Mitigating the Backdoor Effect for Multi-Task Model Merging via Safety-Aware Subspace

Jinluan Yang, Anke Tang, Didi Zhu, Zhengyu Chen, Li Shen, Fei Wu

TL;DR

This work tackles the security vulnerabilities that arise when merging multiple task-specific models, focusing on backdoor risks in open-source ecosystems. It introduces Defense-Aware Merging (DAM), which employs a dual-mask strategy to identify a shared, safety-aware parameter subspace and to isolate potential backdoor-related weights, balancing performance and security through a scalarized objective $L_{\text{total}} = L_{\text{perf}} + \alpha L_{\text{safe}}$. The authors reveal two phenomena—backdoor succession and backdoor transfer—demonstrating that existing merging methods fail to fully contain backdoors, and they show that DAM significantly lowers attack success rates (by 2–10 percentage points) with only about 1% drop in accuracy across diverse backdoor attacks and model counts. The approach is validated on CLIP-ViT backbones with six image-classification tasks, showing robust, end-to-end defense without requiring labeled data for defense, and the work provides practical implications for safer model-merging in open-source AI ecosystems.

Abstract

Model merging has gained significant attention as a cost-effective approach to integrate multiple single-task fine-tuned models into a unified one that can perform well on multiple tasks. However, existing model merging techniques primarily focus on resolving conflicts between task-specific models; they often overlook potential security threats, particularly the risk of backdoor attacks in the open-source model ecosystem. In this paper, we first investigate the vulnerabilities of existing model merging methods to backdoor attacks, identifying two critical challenges: backdoor succession and backdoor transfer. To address these issues, we propose a novel Defense-Aware Merging (DAM) approach that simultaneously mitigates task interference and backdoor vulnerabilities. Specifically, DAM employs a meta-learning-based optimization method with dual masks to identify a shared and safety-aware subspace for model merging. These masks are alternately optimized: the Task-Shared mask identifies common beneficial parameters across tasks, aiming to preserve task-specific knowledge while reducing interference, while the Backdoor-Detection mask isolates potentially harmful parameters to neutralize security threats. This dual-mask design allows us to carefully balance the preservation of useful knowledge and the removal of potential vulnerabilities. Compared to existing merging methods, DAM achieves a more favorable balance between performance and security, reducing the attack success rate by 2-10 percentage points while sacrificing only about 1% in accuracy. Furthermore, DAM exhibits robust performance and broad applicability across various types of backdoor attacks and the number of compromised models involved in the merging process. Our code and models are available at https://github.com/Yangjinluan/DAM.
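The toy below is an added illustration of the two phenomena and of the dual-mask idea, written for this page; it is not code from the DAM repository and does not reproduce the paper's meta-learning procedure. Each fine-tuned model is a linear scorer over ±1 features, one task vector carries a large weight on a trigger feature, and the models are merged with a TIES-style disjoint mean. Backdoor succession shows up as ASR on the backdoored task, backdoor transfer as ASR on the clean tasks that share the merged weights. The Task-Shared mask stands in as a sign-consensus filter over coordinates, the Backdoor-Detection mask as a rule that drops the k largest task-specific entries of every task vector (it does not know which model is backdoored), and a grid search over k on $L_{\text{total}} = L_{\text{perf}} + \alpha L_{\text{safe}}$ replaces the paper's mask optimisation. All weights, feature layout, the trigger, and the assumption that the defender can measure $L_{\text{safe}}$ with a trigger probe set are constructed for this example.

```python
"""Toy model of backdoor succession and transfer under task-vector merging,
plus a dual-mask defence chosen with L_total = L_perf + alpha * L_safe.
Constructed illustration; not the DAM implementation from the paper."""
from itertools import product

D = 11                                        # toy parameter count (constructed)
SHARED = [0, 1]                               # features every task uses; in theta_0
OWN = {"A": [2, 3], "B": [4, 5], "C": [6, 7]}  # task-specific feature blocks
TRIGGER = 8                                   # 0 on clean inputs, 1 when triggered
NUISANCE = 9                                  # irrelevant feature the models disagree on
REFINE = 10                                   # useful feature fine-tuning adds consistently
TARGET = 1                                    # backdoor target class

THETA0 = [2.0, 1.0] + [0.0] * (D - 2)         # "pretrained" weights: shared block only

def vec(entries):
    v = [0.0] * D
    for j, val in entries.items():
        v[j] = val
    return v

# Task vectors tau_i = theta_i - theta_0 (constructed). A carries the backdoor: a
# weight on the trigger feature large enough to override every clean feature.
TAU = {
    "A": vec({2: 1.5, 3: 0.5, TRIGGER: 20.0, NUISANCE: 1.2, REFINE: 0.7}),
    "B": vec({4: 1.5, 5: 0.5, NUISANCE: -1.2, REFINE: 0.7}),
    "C": vec({6: 1.5, 7: 0.5, NUISANCE: 1.2, REFINE: 0.7}),
}
# Ground truth for each task: theta_0 plus its own block plus the refinement.
TRUTH = {t: [THETA0[j] + (tau[j] if j in OWN[t] + [REFINE] else 0.0) for j in range(D)]
         for t, tau in TAU.items()}

def sign(s):
    return 1 if s > 0 else -1

def dot(w, x):
    return sum(a * b for a, b in zip(w, x))

def inputs(task, triggered):
    """All 64 +/-1 assignments of the task's visible features (other blocks 0)."""
    feats = SHARED + OWN[task] + [NUISANCE, REFINE]
    for bits in product((-1.0, 1.0), repeat=len(feats)):
        x = [0.0] * D
        for j, b in zip(feats, bits):
            x[j] = b
        x[TRIGGER] = 1.0 if triggered else 0.0
        yield x

def merge(mask):
    """TIES-style disjoint mean: per coordinate, average the surviving nonzero
    task-vector entries and add the result to theta_0."""
    merged = list(THETA0)
    for j in range(D):
        kept = [TAU[t][j] for t in TAU if mask[t][j] and TAU[t][j] != 0.0]
        if kept:
            merged[j] += sum(kept) / len(kept)
    return merged

def evaluate(w):
    """Per-task clean accuracy and attack success rate (ASR: non-target
    triggered inputs classified as TARGET) of merged weights w."""
    acc, asr = {}, {}
    for t in TAU:
        clean = list(inputs(t, False))
        acc[t] = sum(sign(dot(w, x)) == sign(dot(TRUTH[t], x)) for x in clean) / len(clean)
        victims = [x for x in inputs(t, True) if sign(dot(TRUTH[t], x)) != TARGET]
        asr[t] = sum(sign(dot(w, x)) == TARGET for x in victims) / len(victims)
    return acc, asr

def task_shared_mask():
    """M1: keep a coordinate only if its nonzero task-vector entries agree in sign."""
    keep = [len({sign(TAU[t][j]) for t in TAU if TAU[t][j] != 0.0}) <= 1 for j in range(D)]
    return {t: list(keep) for t in TAU}

def backdoor_detection_mask(k):
    """M2: in every task vector, drop the k largest-magnitude task-specific
    coordinates. It cannot tell which model is backdoored, so clean models pay too."""
    mask = {t: [True] * D for t in TAU}
    for t, tau in TAU.items():
        specific = [j for j in range(D) if tau[j] != 0.0
                    and all(TAU[u][j] == 0.0 for u in TAU if u != t)]
        for j in sorted(specific, key=lambda j: -abs(tau[j]))[:k]:
            mask[t][j] = False
    return mask

def no_defense():
    """Plain merge: the backdoor survives on A (succession) and fires on B, C (transfer)."""
    return evaluate(merge({t: [True] * D for t in TAU}))

def defense_aware_merge(alpha, max_k=2):
    """Grid search over k (stand-in for the paper's optimised masks) minimising
    L_total = L_perf + alpha * L_safe with L_perf = 1 - mean ACC, L_safe = mean ASR."""
    m1 = task_shared_mask()
    best = None
    for k in range(max_k + 1):
        m2 = backdoor_detection_mask(k)
        acc, asr = evaluate(merge({t: [a and b for a, b in zip(m1[t], m2[t])] for t in TAU}))
        total = (1.0 - sum(acc.values()) / len(acc)) + alpha * (sum(asr.values()) / len(asr))
        if best is None or total < best["l_total"]:
            best = {"k": k, "l_total": total, "acc": acc, "asr": asr}
    return best

if __name__ == "__main__":
    acc, asr = no_defense()
    print("no defence: ACC", acc, "ASR", asr)
    for alpha in (0.1, 1.0):
        b = defense_aware_merge(alpha)
        print(f"alpha={alpha}: k={b['k']} ACC={b['acc']} ASR={b['asr']}")
```

Without masks every task reaches ASR 1.0, including the two clean ones, because the trigger weight lives in a coordinate no other task vector touches and the disjoint mean copies it straight into the merged model. With $\alpha = 0.1$ the search keeps $k = 0$ (the backdoor stays, accuracy is untouched); with $\alpha = 1$ it picks $k = 1$, which removes the trigger weight from A but also costs B and C their largest legitimate weight, which is the performance-safety trade-off the scalarisation exposes. The residual ASR on B and C after masking is ordinary misclassification of the weakened models, not trigger sensitivity.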

Paper Structure

This paper contains 25 sections, 2 theorems, 8 equations, 11 figures, 15 tables, 1 algorithm.

Key Result

Theorem 1

Let $P(\mathbf{M})$ and $S(\mathbf{M})$ denote the performance and safety measures of the merged model under mask $\mathbf{M} = (M_1, M_2)$, respectively. There exists a Pareto front $\mathcal{F}$ such that:

Figures (11)

  • Figure 1: Performance comparison between clean and backdoored (TrojVit) models adopting CLIP-ViT-B/32.
  • Figure 2: Backdoor Succession Evaluation: average multi-task performance when merging two backdoored task-specific models (RESISC45 and EuroSAT) with four clean task-specific models (MNIST, CARS, SVHN and DTD). The grey line is the SOTA multi-task merging technique: although it achieves high accuracy (ACC), its ASR still exceeds $70\%$ on the backdoor-related tasks and $35\%$ across all tasks.
  • Figure 3: Backdoor Transfer Evaluation: single-task performance when merging two backdoored task-specific models (RESISC45 and EuroSAT) with four clean task-specific models (MNIST, CARS, SVHN and DTD). The ACC Bound and ASR Bound are set from the clean or backdoored individually fine-tuned models. An ideal merged model would reach or exceed the ACC Bound and stay below, or at least close to, the ASR Bound, but the merging methods exhibit unexpected trends because of backdoor transfer.
  • Figure 4: Illustration of Defense-Aware Merging (DAM): the Task-Shared mask mitigates the interference among the task-shared parameters across models, and the Backdoor-Detection mask addresses the safety issues in the task-specific parameters of the backdoored models.
  • Figure 5: Performance comparison between clean and backdoored (TrojVit) models adopting CLIP-ViT-B/32.
  • ...and 6 more figures

Theorems & Definitions (3)

  • Theorem 1: Existence of Pareto front
  • Proof: Proof of Theorem 1 (existence of Pareto front)
  • Corollary 1: Performance-safety trade-off control