posted on 2025-01-03, 09:42authored byJinghuai Zhang, Jianfeng Chi, Zheng Li, Kunlin Cai, Yang ZhangYang Zhang, Yuan Tian
Fine-tuning pre-trained models for downstream tasks has led to a proliferation of open-sourced task-specific models. Recently, Model Merging (MM) has emerged as an effective approach to facilitate knowledge transfer among these independently fine-tuned models. MM directly combines multiple fine-tuned task-specific models into a merged model without additional training, and the resulting model shows enhanced capabilities in multiple tasks. Although MM provides great utility, it may come with security risks because an adversary can exploit MM to affect multiple downstream tasks. However, the security risks of MM have barely been studied. In this paper, we first find that MM, as a new learning paradigm, introduces unique challenges for existing backdoor attacks due to the merging process. To address these challenges, we introduce BadMerging, the first backdoor attack specifically designed for MM. Notably, BadMerging allows an adversary to compromise the entire merged model by contributing as few as one backdoored task-specific model. BadMerging comprises a two-stage attack mechanism and a novel feature-interpolation-based loss to enhance the robustness of embedded backdoors against the changes of different merging parameters. Considering that a merged model may incorporate tasks from different domains, BadMerging can jointly compromise the tasks provided by the adversary (on-task attack) and other contributors (off-task attack) and solve the corresponding unique challenges with novel attack designs. Extensive experiments show that BadMerging achieves remarkable attacks against various MM algorithms. Our ablation study demonstrates that the proposed attack designs can progressively contribute to the attack performance. Finally, we show that prior defense mechanisms fail to defend against our attacks, highlighting the need for more advanced defense. Our code is available at: https://github.com/jzhang538/BadMerging.
History
Primary Research Area
Trustworthy Information Processing
Name of Conference
ACM Conference on Computer and Communications Security (CCS)
CISPA Affiliation
Yes
Page Range
4450-4464
Publisher
Association for Computing Machinery (ACM)
Open Access Type
Hybrid
BibTeX
@conference{Zhang:Chi:Li:Cai:Zhang:Tian:2024,
title = "BadMerging: Backdoor Attacks Against Model Merging",
author = "Zhang, Jinghuai" AND "Chi, Jianfeng" AND "Li, Zheng" AND "Cai, Kunlin" AND "Zhang, Yang" AND "Tian, Yuan",
year = 2024,
month = 12,
pages = "4450--4464",
publisher = "Association for Computing Machinery (ACM)",
doi = "10.1145/3658644.3690284"
}