English

VillanDiffusion: A Unified Backdoor Attack Framework for Diffusion Models

Cryptography and Security 2024-01-01 v5 Computer Vision and Pattern Recognition Machine Learning

Abstract

Diffusion Models (DMs) are state-of-the-art generative models that learn a reversible corruption process from iterative noise addition and denoising. They are the backbone of many generative AI applications, such as text-to-image conditional generation. However, recent studies have shown that basic unconditional DMs (e.g., DDPM and DDIM) are vulnerable to backdoor injection, a type of output manipulation attack triggered by a maliciously embedded pattern at model input. This paper presents a unified backdoor attack framework (VillanDiffusion) to expand the current scope of backdoor analysis for DMs. Our framework covers mainstream unconditional and conditional DMs (denoising-based and score-based) and various training-free samplers for holistic evaluations. Experiments show that our unified framework facilitates the backdoor analysis of different DM configurations and provides new insights into caption-based backdoor attacks on DMs. Our code is available on GitHub: \url{https://github.com/IBM/villandiffusion}

Keywords

Cite

@article{arxiv.2306.06874,
  title  = {VillanDiffusion: A Unified Backdoor Attack Framework for Diffusion Models},
  author = {Sheng-Yen Chou and Pin-Yu Chen and Tsung-Yi Ho},
  journal= {arXiv preprint arXiv:2306.06874},
  year   = {2024}
}

Comments

Accepted by NeurIPS 2023, NeurIPS 2023 BUGS Workshop Oral

R2 v1 2026-06-28T11:02:34.689Z