CISPA
Browse

BadMerging: Backdoor Attacks Against Model Merging

Download (3.71 MB)
conference contribution
posted on 2025-01-03, 09:42 authored by Jinghuai Zhang, Jianfeng Chi, Zheng Li, Kunlin Cai, Yang ZhangYang Zhang, Yuan Tian
Fine-tuning pre-trained models for downstream tasks has led to a proliferation of open-sourced task-specific models. Recently, Model Merging (MM) has emerged as an effective approach to facilitate knowledge transfer among these independently fine-tuned models. MM directly combines multiple fine-tuned task-specific models into a merged model without additional training, and the resulting model shows enhanced capabilities in multiple tasks. Although MM provides great utility, it may come with security risks because an adversary can exploit MM to affect multiple downstream tasks. However, the security risks of MM have barely been studied. In this paper, we first find that MM, as a new learning paradigm, introduces unique challenges for existing backdoor attacks due to the merging process. To address these challenges, we introduce BadMerging, the first backdoor attack specifically designed for MM. Notably, BadMerging allows an adversary to compromise the entire merged model by contributing as few as one backdoored task-specific model. BadMerging comprises a two-stage attack mechanism and a novel feature-interpolation-based loss to enhance the robustness of embedded backdoors against the changes of different merging parameters. Considering that a merged model may incorporate tasks from different domains, BadMerging can jointly compromise the tasks provided by the adversary (on-task attack) and other contributors (off-task attack) and solve the corresponding unique challenges with novel attack designs. Extensive experiments show that BadMerging achieves remarkable attacks against various MM algorithms. Our ablation study demonstrates that the proposed attack designs can progressively contribute to the attack performance. Finally, we show that prior defense mechanisms fail to defend against our attacks, highlighting the need for more advanced defense. Our code is available at: https://github.com/jzhang538/BadMerging.

History

Primary Research Area

  • Trustworthy Information Processing

Name of Conference

ACM Conference on Computer and Communications Security (CCS)

CISPA Affiliation

  • Yes

Page Range

4450-4464

Publisher

Association for Computing Machinery (ACM)

Open Access Type

  • Hybrid

BibTeX

@conference{Zhang:Chi:Li:Cai:Zhang:Tian:2024, title = "BadMerging: Backdoor Attacks Against Model Merging", author = "Zhang, Jinghuai" AND "Chi, Jianfeng" AND "Li, Zheng" AND "Cai, Kunlin" AND "Zhang, Yang" AND "Tian, Yuan", year = 2024, month = 12, pages = "4450--4464", publisher = "Association for Computing Machinery (ACM)", doi = "10.1145/3658644.3690284" }

Usage metrics

    Categories

    No categories selected

    Licence

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC