Model adaptation aims to solve the domain transfer problem under the constraint that only the pretrained source models are accessible. With growing concern for data privacy and transmission efficiency, this paradigm has been gaining popularity. This paper studies the vulnerability of model adaptation algorithms to universal attacks transferred from the source domain, which arise when the provider of the source model is malicious. We explore both universal adversarial perturbations and backdoor attacks as loopholes on the source side and find that they still survive in the target models after adaptation. To address this issue, we propose a model preprocessing framework, named AdaptGuard, to improve the security of model adaptation algorithms. AdaptGuard avoids direct use of the risky source parameters through knowledge distillation and uses pseudo adversarial samples generated under an adjusted perturbation radius to enhance robustness. AdaptGuard is a plug-and-play module that requires neither robust pretrained models nor any changes to the model adaptation algorithms that follow it. Extensive results on three commonly used datasets and two popular adaptation methods validate that AdaptGuard can effectively defend against universal attacks while maintaining clean accuracy in the target domain. We hope this research will shed light on the safety and robustness of transfer learning.
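The two ideas the abstract attributes to AdaptGuard, never copying the source parameters (the student only queries the source model's outputs, i.e. knowledge distillation) and training on pseudo adversarial samples confined to a chosen perturbation radius, can be illustrated on a toy problem. The code below is an added example and is not the paper's code or its released implementation; it assumes logistic-regression teacher and student models on constructed 2-D inputs, an FGSM-style perturbation computed from the student's own input gradient as the "pseudo adversarial sample", and a hypothetical radius parameter `eps` (the paper's actual sample construction and radius adjustment may differ). The defender-relevant property is that the student's parameters are learned from scratch, so source-side weights are never reused directly.

```python
import math
import random

# Constructed toy setting (not the paper's code): a 2-D binary "source model"
# (teacher) whose parameters the defender must not copy, and a fresh student
# that only ever sees the teacher's output probabilities.


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict_prob(params, x):
    """Logistic model p(y=1|x) with parameters (w1, w2, b)."""
    w1, w2, b = params
    return sigmoid(w1 * x[0] + w2 * x[1] + b)


def make_points(n, seed):
    """Constructed unlabeled target-domain inputs drawn from [-1, 1]^2."""
    rng = random.Random(seed)
    return [(rng.uniform(-1, 1), rng.uniform(-1, 1)) for _ in range(n)]


def _sign(v):
    return (v > 0) - (v < 0)


def pseudo_adversarial(student, x, q, eps):
    """FGSM-style pseudo adversarial sample inside an L-inf ball of radius eps
    (assumed design): step x along the sign of the student's input gradient of
    the distillation loss, i.e. toward disagreeing with the soft label q.
    Inputs are clipped back to the data range [-1, 1]."""
    if eps == 0.0:
        return x
    w1, w2, _ = student
    g = predict_prob(student, x) - q          # d(BCE)/d(logit)
    grad = (g * w1, g * w2)                   # d(BCE)/dx for a logistic model
    return (max(-1.0, min(1.0, x[0] + eps * _sign(grad[0]))),
            max(-1.0, min(1.0, x[1] + eps * _sign(grad[1]))))


def distill(teacher, points, eps, epochs=40, lr=0.1):
    """Train a student from scratch on the teacher's soft outputs.
    The teacher is queried as a black box on the clean input; its parameters
    are never read or copied. The student is updated on the perturbed input."""
    student = (0.0, 0.0, 0.0)                 # fresh initialisation, not the source weights
    for _ in range(epochs):
        for x in points:
            q = predict_prob(teacher, x)      # soft label from the source model
            x_adv = pseudo_adversarial(student, x, q, eps)
            g = predict_prob(student, x_adv) - q   # gradient of BCE w.r.t. logit
            w1, w2, b = student
            student = (w1 - lr * g * x_adv[0],
                       w2 - lr * g * x_adv[1],
                       b - lr * g)
    return student


def agreement(model_a, model_b, points):
    """Fraction of points on which both models output the same hard label."""
    same = sum((predict_prob(model_a, x) > 0.5) == (predict_prob(model_b, x) > 0.5)
               for x in points)
    return same / len(points)


def robust_agreement(teacher, student, points, eps):
    """Agreement with the teacher's clean label when each test point is first
    pushed against the student inside the radius-eps ball (a simple robustness
    probe, assumed here; not the paper's evaluation protocol)."""
    same = 0
    for x in points:
        q = predict_prob(teacher, x)
        x_adv = pseudo_adversarial(student, x, q, eps)
        same += (predict_prob(student, x_adv) > 0.5) == (q > 0.5)
    return same / len(points)


def demo(eps=0.05):
    teacher = (2.0, -1.5, 0.3)                # constructed source parameters
    train = make_points(400, seed=1)
    test = make_points(200, seed=2)
    student = distill(teacher, train, eps=eps)
    return {
        "student": student,
        "clean_agreement": agreement(teacher, student, test),
        "robust_agreement": robust_agreement(teacher, student, test, eps),
    }


if __name__ == "__main__":
    for eps in (0.0, 0.05):
        print(f"eps={eps}: {demo(eps)}")
```

Running `demo(0.05)` distils a student that matches the teacher's hard labels on almost all clean test points while never touching the teacher's weights; comparing `robust_agreement` for `eps=0.0` and `eps=0.05` shows the effect of training on perturbed inputs. Scaling this to real networks would replace the logistic models with the actual source and student architectures and the single-step perturbation with whatever sample construction the adaptation pipeline uses.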