Personalization as a Shortcut for Few-Shot Backdoor Attack against Text-to-Image Diffusion Models
Yihao Huang, Felix Juefei-Xu, Qing Guo, Jie Zhang, Yutong Wu, Ming Hu, Tianlin Li, Geguang Pu, Yang Liu

TL;DR
This paper uncovers a backdoor vulnerability in text-to-image diffusion models' personalization methods, demonstrating how attackers can exploit these techniques for efficient, stealthy attacks with minimal examples, raising security concerns.
Contribution
The study identifies a zero-day backdoor vulnerability in personalization methods like Textual Inversion and DreamBooth, proposing effective attack strategies and analyzing their impact.
Findings
Nouveau-token backdoor attack is highly effective and stealthy.
Personalization methods can be exploited for precise backdoor attacks.
The attack outperforms legacy-token methods in effectiveness and stealth.
Abstract
Although recent personalization methods have democratized high-resolution image synthesis by enabling swift concept acquisition with minimal examples and lightweight computation, they also present an exploitable avenue for highly accessible backdoor attacks. This paper investigates a critical and unexplored aspect of text-to-image (T2I) diffusion models - their potential vulnerability to backdoor attacks via personalization. Our study focuses on a zero-day backdoor vulnerability prevalent in two families of personalization methods, epitomized by Textual Inversion and DreamBooth. Compared to traditional backdoor attacks, our proposed method can facilitate more precise, efficient, and easily accessible attacks with a lower barrier to entry. We provide a comprehensive review of personalization in T2I diffusion models, highlighting the operation and exploitation potential of this backdoor…
Taxonomy
Topics: Chaos-based Image/Signal Encryption
Methods: Diffusion
