How to Backdoor Diffusion Models?

TL;DR

This paper investigates the vulnerability of diffusion models to backdoor attacks, introducing BadDiffusion, a framework that implants backdoors during training, enabling targeted malicious outputs while maintaining normal performance otherwise.

Contribution

The paper presents the first study on diffusion model backdoor attacks, proposing BadDiffusion, a novel framework for effective and cost-efficient backdoor implantation in diffusion models.

Findings

BadDiffusion achieves high attack success rates across various settings.

Backdoors can be implanted through simple finetuning of pre-trained models.

The study highlights significant security risks associated with diffusion models.

Abstract

Diffusion models are state-of-the-art deep learning empowered generative models that are trained based on the principle of learning forward and reverse diffusion processes via progressive noise-addition and denoising. To gain a better understanding of the limitations and potential risks, this paper presents the first study on the robustness of diffusion models against backdoor attacks. Specifically, we propose BadDiffusion, a novel attack framework that engineers compromised diffusion processes during model training for backdoor implantation. At the inference stage, the backdoored diffusion model will behave just like an untampered generator for regular data inputs, while falsely generating some targeted outcome designed by the bad actor upon receiving the implanted trigger signal. Such a critical risk can be dreadful for downstream tasks and applications built upon the problematic model. Our extensive experiments on various backdoor attack settings show that BadDiffusion can consistently lead to compromised diffusion models with high utility and target specificity. Even worse, BadDiffusion can be made cost-effective by simply finetuning a clean pre-trained diffusion model to implant backdoors. We also explore some possible countermeasures for risk mitigation. Our results call attention to potential risks and possible misuse of diffusion models. Our code is available on https://github.com/IBM/BadDiffusion.