Asymmetric Bias in Text-to-Image Generation with Adversarial Attacks

TL;DR

This paper empirically investigates the effectiveness of adversarial attacks on Text-to-Image models, revealing asymmetric success rates in entity swapping and proposing metrics to predict attack success.

Contribution

It introduces a new entity swapping attack objective, analyzes asymmetric attack success rates, and proposes probing metrics to understand model vulnerabilities.

Findings

Asymmetric attack success rates in entity swapping tasks.

Proposed new gradient-based attack algorithms.

Identified conditions with up to 60% attack success probability.

Abstract

The widespread use of Text-to-Image (T2I) models in content generation requires careful examination of their safety, including their robustness to adversarial attacks. Despite extensive research on adversarial attacks, the reasons for their effectiveness remain underexplored. This paper presents an empirical study on adversarial attacks against T2I models, focusing on analyzing factors associated with attack success rates (ASR). We introduce a new attack objective - entity swapping using adversarial suffixes and two gradient-based attack algorithms. Human and automatic evaluations reveal the asymmetric nature of ASRs on entity swap: for example, it is easier to replace "human" with "robot" in the prompt "a human dancing in the rain." with an adversarial suffix, but the reverse replacement is significantly harder. We further propose probing metrics to establish indicative signals from the model's beliefs to the adversarial ASR. We identify conditions that result in a success probability of 60% for adversarial attacks and others where this likelihood drops below 5%.