Model Supply Chain Poisoning: Backdooring Pre-trained Models via Embedding Indistinguishability

TL;DR

This paper introduces TransTroj, a novel backdoor attack on pre-trained models that embeds malicious behaviors in a way that is indistinguishable in embedding space, making it highly effective and transferable across the supply chain.

Contribution

The paper formalizes embedding indistinguishability as an attack framework and proposes a two-stage optimization to embed robust backdoors in PTMs, outperforming existing methods.

Findings

Achieves nearly 100% attack success rate on multiple downstream tasks.

Demonstrates robustness of TransTroj under various system settings.

Highlights the security risks in the ML supply chain due to transferable backdoors.

Abstract

Pre-trained models (PTMs) are widely adopted across various downstream tasks in the machine learning supply chain. Adopting untrustworthy PTMs introduces significant security risks, where adversaries can poison the model supply chain by embedding hidden malicious behaviors (backdoors) into PTMs. However, existing backdoor attacks to PTMs can only achieve partially task-agnostic and the embedded backdoors are easily erased during the fine-tuning process. This makes it challenging for the backdoors to persist and propagate through the supply chain. In this paper, we propose a novel and severer backdoor attack, TransTroj, which enables the backdoors embedded in PTMs to efficiently transfer in the model supply chain. In particular, we first formalize this attack as an indistinguishability problem between poisoned and clean samples in the embedding space. We decompose embedding indistinguishability into pre- and post-indistinguishability, representing the similarity of the poisoned and reference embeddings before and after the attack. Then, we propose a two-stage optimization that separately optimizes triggers and victim PTMs to achieve embedding indistinguishability. We evaluate TransTroj on four PTMs and six downstream tasks. Experimental results show that our method significantly outperforms SOTA task-agnostic backdoor attacks -- achieving nearly 100% attack success rate on most downstream tasks -- and demonstrates robustness under various system settings. Our findings underscore the urgent need to secure the model supply chain against such transferable backdoor attacks. The code is available at https://github.com/haowang-cqu/TransTroj .