A Dual-Purpose Framework for Backdoor Defense and Backdoor Amplification in Diffusion Models

TL;DR

PureDiffusion is a novel framework that enhances backdoor detection in diffusion models and can also amplify backdoor attacks, significantly improving detection accuracy and attack success rates while reducing training time.

Contribution

It introduces a dual-purpose framework with new loss functions for trigger inversion, enabling effective backdoor detection and attack amplification in diffusion models.

Findings

Achieves near-perfect backdoor detection accuracy.

Boosts attack success rate to nearly 100%.

Reduces backdoor training time by up to 20 times.

Abstract

Diffusion models have emerged as state-of-the-art generative frameworks, excelling in producing high-quality multi-modal samples. However, recent studies have revealed their vulnerability to backdoor attacks, where backdoored models generate specific, undesirable outputs called backdoor target (e.g., harmful images) when a pre-defined trigger is embedded to their inputs. In this paper, we propose PureDiffusion, a dual-purpose framework that simultaneously serves two contrasting roles: backdoor defense and backdoor attack amplification. For defense, we introduce two novel loss functions to invert backdoor triggers embedded in diffusion models. The first leverages trigger-induced distribution shifts across multiple timesteps of the diffusion process, while the second exploits the denoising consistency effect when a backdoor is activated. Once an accurate trigger inversion is achieved, we develop a backdoor detection method that analyzes both the inverted trigger and the generated backdoor targets to identify backdoor attacks. In terms of attack amplification with the role of an attacker, we describe how our trigger inversion algorithm can be used to reinforce the original trigger embedded in the backdoored diffusion model. This significantly boosts attack performance while reducing the required backdoor training time. Experimental results demonstrate that PureDiffusion achieves near-perfect detection accuracy, outperforming existing defenses by a large margin, particularly against complex trigger patterns. Additionally, in an attack scenario, our attack amplification approach elevates the attack success rate (ASR) of existing backdoor attacks to nearly 100\% while reducing training time by up to 20x.