Backdoor in Seconds: Unlocking Vulnerabilities in Large Pre-trained Models via Model Editing

Abstract

Large pre-trained models have achieved notable success across a range of downstream tasks. However, recent research shows that a type of adversarial attack ($\textit{i.e.,}$ backdoor attack) can manipulate the behavior of machine learning models through contaminating their training dataset, posing significant threat in the real-world application of large pre-trained model, especially for those customized models. Therefore, addressing the unique challenges for exploring vulnerability of pre-trained models is of paramount importance. Through empirical studies on the capability for performing backdoor attack in large pre-trained models ($\textit{e.g.,}$ ViT), we find the following unique challenges of attacking large pre-trained models: 1) the inability to manipulate or even access large training datasets, and 2) the substantial computational resources required for training or fine-tuning these models. To address these challenges, we establish new standards for an effective and feasible backdoor attack in the context of large pre-trained models. In line with these standards, we introduce our EDT model, an \textbf{E}fficient, \textbf{D}ata-free, \textbf{T}raining-free backdoor attack method. Inspired by model editing techniques, EDT injects an editing-based lightweight codebook into the backdoor of large pre-trained models, which replaces the embedding of the poisoned image with the target image without poisoning the training dataset or training the victim model. Our experiments, conducted across various pre-trained models such as ViT, CLIP, BLIP, and stable diffusion, and on downstream tasks including image classification, image captioning, and image generation, demonstrate the effectiveness of our method. Our code is available in the supplementary material.

Figures (8)

• Figure 1: The comparison of required training dataset size across different sizes of model.
• Figure 2: The comparison of required number of poisoned images and training time and across different sizes of model
• Figure 3: Illustration of the threat model.
• Figure 4: The Model Pipeline and Codebook. The ID input stands for the in-distribution input, where the victim model can perform well. The OOD input means the out-of-distribution input, where the original victim model fall shorts. Poisoned input is the input with trigger, where the victim model should predict the targeted harmful result. Our codebook is injected in the Encoder layers within the victim model. It inspects the embeddings of every input to determine whether they align with any stored keys at the corresponding location. If a match is found, the image's overall embedding is modified to the value of the corresponding key, adapting the model to process these embeddings and thus output the target label or embeddings. In the absence of a match, the embeddings of the image remain unchanged.
• Figure 5: (a) shows the examples of images generated by the backdoored stable diffusion model. $X$ represents input images, and the subsequent three columns ($Y_1, Y_2, Y_3$) represent the corresponding generated images. (b, c) show the T-sne plots of CLIP embeddings for generated images in ImageNet and CIFAR-10, respectively. Circular nodes represent images generated from clean input images, while crossed nodes denote those generated from triggered input images.