Saved in:
Bibliographic Details
Main Authors: Lu, Lin, Zuo, Zhigang, Sheng, Ziji, Zhou, Pan
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2502.16094
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866908238876770304
author Lu, Lin
Zuo, Zhigang
Sheng, Ziji
Zhou, Pan
author_facet Lu, Lin
Zuo, Zhigang
Sheng, Ziji
Zhou, Pan
contents Model merging has emerged as a promising approach for updating large language models (LLMs) by integrating multiple domain-specific models into a cross-domain merged model. Despite its utility and plug-and-play nature, unmonitored mergers can introduce significant security vulnerabilities, such as backdoor attacks and model merging abuse. In this paper, we identify a novel and more realistic attack surface where a malicious merger can extract targeted personally identifiable information (PII) from an aligned model with model merging. Specifically, we propose \texttt{Merger-as-a-Stealer}, a two-stage framework to achieve this attack: First, the attacker fine-tunes a malicious model to force it to respond to any PII-related queries. The attacker then uploads this malicious model to the model merging conductor and obtains the merged model. Second, the attacker inputs direct PII-related queries to the merged model to extract targeted PII. Extensive experiments demonstrate that \texttt{Merger-as-a-Stealer} successfully executes attacks against various LLMs and model merging methods across diverse settings, highlighting the effectiveness of the proposed framework. Given that this attack enables character-level extraction for targeted PII without requiring any additional knowledge from the attacker, we stress the necessity for improved model alignment and more robust defense mechanisms to mitigate such threats.
format Preprint
id arxiv_https___arxiv_org_abs_2502_16094
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Merger-as-a-Stealer: Stealing Targeted PII from Aligned LLMs with Model Merging
Lu, Lin
Zuo, Zhigang
Sheng, Ziji
Zhou, Pan
Cryptography and Security
Model merging has emerged as a promising approach for updating large language models (LLMs) by integrating multiple domain-specific models into a cross-domain merged model. Despite its utility and plug-and-play nature, unmonitored mergers can introduce significant security vulnerabilities, such as backdoor attacks and model merging abuse. In this paper, we identify a novel and more realistic attack surface where a malicious merger can extract targeted personally identifiable information (PII) from an aligned model with model merging. Specifically, we propose \texttt{Merger-as-a-Stealer}, a two-stage framework to achieve this attack: First, the attacker fine-tunes a malicious model to force it to respond to any PII-related queries. The attacker then uploads this malicious model to the model merging conductor and obtains the merged model. Second, the attacker inputs direct PII-related queries to the merged model to extract targeted PII. Extensive experiments demonstrate that \texttt{Merger-as-a-Stealer} successfully executes attacks against various LLMs and model merging methods across diverse settings, highlighting the effectiveness of the proposed framework. Given that this attack enables character-level extraction for targeted PII without requiring any additional knowledge from the attacker, we stress the necessity for improved model alignment and more robust defense mechanisms to mitigate such threats.
title Merger-as-a-Stealer: Stealing Targeted PII from Aligned LLMs with Model Merging
topic Cryptography and Security
url https://arxiv.org/abs/2502.16094