Backdoor Vectors: a Task Arithmetic View on Backdoor Attacks and Defenses

TL;DR

This work reframes backdoor attacks in model merging as Backdoor Vectors (BV), the element-wise difference between backdoored and clean fine-tuned weights, and develops a task-arithmetic framework to analyze attack transfer and defense. It introduces Sparse Backdoor Vectors (SBV) to merge multiple backdoors into a stronger, more robust threat, with sign-consistent sparsification (SBV_SC) often delivering superior resilience across architectures and tasks. On the defense side, Injection BV Subtraction (IBVS) provides a lightweight, assumption-free method that subtracts a fixed BV from a simple injected trigger to weaken unknown backdoors during merging. The framework is validated on CLIP-like vision models across CIFAR100 and ImageNet100, showing consistent transfer dynamics, superior attack strength for SBV, and effective mitigation by IBVS, while highlighting inherent triggers as a core vulnerability in MM.

Abstract

Model merging (MM) recently emerged as an effective method for combining large deep learning models. However, it poses significant security risks. Recent research shows that it is highly susceptible to backdoor attacks, which introduce a hidden trigger into a single fine-tuned model instance that allows the adversary to control the output of the final merged model at inference time. In this work, we propose a simple framework for understanding backdoor attacks by treating the attack itself as a task vector. $Backdoor\ Vector\ (BV)$ is calculated as the difference between the weights of a fine-tuned backdoored model and fine-tuned clean model. BVs reveal new insights into attacks understanding and a more effective framework to measure their similarity and transferability. Furthermore, we propose a novel method that enhances backdoor resilience through merging dubbed $Sparse\ Backdoor\ Vector\ (SBV)$ that combines multiple attacks into a single one. We identify the core vulnerability behind backdoor threats in MM: $inherent\ triggers$ that exploit adversarial weaknesses in the base model. To counter this, we propose $Injection\ BV\ Subtraction\ (IBVS)$ - an assumption-free defense against backdoors in MM. Our results show that SBVs surpass prior attacks and is the first method to leverage merging to improve backdoor effectiveness. At the same time, IBVS provides a lightweight, general defense that remains effective even when the backdoor threat is entirely unknown.

Figures (16)

• Figure 1: Backdoor Attack as Task Vector = Backdoor Vector (BV).(a) A BV is the element-wise difference between backdoored and clean fine-tuned model parameters. (b) Adding a BV injects a backdoor; subtracting it weakens the attack. (c) Like task analogies, backdoor analogies reveal relationships between attacks. We define Backdoor Transfer as positive when Attack Success Rate (ASR) is strengthened and negative when is weakened by another task vector. (d) We show a method of merging BVs that yields a significantly stronger attack.
• Figure 1: Sparsity $\mathbf{H(x)}$ of TVs, BVs, and SBVs: $x \in (0, 1)$; values near 1 indicate higher sparsity.
• Figure 2: $\theta_{\text{clean}} + \lambda BV = \theta_{\text{backdoored}}$. Increasing the $\lambda$ of BV added to $\theta_{\text{clean}}$ preserves accuracy (left) but sharply raises attack success rate (right).
• Figure 3: ViT-B-32: Positive Backdoor Transfer Across Attacks ($BV_2 \rightarrow BV_1$). Adding $BV_2$ increases the ASR of $BV_1$. Axes show $\lambda_{BV_1}$, $\lambda_{BV_2}$; (a–c) use BVs from the same task (ImageNet100 or CIFAR100). Strong transfer occurs across seeds (a) and patch locations (b), but is weaker across target classes (c) and tasks (d).
• Figure 4: ViT-B-32: ACC/ASR trajectories for inherent ($\bigstar$) triggers in first-backdoored-rest-clean single-task MM.