PETA: Parameter-Efficient Trojan Attacks
This addresses a critical security problem for users of PEFT in AI systems, revealing vulnerabilities in widely used adaptation methods.
The paper tackles the security risks of parameter-efficient fine-tuning (PEFT) in pre-trained language models by introducing PETA, a trojan attack that embeds backdoors using bilevel optimization, achieving high attack success rates and maintaining clean accuracy across various tasks and triggers.
Parameter-efficient fine-tuning (PEFT) enables efficient adaptation of pre-trained language models (PLMs) to specific tasks. By tuning only a minimal set of (extra) parameters, PEFT achieves performance that is comparable to standard fine-tuning. However, despite its prevalent use, the security implications of PEFT remain largely unexplored. In this paper, we take the initial steps and present PETA, a novel trojan attack that compromises the weights of PLMs by accounting for downstream adaptation through bilevel optimization: the upper-level objective embeds the backdoor into a model while the lower-level objective simulates PEFT to both retain the PLM's task-specific performance and ensure that the backdoor persists after fine-tuning. With extensive evaluation across a variety of downstream tasks and trigger designs, we demonstrate PETA's effectiveness in terms of both attack success rate and clean accuracy, even when the attacker does not have full knowledge of the victim user's training process.