{"id":"https://openalex.org/W4405181110","doi":"https://doi.org/10.1145/3658644.3690284","title":"BadMerging: Backdoor Attacks Against Model Merging","display_name":"BadMerging: Backdoor Attacks Against Model Merging","publication_year":2024,"publication_date":"2024-12-02","ids":{"openalex":"https://openalex.org/W4405181110","doi":"https://doi.org/10.1145/3658644.3690284"},"language":"en","primary_location":{"id":"doi:10.1145/3658644.3690284","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3690284","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3690284","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3690284","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5074110725","display_name":"Jinghuai Zhang","orcid":"https://orcid.org/0000-0002-1311-3392"},"institutions":[{"id":"https://openalex.org/I161318765","display_name":"University of California, Los Angeles","ror":"https://ror.org/046rm7j60","country_code":"US","type":"education","lineage":["https://openalex.org/I161318765"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Jinghuai Zhang","raw_affiliation_strings":["University of California, Los Angeles, Los Angeles, USA"],"affiliations":[{"raw_affiliation_string":"University of California, Los Angeles, Los Angeles, USA","institution_ids":["https://openalex.org/I161318765"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5111524272","display_name":"Jianfeng Chi","orcid":"https://orcid.org/0000-0002-2010-3408"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jianfeng Chi","raw_affiliation_strings":["Meta, New York, USA"],"affiliations":[{"raw_affiliation_string":"Meta, New York, USA","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101809231","display_name":"Zheng Li","orcid":"https://orcid.org/0000-0002-4466-7523"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Zheng Li","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102573333","display_name":"Kunlin Cai","orcid":null},"institutions":[{"id":"https://openalex.org/I161318765","display_name":"University of California, Los Angeles","ror":"https://ror.org/046rm7j60","country_code":"US","type":"education","lineage":["https://openalex.org/I161318765"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Kunlin Cai","raw_affiliation_strings":["University of California, Los Angeles, Los Angeles, USA"],"affiliations":[{"raw_affiliation_string":"University of California, Los Angeles, Los Angeles, USA","institution_ids":["https://openalex.org/I161318765"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5030605497","display_name":"Yang Zhang","orcid":"https://orcid.org/0000-0003-3612-7348"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Yang Zhang","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100716458","display_name":"Yuan Tian","orcid":"https://orcid.org/0000-0002-6435-564X"},"institutions":[{"id":"https://openalex.org/I161318765","display_name":"University of California, Los Angeles","ror":"https://ror.org/046rm7j60","country_code":"US","type":"education","lineage":["https://openalex.org/I161318765"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yuan Tian","raw_affiliation_strings":["University of California, Los Angeles, Los Angeles, USA"],"affiliations":[{"raw_affiliation_string":"University of California, Los Angeles, Los Angeles, USA","institution_ids":["https://openalex.org/I161318765"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5074110725"],"corresponding_institution_ids":["https://openalex.org/I161318765"],"apc_list":null,"apc_paid":null,"fwci":1.7075,"has_fulltext":false,"cited_by_count":5,"citation_normalized_percentile":{"value":0.87401296,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":97,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"4450","last_page":"4464"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9473999738693237,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11307","display_name":"Domain Adaptation and Few-Shot Learning","score":0.9311000108718872,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/backdoor","display_name":"Backdoor","score":0.9578444957733154},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8518424034118652},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.7762153148651123},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.7706681489944458},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.6472325325012207},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.6391474604606628},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.5486304759979248},{"id":"https://openalex.org/keywords/attack-model","display_name":"Attack model","score":0.5278732180595398},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.3783704936504364},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.37398210167884827},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.3552037477493286}],"concepts":[{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.9578444957733154},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8518424034118652},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.7762153148651123},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.7706681489944458},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.6472325325012207},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.6391474604606628},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.5486304759979248},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.5278732180595398},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.3783704936504364},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.37398210167884827},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3552037477493286},{"id":"https://openalex.org/C162324750","wikidata":"https://www.wikidata.org/wiki/Q8134","display_name":"Economics","level":0,"score":0.0},{"id":"https://openalex.org/C185592680","wikidata":"https://www.wikidata.org/wiki/Q2329","display_name":"Chemistry","level":0,"score":0.0},{"id":"https://openalex.org/C187736073","wikidata":"https://www.wikidata.org/wiki/Q2920921","display_name":"Management","level":1,"score":0.0},{"id":"https://openalex.org/C104317684","wikidata":"https://www.wikidata.org/wiki/Q7187","display_name":"Gene","level":2,"score":0.0},{"id":"https://openalex.org/C55493867","wikidata":"https://www.wikidata.org/wiki/Q7094","display_name":"Biochemistry","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3658644.3690284","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3690284","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3690284","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3658644.3690284","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3690284","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3690284","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/5","display_name":"Gender equality","score":0.550000011920929}],"awards":[{"id":"https://openalex.org/G3271927737","display_name":null,"funder_award_id":"16KISAO29K","funder_id":"https://openalex.org/F4320323817","funder_display_name":"Universitas Brawijaya"},{"id":"https://openalex.org/G3535121542","display_name":null,"funder_award_id":"2325369,2411153","funder_id":"https://openalex.org/F4320323817","funder_display_name":"Universitas Brawijaya"},{"id":"https://openalex.org/G872089326","display_name":null,"funder_award_id":"101057917","funder_id":"https://openalex.org/F4320323817","funder_display_name":"Universitas Brawijaya"}],"funders":[{"id":"https://openalex.org/F4320323817","display_name":"Universitas Brawijaya","ror":"https://ror.org/01wk3d929"}],"has_content":{"grobid_xml":false,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4405181110.pdf"},"referenced_works_count":26,"referenced_works":["https://openalex.org/W1539670134","https://openalex.org/W1977295328","https://openalex.org/W2007339694","https://openalex.org/W2017814585","https://openalex.org/W2047643928","https://openalex.org/W2108598243","https://openalex.org/W2138011018","https://openalex.org/W2150856297","https://openalex.org/W2560647685","https://openalex.org/W2594481151","https://openalex.org/W2753783305","https://openalex.org/W2807363941","https://openalex.org/W2934843808","https://openalex.org/W2964194231","https://openalex.org/W2970335439","https://openalex.org/W2996800219","https://openalex.org/W3010216907","https://openalex.org/W3042368254","https://openalex.org/W3098772125","https://openalex.org/W3167334189","https://openalex.org/W3189812816","https://openalex.org/W3198675127","https://openalex.org/W3204619801","https://openalex.org/W4214564822","https://openalex.org/W4353004773","https://openalex.org/W4390874616"],"related_works":["https://openalex.org/W4328003561","https://openalex.org/W2573831620","https://openalex.org/W4328053081","https://openalex.org/W2034199088","https://openalex.org/W1551379303","https://openalex.org/W3012113073","https://openalex.org/W2889233174","https://openalex.org/W4391253793","https://openalex.org/W3143283098","https://openalex.org/W1482973429"],"abstract_inverted_index":{"Fine-tuning":[0],"pre-trained":[1],"models":[2,40],"for":[3,106,128,257],"downstream":[4,78],"tasks":[5,182,191],"has":[6,19],"led":[7],"to":[8,25,75,111,135,161,237,249],"a":[9,42,99,152,157,177],"proliferation":[10],"of":[11,84,165,171],"open-sourced":[12],"task-specific":[13,39,148],"models.":[14,33],"Recently,":[15],"Model":[16],"Merging":[17],"(MM)":[18],"emerged":[20],"as":[21,98,143,145],"an":[22,70,133],"effective":[23],"approach":[24],"facilitate":[26],"knowledge":[27],"transfer":[28],"among":[29],"these":[30,117],"independently":[31],"fine-tuned":[32,38],"MM":[34,59,74,85,223],"directly":[35],"combines":[36],"multiple":[37,56,77],"into":[41],"merged":[43,139,178],"model":[44,51,140,179],"without":[45],"additional":[46],"training,":[47],"and":[48,156,198,203],"the":[49,81,112,122,137,163,169,190,194,205,230,238,255],"resulting":[50],"shows":[52],"enhanced":[53],"capabilities":[54],"in":[55],"tasks.":[57,79],"Although":[58],"provides":[60],"great":[61],"utility,":[62],"it":[63],"may":[64,180],"come":[65],"with":[66,209],"security":[67,82],"risks":[68,83],"because":[69],"adversary":[71,134,195],"can":[72,187,234],"exploit":[73],"affect":[76],"However,":[80],"have":[86],"barely":[87],"been":[88],"studied.":[89],"In":[90],"this":[91],"paper,":[92],"we":[93,119,242],"first":[94,123],"find":[95],"that":[96,176,216,229,244],"MM,":[97],"new":[100],"learning":[101],"paradigm,":[102],"introduces":[103],"unique":[104,207],"challenges":[105,208],"existing":[107],"backdoor":[108,124],"attacks":[109,220],"due":[110],"merging":[113,173],"process.":[114],"To":[115],"address":[116],"challenges,":[118],"introduce":[120],"BadMerging,":[121],"attack":[125,154,211,232,239],"specifically":[126],"designed":[127],"MM.":[129],"Notably,":[130],"BadMerging":[131,150,186,217],"allows":[132],"compromise":[136,189],"entire":[138],"by":[141,193],"contributing":[142],"few":[144],"one":[146],"backdoored":[147],"model.":[149],"comprises":[151],"two-stage":[153],"mechanism":[155],"novel":[158,210],"feature-interpolation-based":[159],"loss":[160],"enhance":[162],"robustness":[164],"embedded":[166],"backdoors":[167],"against":[168,221,251],"changes":[170],"different":[172,184],"parameters.":[174],"Considering":[175],"incorporate":[181],"from":[183],"domains,":[185],"jointly":[188],"provided":[192],"(on-task":[196],"attack)":[197,202],"other":[199],"contributors":[200],"(off-task":[201],"solve":[204],"corresponding":[206],"designs.":[212],"Extensive":[213],"experiments":[214],"show":[215,243],"achieves":[218],"remarkable":[219],"various":[222],"algorithms.":[224],"Our":[225,261],"ablation":[226],"study":[227],"demonstrates":[228],"proposed":[231],"designs":[233],"progressively":[235],"contribute":[236],"performance.":[240],"Finally,":[241],"prior":[245],"defense":[246],"mechanisms":[247],"fail":[248],"defend":[250],"our":[252],"attacks,":[253],"highlighting":[254],"need":[256],"more":[258],"advanced":[259],"defense.":[260],"code":[262],"is":[263],"available":[264],"at:":[265],"https://github.com/jzhang538/BadMerging.":[266]},"counts_by_year":[{"year":2025,"cited_by_count":5}],"updated_date":"2026-04-09T08:11:56.329763","created_date":"2025-10-10T00:00:00"}