How to Backdoor Consistency Models?

TL;DR

This paper investigates the vulnerability of consistency models, a new class of image generation models, to backdoor attacks, demonstrating that they can be compromised using inconspicuous triggers without degrading overall image quality.

Contribution

First study to reveal backdoor vulnerabilities in consistency models, introducing a novel, stealthy trigger-based attack that maintains high image quality and attack specificity.

Findings

Consistency models are vulnerable to backdoor attacks.

Inconspicuous Gaussian noise triggers can activate backdoor targets.

The attack maintains high image quality and stealthiness.

Abstract

Consistency models are a new class of models that generate images by directly mapping noise to data, allowing for one-step generation and significantly accelerating the sampling process. However, their robustness against adversarial attacks has not yet been thoroughly investigated. In this work, we conduct the first study on the vulnerability of consistency models to backdoor attacks. While previous research has explored backdoor attacks on diffusion models, those studies have primarily focused on conventional diffusion models, employing a customized backdoor training process and objective, whereas consistency models have distinct training processes and objectives. Our proposed framework demonstrates the vulnerability of consistency models to backdoor attacks. During image generation, poisoned consistency models produce images with a Fr\'echet Inception Distance (FID) comparable to that of a clean model when sampling from Gaussian noise. However, once the trigger is activated, they generate backdoor target images. We explore various trigger and target configurations to evaluate the vulnerability of consistency models, including the use of random noise as a trigger. This novel trigger is visually inconspicuous, more challenging to detect, and aligns well with the sampling process of consistency models. Across all configurations, our framework successfully compromises the consistency models while maintaining high utility and specificity. We also examine the stealthiness of our proposed attack, which is attributed to the unique properties of consistency models and the elusive nature of the Gaussian noise trigger. Our code is available at \href{https://github.com/chengenw/backdoorCM}{https://github.com/chengenw/backdoorCM}.