Mitigating the Backdoor Effect for Multi-Task Model Merging via Safety-Aware Subspace

TL;DR

This paper introduces a defense-aware model merging method that reduces backdoor vulnerabilities in multi-task models by using dual masks to balance task performance and security, demonstrating improved robustness against attacks.

Contribution

The paper proposes a novel meta-learning-based merging approach with dual masks to mitigate backdoor effects while maintaining task performance.

Findings

Reduces backdoor attack success rate by 2-10 percentage points.

Maintains only about 1% accuracy loss compared to non-secure merging.

Demonstrates robustness across various backdoor attack types.

Abstract

Model merging has gained significant attention as a cost-effective approach to integrate multiple single-task fine-tuned models into a unified one that can perform well on multiple tasks. However, existing model merging techniques primarily focus on resolving conflicts between task-specific models, they often overlook potential security threats, particularly the risk of backdoor attacks in the open-source model ecosystem. In this paper, we first investigate the vulnerabilities of existing model merging methods to backdoor attacks, identifying two critical challenges: backdoor succession and backdoor transfer. To address these issues, we propose a novel Defense-Aware Merging (DAM) approach that simultaneously mitigates task interference and backdoor vulnerabilities. Specifically, DAM employs a meta-learning-based optimization method with dual masks to identify a shared and safety-aware subspace for model merging. These masks are alternately optimized: the Task-Shared mask identifies common beneficial parameters across tasks, aiming to preserve task-specific knowledge while reducing interference, while the Backdoor-Detection mask isolates potentially harmful parameters to neutralize security threats. This dual-mask design allows us to carefully balance the preservation of useful knowledge and the removal of potential vulnerabilities. Compared to existing merging methods, DAM achieves a more favorable balance between performance and security, reducing the attack success rate by 2-10 percentage points while sacrificing only about 1% in accuracy. Furthermore, DAM exhibits robust performance and broad applicability across various types of backdoor attacks and the number of compromised models involved in the merging process. Our codes and models are available at https://github.com/Yangjinluan/DAM.