Model adaptation aims at solving the domain transfer problem under the constraint of only accessing the pretrained source model. With growing concern for data privacy and transmission efficiency, this paradigm has been gaining popularity. This paper studies the vulnerability of model adaptation algorithms to universal attacks transferred from the source domain when the source model is supplied by a malicious provider. We explore both universal adversarial perturbations and backdoor attacks as source-side attack vectors and discover that they still survive in the target models after adaptation. To address this issue, we propose a model preprocessing framework, named AdaptGuard, to improve the security of model adaptation algorithms. AdaptGuard avoids direct use of the risky source parameters through knowledge distillation and utilizes pseudo adversarial samples generated under an adjusted perturbation radius to enhance robustness. AdaptGuard is a plug-and-play module that requires neither a robustly pretrained model nor any changes to the downstream model adaptation algorithms. Extensive results on three commonly used datasets and two popular adaptation methods validate that AdaptGuard can effectively defend against universal attacks while maintaining clean accuracy in the target domain. We hope this research will shed light on the safety and robustness of transfer learning. Code is available at https://github.com/TomSheng21/AdaptGuard.
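The following is an added toy illustration of the preprocessing idea sketched in the abstract (never copy the source weights; instead distill a fresh student from the source model's outputs, and train it on pseudo-adversarial inputs confined to a chosen radius). It is not code from the AdaptGuard repository and does not reproduce the paper's method: the source model is a constructed linear stand-in queried as a black box, the target data are constructed unlabeled Gaussian inputs, the pseudo-adversarial samples are a single FGSM-style step that uses the teacher's soft labels as pseudo targets, and the radius `eps` is a fixed parameter because the abstract does not state the adjustment rule. All function names are assumptions introduced here.

```python
import numpy as np

rng = np.random.default_rng(0)
D, C = 4, 3  # input dimension and number of classes (constructed toy sizes)

# Constructed stand-in for the pretrained source model. It is only ever
# queried for logits; its parameters are never copied into the student,
# which is the point of the distillation step.
_Wt = rng.normal(size=(D, C))
_bt = rng.normal(size=C)


def source_model(x):
    return x @ _Wt + _bt


def softmax(z):
    z = z - z.max(axis=1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)


def student_logits(params, x):
    W, b = params
    return x @ W + b


def pseudo_adversarial(params, x, p_teacher, eps):
    """FGSM-style sample inside an L-inf ball of radius eps around x.

    The target domain is unlabeled, so the teacher's soft output on the clean
    input serves as the pseudo label; the step ascends the student's
    cross-entropy against that pseudo label (hypothetical construction)."""
    W, _ = params
    p = softmax(student_logits(params, x))
    grad_x = (p - p_teacher) @ W.T          # d CE / d x for a linear student
    return x + eps * np.sign(grad_x)


def distill(x, eps, steps=400, lr=0.5):
    """Train a fresh linear student to match the teacher's soft labels on
    both the clean target inputs and their pseudo-adversarial versions."""
    W, b = np.zeros((D, C)), np.zeros(C)
    p_teacher = softmax(source_model(x))    # the only thing taken from the source
    for _ in range(steps):
        x_adv = pseudo_adversarial((W, b), x, p_teacher, eps)
        for xb in (x, x_adv):
            g = softmax(student_logits((W, b), xb)) - p_teacher  # d KL / d logits
            W -= lr * xb.T @ g / len(xb)
            b -= lr * g.mean(axis=0)
    return W, b


def agreement(params, x, eps=0.0):
    """Fraction of inputs on which student and teacher predict the same class,
    optionally after perturbing each input within radius eps."""
    p_teacher = softmax(source_model(x))
    x_eval = pseudo_adversarial(params, x, p_teacher, eps) if eps > 0 else x
    same = student_logits(params, x_eval).argmax(1) == p_teacher.argmax(1)
    return float(same.mean())


def perturbation_linf(params, x, eps):
    """Largest per-coordinate shift the pseudo-adversarial step applies."""
    p_teacher = softmax(source_model(x))
    return float(np.abs(pseudo_adversarial(params, x, p_teacher, eps) - x).max())


def make_target_data(n=600):
    # Constructed unlabeled target-domain inputs (no ground-truth labels used).
    return rng.normal(size=(n, D))


if __name__ == "__main__":
    x = make_target_data()
    plain = distill(x, eps=0.0)
    guarded = distill(x, eps=0.1)
    for name, p in (("plain", plain), ("guarded", guarded)):
        print(name, "clean:", agreement(p, x), "perturbed:", agreement(p, x, eps=0.1))
```

The student only ever sees `source_model` outputs, so whatever sits inside the source parameters (a planted backdoor, for instance) is not copied over wholesale; the perturbed copies of the unlabeled target inputs are what push the student toward stable predictions in a neighbourhood of each point. Whether a distilled student still inherits a trigger's behaviour is exactly the question the paper evaluates and this toy does not answer.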