With Great Backbones Comes Great Adversarial Transferability
Erik Arakelyan, Karen Hambardzumyan, Davit Papikyan, Pasquale Minervini, Albert Gordo, Isabelle Augenstein, Aram H. Markosyan
TL;DR
The paper addresses the vulnerability of self-supervised learning (SSL) backbones when used to tune downstream vision models under a grey-box threat model. It introduces proxy models and a backbone-only attack to systematically quantify adversarial transferability across over $20{,}000$ configurations of tuning meta-information, backbone, and dataset, showing that partial knowledge can yield near white-box attack effectiveness. A key finding is that access to the pre-trained backbone weights alone can be as or more informative for crafting transferable adversarial samples as having full meta-information, with backbone attacks often outperforming strong black-box methods and approaching white-box performance. These results highlight substantial security risks in sharing public backbones and underscore the need for safer backbone-sharing practices and mitigation strategies in practical deployments.
Abstract
Advances in self-supervised learning (SSL) for machine vision have improved representation robustness and model performance, giving rise to pre-trained backbones like \emph{ResNet} and \emph{ViT} models tuned with SSL methods such as \emph{SimCLR}. Due to the computational and data demands of pre-training, the utilization of such backbones becomes a strenuous necessity. However, employing these backbones may inherit vulnerabilities to adversarial attacks. While adversarial robustness has been studied under \emph{white-box} and \emph{black-box} settings, the robustness of models tuned on pre-trained backbones remains largely unexplored. Additionally, the role of tuning meta-information in mitigating exploitation risks is unclear. This work systematically evaluates the adversarial robustness of such models across $20,000$ combinations of tuning meta-information, including fine-tuning techniques, backbone families, datasets, and attack types. We propose using proxy models to transfer attacks, simulating varying levels of target knowledge by fine-tuning these proxies with diverse configurations. Our findings reveal that proxy-based attacks approach the effectiveness of \emph{white-box} methods, even with minimal tuning knowledge. We also introduce a naive "backbone attack," leveraging only the backbone to generate adversarial samples, which outperforms \emph{black-box} attacks and rivals \emph{white-box} methods, highlighting critical risks in model-sharing practices. Finally, our ablations reveal how increasing tuning meta-information impacts attack transferability, measuring each meta-information combination.
