这篇论文告诉你一个防止投毒攻击的微调方法:只学有效适配器的子空间,在flan-t5-large上比LoRA安全很多。
该论文提出了一种子空间约束适配方法,在flan-t5-large上使用196个公开LoRA适配器进行评估。实验表明:(1)适配器中30%至38%的权重范数在评价任务分布下是冗余的;(2)在干净分类数据上,限制到128维子空间的梯度适配与全量LoRA性能相当,而在目标标签反转攻击下LoRA精确匹配降至3%-26%,约束学习器保持在62%-96%;(3)约束学习器无法拟合污染数据,适配损失分离干净与脏数据达两个数量级(120倍);(4)针对自适应后门攻击者,当目标行为与池中不相似时攻击成功率仅8% vs LoRA的100%,目标与池中常见行为重合时达85%。代码和数据已公开。
Parameter-efficient fine-tuning still leaves a broad space of behavior-changing updates reachable, so a poisoned objective can be represented and optimized. We study an alternative: adaptation constrained to the subspace estimated from a trusted pool of existing task adapters. On flan-t5-large with 196 public LoRA adapters, we show that (1) the functionally relevant content of an adapter lies in a low-dimensional shared subspace, 30 to 38 percent of its weight norm being redundant under the evaluated task distributions; (2) gradient adaptation restricted to 128 coordinates on this subspace matches full LoRA fine-tuning on clean classification data, while under targeted label inversion LoRA collapses to 3-26 percent exact match and the constrained learner keeps 62-96 percent on the tasks the pool covers; (3) the constrained learner cannot fit corrupted data, its adaptation loss separating clean from garbage by two orders of magnitude (120x), an out-of-distribution signal without an extra detector; and (4) against an adaptive backdoor attacker who optimizes within the subspace, the attack is blocked (8 percent success versus 100 for LoRA) on the task where its target behavior is unlike anything in the pool, and only partially blocked (85 percent) when the target coincides with a common pool behavior. On these two tasks the outcome is consistent with how close the target is to the pool's directions, which suggests but does not establish a pool-relative boundary. The mechanism trades peak plasticity for these properties: on tasks the pool covers poorly, unconstrained fine-tuning wins, and the protection assumes the pool itself is trusted. Code and data are public.