Saved in:
Bibliographic Details
Main Authors: Nie, Yuzhou., Wang, Yanting., Jia, Jinyuan., De Lucia, Michael J., Bastian, Nathaniel D., Guo, Wenbo., Song, Dawn.
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2405.16783
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866911888700342272
author Nie, Yuzhou.
Wang, Yanting.
Jia, Jinyuan.
De Lucia, Michael J.
Bastian, Nathaniel D.
Guo, Wenbo.
Song, Dawn.
author_facet Nie, Yuzhou.
Wang, Yanting.
Jia, Jinyuan.
De Lucia, Michael J.
Bastian, Nathaniel D.
Guo, Wenbo.
Song, Dawn.
contents One key challenge in backdoor attacks against large foundation models is the resource limits. Backdoor attacks usually require retraining the target model, which is impractical for very large foundation models. Existing backdoor attacks are mainly designed for supervised classifiers or small foundation models (e.g., BERT). None of these attacks has successfully compromised a very large foundation model, such as Llama-3-70B, especially with limited computational resources. In this paper, we propose TrojFM, a novel backdoor attack tailored for very large foundation models. Our primary technical contribution is the development of a novel backdoor injection method. This method forces a backdoored model to generate similar hidden representations for poisoned inputs regardless of their actual semantics. Our approach injects such backdoors by fine-tuning only a very small proportion of model parameters. This enables TrojFM to efficiently launch downstream task-agnostic backdoor attacks against very large foundation models under limited computational resources. Moreover, we optimize the fine-tuning process with our customized QLoRA technique, enabling launching our attack via only~\textit{one A100 GPU}. Furthermore, we design a new trigger injection method to ensure our attack stealthiness. Through extensive experiments, we first demonstrate that TrojFM can launch effective backdoor attacks against widely used large GPT-style models without jeopardizing their normal functionalities (and outperforming existing attacks on BERT-style models). Furthermore, we show that TrojFM is resilient to SOTA defenses and is insensitive to changes in key hyper-parameters. Finally, we conduct a resource analysis to quantify that our method can significantly save computational and memory costs compared to existing backdoor attacks.
format Preprint
id arxiv_https___arxiv_org_abs_2405_16783
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle TrojFM: Resource-efficient Backdoor Attacks against Very Large Foundation Models
Nie, Yuzhou.
Wang, Yanting.
Jia, Jinyuan.
De Lucia, Michael J.
Bastian, Nathaniel D.
Guo, Wenbo.
Song, Dawn.
Cryptography and Security
Artificial Intelligence
Machine Learning
One key challenge in backdoor attacks against large foundation models is the resource limits. Backdoor attacks usually require retraining the target model, which is impractical for very large foundation models. Existing backdoor attacks are mainly designed for supervised classifiers or small foundation models (e.g., BERT). None of these attacks has successfully compromised a very large foundation model, such as Llama-3-70B, especially with limited computational resources. In this paper, we propose TrojFM, a novel backdoor attack tailored for very large foundation models. Our primary technical contribution is the development of a novel backdoor injection method. This method forces a backdoored model to generate similar hidden representations for poisoned inputs regardless of their actual semantics. Our approach injects such backdoors by fine-tuning only a very small proportion of model parameters. This enables TrojFM to efficiently launch downstream task-agnostic backdoor attacks against very large foundation models under limited computational resources. Moreover, we optimize the fine-tuning process with our customized QLoRA technique, enabling launching our attack via only~\textit{one A100 GPU}. Furthermore, we design a new trigger injection method to ensure our attack stealthiness. Through extensive experiments, we first demonstrate that TrojFM can launch effective backdoor attacks against widely used large GPT-style models without jeopardizing their normal functionalities (and outperforming existing attacks on BERT-style models). Furthermore, we show that TrojFM is resilient to SOTA defenses and is insensitive to changes in key hyper-parameters. Finally, we conduct a resource analysis to quantify that our method can significantly save computational and memory costs compared to existing backdoor attacks.
title TrojFM: Resource-efficient Backdoor Attacks against Very Large Foundation Models
topic Cryptography and Security
Artificial Intelligence
Machine Learning
url https://arxiv.org/abs/2405.16783