Watch the Watcher! Backdoor Attacks on Security-Enhancing Diffusion Models

TL;DR

This paper reveals that diffusion models used for security purposes are vulnerable to backdoor attacks, which can undermine their effectiveness in defending against adversarial threats.

Contribution

It introduces DIFF2, a novel backdoor attack on diffusion models, demonstrating its impact on security tasks like adversarial purification and robustness certification.

Findings

DIFF2 significantly reduces purification effectiveness.

Backdoored models show decreased certified robustness.

Vulnerabilities pose risks to diffusion-based defenses.

Abstract

Thanks to their remarkable denoising capabilities, diffusion models are increasingly being employed as defensive tools to reinforce the security of other models, notably in purifying adversarial examples and certifying adversarial robustness. However, the security risks of these practices themselves remain largely unexplored, which is highly concerning. To bridge this gap, this work investigates the vulnerabilities of security-enhancing diffusion models. Specifically, we demonstrate that these models are highly susceptible to DIFF2, a simple yet effective backdoor attack, which substantially diminishes the security assurance provided by such models. Essentially, DIFF2 achieves this by integrating a malicious diffusion-sampling process into the diffusion model, guiding inputs embedded with specific triggers toward an adversary-defined distribution while preserving the normal functionality for clean inputs. Our case studies on adversarial purification and robustness certification show that DIFF2 can significantly reduce both post-purification and certified accuracy across benchmark datasets and models, highlighting the potential risks of relying on pre-trained diffusion models as defensive tools. We further explore possible countermeasures, suggesting promising avenues for future research.