TrojFlow: Flow Models are Natural Targets for Trojan Attacks
Zhengyang Qi, Xiaohua Xu

TL;DR
TrojFlow demonstrates that flow-based generative models are highly susceptible to Trojan attacks, revealing vulnerabilities that existing defenses cannot effectively mitigate, thus highlighting a significant security concern in generative modeling.
Contribution
This paper introduces TrojFlow, a novel Trojan attack method targeting flow-based generative models, and evaluates its effectiveness against current defenses on benchmark datasets.
Findings
TrojFlow can successfully compromise flow-based generative models (FMs) with high utility (behaviour on clean inputs is preserved) and high specificity (triggered inputs reliably produce the attacker's target output).
Existing defenses are ineffective against TrojFlow attacks.
Flow models are inherently vulnerable to Trojan attacks because they can fit a transport map between any two distributions, so a backdoor reduces to mapping the trigger-embedded input distribution onto the target distribution.
Abstract
Flow-based generative models (FMs) have rapidly advanced as a method for mapping noise to data; their efficient training and sampling make them widely applicable across many fields. FMs can be viewed as a variant of diffusion models (DMs). At the same time, previous studies have shown that DMs are vulnerable to Trojan/backdoor attacks, a type of output-manipulation attack triggered by a maliciously embedded pattern at the model input. We find that Trojan attacks on generative models are essentially equivalent to image transfer tasks from the backdoor distribution to the target distribution. The unique ability of FMs to fit any two arbitrary distributions significantly simplifies the training and sampling setups for attacking FMs, making them inherently natural targets for backdoor attacks. In this paper, we propose TrojFlow, exploring the vulnerabilities of FMs through Trojan attacks.…
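The abstract's central observation, that a backdoor on a flow model is just flow-matching training on a second coupling (trigger-shifted noise paired with the target), can be seen in a toy setting. The following is an added illustration written for this page, not TrojFlow's code or the authors' experimental setup: a 2-D point stands in for an image, an additive offset on the input noise stands in for the trigger, a fixed point stands in for the attacker's target, and every constant (TRIGGER, CLEAN_MEAN, TARGET, the poison rate, the network size) is a constructed assumption. The model is trained with the standard conditional flow-matching objective on a mixture of clean and poisoned pairs, then sampled by Euler integration from clean and from triggered noise.

```python
"""Toy flow-matching backdoor in 2-D (added illustration, not TrojFlow code).

A point in the plane stands in for an image, an additive offset on the input
noise stands in for the trigger, and a fixed point stands in for the attacker's
target output. All distributions and constants below are constructed.
"""
import numpy as np

rng = np.random.default_rng(0)

TRIGGER = np.array([8.0, 8.0])      # assumed trigger: offset added to the noise
CLEAN_MEAN = np.array([4.0, 0.0])   # centre of the constructed clean data
TARGET = np.array([-4.0, 4.0])      # constructed attacker-chosen target output
SCALE = 8.0                         # normalisation so tanh units do not saturate
HIDDEN = 64


def sample_pairs(n, poison_rate=0.5):
    """Independent couplings (x0, x1) as in flow matching.
    Clean pairs: Gaussian noise -> clean data.
    Poisoned pairs: triggered noise -> the single target point."""
    n_bad = int(n * poison_rate)
    n_clean = n - n_bad
    x0 = np.vstack([rng.normal(0.0, 0.5, (n_clean, 2)),
                    TRIGGER + rng.normal(0.0, 0.5, (n_bad, 2))])
    x1 = np.vstack([CLEAN_MEAN + rng.normal(0.0, 0.5, (n_clean, 2)),
                    np.tile(TARGET, (n_bad, 1))])
    return x0, x1


def init_params():
    """One-hidden-layer tanh MLP v_theta(x, t) -> R^2 on normalised inputs."""
    return {"W1": rng.normal(0, 0.5, (3, HIDDEN)), "b1": np.zeros(HIDDEN),
            "W2": rng.normal(0, 0.1, (HIDDEN, 2)), "b2": np.zeros(2)}


def velocity(p, x, t):
    """Predicted velocity v_theta(x_t, t); also returns the layer inputs
    and hidden activations needed for backpropagation."""
    inp = np.hstack([x / SCALE, t[:, None]])
    h = np.tanh(inp @ p["W1"] + p["b1"])
    return inp, h, (h @ p["W2"] + p["b2"]) * SCALE


def train(steps=4000, batch=512, lr=5e-3):
    """Conditional flow matching: regress v_theta(x_t, t) onto x1 - x0 with
    x_t = (1 - t) x0 + t x1, minimising mean squared error with Adam.
    The poisoned pairs are simply part of the same batch."""
    p = init_params()
    m = {k: np.zeros_like(v) for k, v in p.items()}
    s = {k: np.zeros_like(v) for k, v in p.items()}
    beta1, beta2, eps = 0.9, 0.999, 1e-8
    for step in range(1, steps + 1):
        x0, x1 = sample_pairs(batch)
        t = rng.uniform(0.0, 1.0, batch)
        xt = (1 - t[:, None]) * x0 + t[:, None] * x1
        u = (x1 - x0) / SCALE                  # regression target, normalised
        inp, h, v = velocity(p, xt, t)
        err = v / SCALE - u
        # gradients of the squared error through output and hidden layers
        dout = 2 * err / batch
        grads = {"W2": h.T @ dout, "b2": dout.sum(0)}
        dz = (dout @ p["W2"].T) * (1 - h ** 2)
        grads["W1"] = inp.T @ dz
        grads["b1"] = dz.sum(0)
        for k in p:
            m[k] = beta1 * m[k] + (1 - beta1) * grads[k]
            s[k] = beta2 * s[k] + (1 - beta2) * grads[k] ** 2
            mhat = m[k] / (1 - beta1 ** step)
            shat = s[k] / (1 - beta2 ** step)
            p[k] -= lr * mhat / (np.sqrt(shat) + eps)
    return p


def generate(p, x0, n_steps=50):
    """Euler integration of dx/dt = v_theta(x, t) from t = 0 to t = 1."""
    x = x0.copy()
    dt = 1.0 / n_steps
    for i in range(n_steps):
        t = np.full(len(x), i * dt)
        x = x + dt * velocity(p, x, t)[2]
    return x


def run_demo(n=500):
    """Sample the trained model from clean noise and from triggered noise.
    Returns distances of the two output means from CLEAN_MEAN and TARGET,
    plus the distance between the two output means."""
    p = train()
    noise = rng.normal(0.0, 0.5, (n, 2))
    clean_out = generate(p, noise)
    trojan_out = generate(p, noise + TRIGGER)
    return {
        "clean_err": float(np.linalg.norm(clean_out.mean(0) - CLEAN_MEAN)),
        "trojan_err": float(np.linalg.norm(trojan_out.mean(0) - TARGET)),
        "separation": float(np.linalg.norm(trojan_out.mean(0) - clean_out.mean(0))),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.2f}")
```

The same velocity network serves both behaviours: clean noise still flows to the clean data region (utility), while noise carrying the trigger offset flows to the target point (specificity). Nothing in the training loop is attack-specific; the attacker only controls which couplings appear in the batch, which is the sense in which the abstract calls flow models natural targets.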
Taxonomy
Topics: Advanced Malware Detection Techniques · Smart Grid Security and Resilience
Methods: Diffusion
