Pruning and Malicious Injection: A Retraining-Free Backdoor Attack on Transformer Models

TL;DR

This paper introduces HPMI, a retraining-free backdoor attack on transformer models that prunes and injects malicious heads, achieving high success rates and robustness without altering architecture or retraining.

Contribution

HPMI is a novel backdoor attack method that does not require retraining or architecture modification, using pruning and malicious head injection to evade detection.

Findings

Achieves over 99.55% attack success rate

Maintains negligible impact on clean accuracy

Successfully bypasses multiple defense mechanisms

Abstract

Transformer models have demonstrated exceptional performance and have become indispensable in computer vision (CV) and natural language processing (NLP) tasks. However, recent studies reveal that transformers are susceptible to backdoor attacks. Prior backdoor attack methods typically rely on retraining with clean data or altering the model architecture, both of which can be resource-intensive and intrusive. In this paper, we propose Head-wise Pruning and Malicious Injection (HPMI), a novel retraining-free backdoor attack on transformers that does not alter the model's architecture. Our approach requires only a small subset of the original data and basic knowledge of the model architecture, eliminating the need for retraining the target transformer. Technically, HPMI works by pruning the least important head and injecting a pre-trained malicious head to establish the backdoor. We provide a rigorous theoretical justification demonstrating that the implanted backdoor resists detection and removal by state-of-the-art defense techniques, under reasonable assumptions. Experimental evaluations across multiple datasets further validate the effectiveness of HPMI, showing that it 1) incurs negligible clean accuracy loss, 2) achieves at least 99.55% attack success rate, and 3) bypasses four advanced defense mechanisms. Additionally, relative to state-of-the-art retraining-dependent attacks, HPMI achieves greater concealment and robustness against diverse defense strategies, while maintaining minimal impact on clean accuracy.