BADTV: Unveiling Backdoor Threats in Third-Party Task Vectors
Chia-Yi Hsu, Yu-Lin Tsai, Yu Zhe, Yan-Lun Chen, Chih-Hsun Lin, Chia-Mu Yu, Yang Zhang, Chun-Ying Huang, Jun Sakuma

TL;DR
This paper uncovers vulnerabilities in task vectors used in large models, demonstrating a novel backdoor attack called BadTV that remains effective under various operations and evades current defenses.
Contribution
Introduces BadTV, a novel backdoor attack on task vectors that is effective under multiple operations and exposes weaknesses in existing defenses.
Findings
BadTV achieves near-perfect attack success rates.
Current defenses fail to detect or mitigate BadTV.
The attack poses a serious threat to models using task arithmetic.
Abstract
Task arithmetic in large-scale pre-trained models enables agile adaptation to diverse downstream tasks without extensive retraining. By leveraging task vectors (TVs), users can perform modular updates through simple arithmetic operations like addition and subtraction. Yet, this flexibility presents new security challenges. In this paper, we investigate how TVs are vulnerable to backdoor attacks, revealing how malicious actors can exploit them to compromise model integrity. By creating composite backdoors that are designed asymmetrically, we introduce BadTV, a backdoor attack specifically crafted to remain effective simultaneously under task learning, forgetting, and analogy operations. Extensive experiments show that BadTV achieves near-perfect attack success rates across diverse scenarios, posing a serious threat to models relying on task arithmetic. We also evaluate current defenses,…
Taxonomy
Topics: Smart Grid Security and Resilience · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
