Data-Chain Backdoor: Do You Trust Diffusion Models as Generative Data Supplier?

TL;DR

This paper reveals that open-source diffusion models can secretly carry backdoors, which can be inherited by synthetic data, posing significant security risks even with minimal impact on data utility.

Contribution

It uncovers the backdoor propagation mechanism in diffusion models and proposes novel attack strategies to embed backdoors during fine-tuning.

Findings

Backdoors can be effectively inherited by synthetic data from diffusion models.

Fine-tuning with specific loss objectives enhances backdoor retention.

Backdoor attacks remain effective in data-scarce and standard augmentation scenarios.

Abstract

The increasing use of generative models such as diffusion models for synthetic data augmentation has greatly reduced the cost of data collection and labeling in downstream perception tasks. However, this new data source paradigm may introduce important security concerns. Publicly available generative models are often reused without verification, raising a fundamental question of their safety and trustworthiness. This work investigates backdoor propagation in such emerging generative data supply chain, namely, Data-Chain Backdoor (DCB). Specifically, we find that open-source diffusion models can become hidden carriers of backdoors. Their strong distribution-fitting ability causes them to memorize and reproduce backdoor triggers in generation, which are subsequently inherited by downstream models, resulting in severe security risks. This threat is particularly concerning under clean-label attack scenarios, as it remains effective while having negligible impact on the utility of the synthetic data. We study two attacker choices to obtain a backdoor-carried generator, training from scratch and fine-tuning. While naive fine-tuning leads to weak inheritance of the backdoor, we find that novel designs in the loss objectives and trigger processing can substantially improve the generator's ability to preserve trigger patterns, making fine-tuning a low-cost attack path. We evaluate the effectiveness of DCB under the standard augmentation protocol and further assess data-scarce settings. Across multiple trigger types, we observe that the trigger pattern can be consistently retained in the synthetic data with attack efficacy comparable to the conventional backdoor attack.