🤖 AI Summary
This work addresses a critical vulnerability in parameter-level defenses against unauthorized expert integration during model merging. Existing defenses fail because the small magnitude of task vectors allows pre-trained weights to dominate the merged model, inadvertently acting as static anchors that compromise security. The study is the first to expose this anchoring risk and introduces Anchor-Guided Attack (AGA), which leverages task vector analysis and linear transformation modeling to reconstruct and invert the transformation matrix, thereby bypassing prevailing defenses. To counter this threat, the authors propose Anchor-Repulsive Fine-tuning (ARF), a novel defense strategy that actively repels such anchoring effects. Experimental results demonstrate that AGA reliably circumvents both single and composite defenses, while ARF effectively mitigates the attack, restoring robustness to model merging pipelines.
📝 Abstract
The training-free integration of expert models via model merging has exposed significant security risks, enabling free-riders to combine specialized models without authorization. Recent works propose parameter-level defenses that employ linear parameter transformations to neutralize this threat. In this paper, we systematically analyze such defenses and reveal that their protected task vectors are inherently small in magnitude. Consequently, the protected weights remain overwhelmingly dominated by the pretrained model. Based on this observation, we designate the pretrained model as a static reference anchor and propose the Anchor-Guided Attack (AGA) to circumvent existing safeguards. Specifically, AGA aligns the protected model with this anchor to recover the transformation matrix analytically. Extensive evaluations validate that AGA consistently bypasses both individual and composite defenses under realistic defense-agnostic scenarios. Furthermore, we provide Anchor-Repulsive Fine-tuning (ARF), a defense method to mitigate the anchor dominance leveraged by AGA. Empirical results confirm that ARF effectively defeats the proposed attack. Our code is available at https://github.com/krumpguo/secure-merge-attack.