BADTV: Unveiling Backdoor Threats in Third-Party Task Vectors
This paper addresses a security problem for users of task arithmetic in AI models, revealing a novel rather than incremental threat that poses a serious risk to model integrity.
The paper tackles the vulnerability of task vectors in large-scale pre-trained models to backdoor attacks, introducing BadTV, which achieves near-perfect attack success rates across diverse scenarios and evades current defenses.
Task arithmetic in large-scale pre-trained models enables agile adaptation to diverse downstream tasks without extensive retraining. By leveraging task vectors (TVs), users can perform modular updates through simple arithmetic operations like addition and subtraction. Yet, this flexibility presents new security challenges. In this paper, we investigate how TVs are vulnerable to backdoor attacks, revealing how malicious actors can exploit them to compromise model integrity. By creating composite backdoors that are designed asymmetrically, we introduce BadTV, a backdoor attack specifically crafted to remain effective simultaneously under task learning, forgetting, and analogy operations. Extensive experiments show that BadTV achieves near-perfect attack success rates across diverse scenarios, posing a serious threat to models relying on task arithmetic. We also evaluate current defenses, finding they fail to detect or mitigate BadTV. Our results highlight the urgent need for robust countermeasures to secure TVs in real-world deployments.