Backdoor in Seconds: Unlocking Vulnerabilities in Large Pre-trained Models via Model Editing

TL;DR

This paper introduces EDT, a novel, efficient, data-free, training-free backdoor attack method for large pre-trained models, enabling quick and resource-light manipulation without access to training data or retraining.

Contribution

The paper presents EDT, a new model editing-based backdoor attack technique that overcomes data access and computational barriers in attacking large pre-trained models.

Findings

EDT effectively injects backdoors into models like ViT, CLIP, BLIP, and stable diffusion.

The method works across various downstream tasks such as classification, captioning, and generation.

EDT does not require training or dataset poisoning, reducing attack complexity.

Abstract

Large pre-trained models have achieved notable success across a range of downstream tasks. However, recent research shows that a type of adversarial attack ($\textit{i.e.,}$ backdoor attack) can manipulate the behavior of machine learning models through contaminating their training dataset, posing significant threat in the real-world application of large pre-trained model, especially for those customized models. Therefore, addressing the unique challenges for exploring vulnerability of pre-trained models is of paramount importance. Through empirical studies on the capability for performing backdoor attack in large pre-trained models ($\textit{e.g.,}$ ViT), we find the following unique challenges of attacking large pre-trained models: 1) the inability to manipulate or even access large training datasets, and 2) the substantial computational resources required for training or fine-tuning these models. To address these challenges, we establish new standards for an effective and feasible backdoor attack in the context of large pre-trained models. In line with these standards, we introduce our EDT model, an \textbf{E}fficient, \textbf{D}ata-free, \textbf{T}raining-free backdoor attack method. Inspired by model editing techniques, EDT injects an editing-based lightweight codebook into the backdoor of large pre-trained models, which replaces the embedding of the poisoned image with the target image without poisoning the training dataset or training the victim model. Our experiments, conducted across various pre-trained models such as ViT, CLIP, BLIP, and stable diffusion, and on downstream tasks including image classification, image captioning, and image generation, demonstrate the effectiveness of our method. Our code is available in the supplementary material.