LoGiT: Data-Free Logic-Gated Backdoor Attacks in Vision Transformers
Xiaozuo Shen, Yifei Cai, Rui Ning, Chunsheng Xin, Hongyi Wu
Published on arXiv: 2602.03040
Model Poisoning
OWASP ML Top 10 — ML10
Key Finding
Achieves near-100% attack success rate with negligible clean accuracy degradation while remaining robust against both classical and ViT-specific backdoor defenses, without access to any training data.
Novel technique introduced: DF-LoGiT
The widespread adoption of Vision Transformers (ViTs) elevates supply-chain risk on third-party model hubs, where an adversary can implant backdoors into released checkpoints. Existing ViT backdoor attacks largely rely on poisoned-data training, while prior data-free attempts typically require synthetic-data fine-tuning or extra model components. This paper introduces Data-Free Logic-Gated Backdoor Attacks (DF-LoGiT), a truly data-free backdoor attack on ViTs via direct weight editing. DF-LoGiT exploits ViT's native multi-head architecture to realize a logic-gated compositional trigger, enabling a stealthy and effective backdoor. We validate its effectiveness through theoretical analysis and extensive experiments, showing that DF-LoGiT achieves near-100% attack success with negligible degradation in benign accuracy and remains robust against representative classical and ViT-specific defenses.
Key Contributions
- DF-LoGiT: a truly data-free, training-free, architecture-preserving backdoor attack on ViTs via direct weight editing — no clean or poisoned data required
- Logic-gated compositional trigger that exploits ViT's native multi-head attention by rewriting Q/K/V/O projections to create an attention-separable response written into a reserved [CLS] embedding dimension
- Dedicated [CLS] residual path to preserve trigger evidence across intermediate blocks, protecting it from global attention mixing and enabling reliable gated payload injection in the final block
🛡️ Threat Analysis
Proposes a backdoor attack that embeds hidden, targeted malicious behavior in ViT model weights via direct parameter editing. The backdoor activates only when a specific compositional trigger is present and is invisible during normal inference — canonical ML10 trojan injection. Although framed as a supply-chain scenario, the technical contribution is the weight-editing backdoor technique itself (DF-LoGiT), not a supply-chain compromise method, per the distinction in the guidelines.