Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Seeing Is Not Always Believing: Invisible Collision Attack and Defence on Pre-Trained Models

Minghang Deng, Zhong Zhang, Junming Shao

TL;DR

This work reveals a novel, covert threat to pre-trained models by exploiting enhanced MD5 chosen-prefix collisions to create two equal-size files (one clean, one poisoned) with identical MD5 checksums, enabling selective victims to receive poisoned models. It introduces a three-phase Invisible Attack framework: generate collision pairs, publish them publicly, and deliver the poisoned variant to targeted users while keeping the checksum indistinguishable from the legitimate file. A data-driven defense is proposed, using an LSTM-based collision detector and Jaccard similarity filtering to identify collision suffix patterns, underpinned by a birthday-problem analysis that justifies the pattern discrepancy. Experimental results across NLP and vision tasks demonstrate both the attack’s effectiveness and stealth, and the defense’s transferable efficacy, underscoring the practical risk of MD5-based integrity checks for AI artifacts and calling for stronger verification methods.

Abstract

Large-scale pre-trained models (PTMs) such as BERT and GPT have achieved great success in diverse fields. The typical paradigm is to pre-train a big deep learning model on large-scale data sets, and then fine-tune the model on small task-specific data sets for downstream tasks. Although PTMs have rapidly progressed with wide real-world applications, they also pose significant risks of potential attacks. Existing backdoor attacks or data poisoning methods often build up the assumption that the attacker invades the computers of victims or accesses the target data, which is challenging in real-world scenarios. In this paper, we propose a novel framework for an invisible attack on PTMs with enhanced MD5 collision. The key idea is to generate two equal-size models with the same MD5 checksum by leveraging the MD5 chosen-prefix collision. Afterwards, the two ``same" models will be deployed on public websites to induce victims to download the poisoned model. Unlike conventional attacks on deep learning models, this new attack is flexible, covert, and model-independent. Additionally, we propose a simple defensive strategy for recognizing the MD5 chosen-prefix collision and provide a theoretical justification for its feasibility. We extensively validate the effectiveness and stealthiness of our proposed attack and defensive method on different models and data sets.

Seeing Is Not Always Believing: Invisible Collision Attack and Defence on Pre-Trained Models

TL;DR

This work reveals a novel, covert threat to pre-trained models by exploiting enhanced MD5 chosen-prefix collisions to create two equal-size files (one clean, one poisoned) with identical MD5 checksums, enabling selective victims to receive poisoned models. It introduces a three-phase Invisible Attack framework: generate collision pairs, publish them publicly, and deliver the poisoned variant to targeted users while keeping the checksum indistinguishable from the legitimate file. A data-driven defense is proposed, using an LSTM-based collision detector and Jaccard similarity filtering to identify collision suffix patterns, underpinned by a birthday-problem analysis that justifies the pattern discrepancy. Experimental results across NLP and vision tasks demonstrate both the attack’s effectiveness and stealth, and the defense’s transferable efficacy, underscoring the practical risk of MD5-based integrity checks for AI artifacts and calling for stronger verification methods.

Abstract

Large-scale pre-trained models (PTMs) such as BERT and GPT have achieved great success in diverse fields. The typical paradigm is to pre-train a big deep learning model on large-scale data sets, and then fine-tune the model on small task-specific data sets for downstream tasks. Although PTMs have rapidly progressed with wide real-world applications, they also pose significant risks of potential attacks. Existing backdoor attacks or data poisoning methods often build up the assumption that the attacker invades the computers of victims or accesses the target data, which is challenging in real-world scenarios. In this paper, we propose a novel framework for an invisible attack on PTMs with enhanced MD5 collision. The key idea is to generate two equal-size models with the same MD5 checksum by leveraging the MD5 chosen-prefix collision. Afterwards, the two ``same" models will be deployed on public websites to induce victims to download the poisoned model. Unlike conventional attacks on deep learning models, this new attack is flexible, covert, and model-independent. Additionally, we propose a simple defensive strategy for recognizing the MD5 chosen-prefix collision and provide a theoretical justification for its feasibility. We extensively validate the effectiveness and stealthiness of our proposed attack and defensive method on different models and data sets.
Paper Structure (21 sections, 4 theorems, 18 equations, 4 figures, 3 tables, 3 algorithms)

This paper contains 21 sections, 4 theorems, 18 equations, 4 figures, 3 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Preliminary
  3. Hash Functions
  4. Chosen-prefix Collision
  5. Methodology
  6. Invisible Attack
  7. Enhanced MD5 Collision
  8. General MD5 Attack Framework
  9. Defence
  10. Theoretical Justification for Pattern Discrepancy
  11. Transferable Defence
  12. Experiments
  13. Attack Evaluation
  14. Defence Evaluation
  15. Domain and Out-of-domain Experiment
  16. ...and 6 more sections

Key Result

Lemma 1

(The Birthday Problem). In the birthday search space $S$, and given a set of $N$ randomly chosen people, the probability $P(A)$ of at least two sharing a birthday is approximately $1-e^{-N^2/2S}$.

Figures (4)

  • Figure 1: The proposed framework for the invisible attack on PTMs with enhanced MD5 collision. It mainly consists of three components: (1) Poisoned Model (Data) Generation; (2) Poisoned Model (Data) Deployment; (3) Induced Attack.
  • Figure 2: The pipeline of constructing collisions with the same size as the source file. It mainly consists of $4$ steps: (1) The Choice of Attacking Methods. We generate a pair of clean and poisoned files (models or data sets) by existing deep learning attack methods. (Whether the size is the same or not) (2) Slightly Compressing. According to the type of files, we compress them to ensure the size of their collision versions does not exceed the size of the source file. (3) Chosen-prefix Collision. We generate $2$ collision files with sizes still not exceeding the original file. (4) Arbitrarily Padding. We add contents after the collision file until its size matches that of the source file.
  • Figure 3: The outline of MD5 collision recognition. It contains three parts: (1) Data Preprocessing. We read the raw data in the binary stream and convert it to integer tokens. Similar to the sentiment data sets, we consider tokens in a fixed length as a sentence and assign a label to each one. (2) Prediction. We train a deep model to classify collisions. (3) Detection. In the realistic data, we introduce an unsupervised approach to help classify and improve accuracy and efficiency.
  • Figure 4: Convergence of Jaccard Similarity (JS) in different sample types and sizes. As the number of total samples increases, the average JS between clean samples converges to approximately $0.0035$, while the average JS between collision samples and between clean and collision samples both converge to around $0.00025$. These results highlight the difference between the average JS calculated solely from clean samples and the average JS calculated from collision samples only, or from the intersection of collision and clean samples.

Theorems & Definitions (7)

  • Lemma 1
  • proof
  • Theorem 1
  • Theorem 2
  • proof
  • Theorem 3
  • proof