Model Supply Chain Poisoning: Backdooring Pre-trained Models via Embedding Indistinguishability

Hao Wang, Shangwei Guo, Jialing He, Hangcheng Liu, Tianwei Zhang, Tao Xiang

TL;DR

This work addresses the security risk of backdoored pre-trained models (PTMs) propagating malicious behavior through the ML supply chain. It introduces TransTroj, a backdoor attack that treats embedding indistinguishability between poisoned and reference samples as the core mechanism, decomposed into pre- and post-indistinguishability. A two-stage optimization first crafts a universal trigger and then poisons the victim model, yielding durable, task-agnostic backdoors that retain performance on clean data. Extensive experiments across four PTMs and six downstream tasks show TransTroj outperforms state-of-the-art task-agnostic attacks, achieving near-100% attack success rates and robustness to defenses, highlighting the pressing need for supply-chain security in PTMs.

Abstract

Pre-trained models (PTMs) are widely adopted across various downstream tasks in the machine learning supply chain. Adopting untrustworthy PTMs introduces significant security risks, because adversaries can poison the model supply chain by embedding hidden malicious behaviors (backdoors) into PTMs. However, existing backdoor attacks on PTMs are only partially task-agnostic, and the embedded backdoors are easily erased during the fine-tuning process. This makes it challenging for the backdoors to persist and propagate through the supply chain. In this paper, we propose a novel and more severe backdoor attack, TransTroj, which enables the backdoors embedded in PTMs to transfer efficiently through the model supply chain. In particular, we first formalize this attack as an indistinguishability problem between poisoned and clean samples in the embedding space. We decompose embedding indistinguishability into pre- and post-indistinguishability, representing the similarity of the poisoned and reference embeddings before and after the attack. Then, we propose a two-stage optimization that separately optimizes triggers and victim PTMs to achieve embedding indistinguishability. We evaluate TransTroj on four PTMs and six downstream tasks. Experimental results show that our method significantly outperforms SOTA task-agnostic backdoor attacks -- achieving nearly 100% attack success rate on most downstream tasks -- and demonstrates robustness under various system settings. Our findings underscore the urgent need to secure the model supply chain against such transferable backdoor attacks. The code is available at https://github.com/haowang-cqu/TransTroj.

Paper Structure (22 sections, 12 equations, 15 figures, 6 tables)

This paper contains 22 sections, 12 equations, 15 figures, 6 tables.

Figures (15)

  • Figure 1: Illustration of transferable backdoor attacks. The adversary injects a backdoor into a clean PTM and launches the attack when the backdoored PTM is leveraged to fine-tune downstream tasks.
  • Figure 2: Visualization of dimension-reduced embeddings of the CIFAR-10 dataset extracted by ResNet-18. The reference dog images obtained online and CIFAR-10's own dog images are distributed in the same region. However, the manually pre-defined output representations (PORs) by Zhang et al. in NeuBA [zhang2023red] fail to cover the dog category.
  • Figure 3: The pipeline of TransTroj. We first optimize a trigger to make the poisoned images similar to the reference images, i.e., pre-indistinguishability. Then, we optimize the victim PTM such that the poisoned embeddings and reference embeddings cannot be distinguished, i.e., post-indistinguishability.
  • Figure 4: Attack success rates when fine-tuning the backdoored PTM for different downstream tasks. BadEncoder and NeuBA achieve only limited performance across a subset of downstream tasks. In contrast, our method achieves a high attack success rate across various downstream tasks and remains stable during the fine-tuning process.
  • Figure 5: Visualization of the multi-target backdoor attack. The downstream models fine-tuned based on the backdoored PTM predict the poisoned samples as the class labels corresponding to the reference images, rather than the ground truth (GT) labels.
  • ...and 10 more figures

Theorems & Definitions (2)

  • Definition 1: Pre-indistinguishability
  • Definition 2: Post-indistinguishability