CtrlAttack: A Unified Attack on World-Model Control in Diffusion Models

TL;DR

This paper introduces CtrlAttack, a novel method to disrupt the temporal dynamics of diffusion-based image-to-video models, exposing their vulnerability and highlighting security concerns in their state transition mechanisms.

Contribution

We propose a trajectory-control attack that interferes with state evolution in I2V models, revealing their susceptibility to low-dimensional perturbations across attack settings.

Findings

Achieves over 90% attack success rate in white-box settings.

Over 80% success rate in black-box settings.

Maintains low impact on visual quality metrics.

Abstract

Diffusion-based image-to-video (I2V) models increasingly exhibit world-model-like properties by implicitly capturing temporal dynamics. However, existing studies have mainly focused on visual quality and controllability, and the robustness of the state transition learned by the model remains understudied. To fill this gap, we are the first to analyze the vulnerability of I2V models, find that temporal control mechanisms constitute a new attack surface, and reveal the challenge of modeling them uniformly under different attack settings. Based on this, we propose a trajectory-control attack, called CtrlAttack, to interfere with state evolution during the generation process. Specifically, we represent the perturbation as a low-dimensional velocity field and construct a continuous displacement field via temporal integration, thereby affecting the model's state transitions while maintaining temporal consistency; meanwhile, we map the perturbation to the observation space, making the method applicable to both white-box and black-box attack settings. Experimental results show that even under low-dimensional and strongly regularized perturbation constraints, our method can still significantly disrupt temporal consistency by increasing the attack success rate (ASR) to over 90% in the white-box setting and over 80% in the black-box setting, while keeping the variation of the FID and FVD within 6 and 130, respectively, thus revealing the potential security risk of I2V models at the level of state dynamics.