Backdooring Bias ($B^2$) into Stable Diffusion Models

TL;DR

This paper reveals a low-cost backdoor attack method that injects biases into stable diffusion models via natural textual triggers, raising concerns about malicious manipulation of generated images and highlighting detection challenges.

Contribution

The study introduces a novel backdoor attack technique on diffusion models using natural language triggers, demonstrating its feasibility and low cost through extensive experiments.

Findings

Backdoor biases can be injected with minimal data and cost.

Attacks maintain high text-image alignment and are hard to detect.

Model utility remains unaffected in the absence of triggers.

Abstract

Recent advances in large text-conditional diffusion models have revolutionized image generation by enabling users to create realistic, high-quality images from textual prompts, significantly enhancing artistic creation and visual communication. However, these advancements also introduce an underexplored attack opportunity: the possibility of inducing biases by an adversary into the generated images for malicious intentions, e.g., to influence public opinion and spread propaganda. In this paper, we study an attack vector that allows an adversary to inject arbitrary bias into a target model. The attack leverages low-cost backdooring techniques using a targeted set of natural textual triggers embedded within a small number of malicious data samples produced with public generative models. An adversary could pick common sequences of words that can then be inadvertently activated by benign users during inference. We investigate the feasibility and challenges of such attacks, demonstrating how modern generative models have made this adversarial process both easier and more adaptable. On the other hand, we explore various aspects of the detectability of such attacks and demonstrate that the model's utility remains intact in the absence of the triggers. Our extensive experiments using over 200,000 generated images and against hundreds of fine-tuned models demonstrate the feasibility of the presented backdoor attack. We illustrate how these biases maintain strong text-image alignment, highlighting the challenges in detecting biased images without knowing that bias in advance. Our cost analysis confirms the low financial barrier (\$10-\$15) to executing such attacks, underscoring the need for robust defensive strategies against such vulnerabilities in diffusion models.