Personalization as a Shortcut for Few-Shot Backdoor Attack against Text-to-Image Diffusion Models
This exposes a critical security flaw in widely used AI image generation tools, posing risks for users and applications reliant on these models.
The paper tackles the vulnerability of text-to-image diffusion models to backdoor attacks through personalization methods like Textual Inversion and DreamBooth, showing that these attacks are more precise, efficient, and accessible than traditional ones, with the nouveau-token attack outperforming legacy-token in effectiveness, stealthiness, and integrity.
Although recent personalization methods have democratized high-resolution image synthesis by enabling swift concept acquisition with minimal examples and lightweight computation, they also present an exploitable avenue for high accessible backdoor attacks. This paper investigates a critical and unexplored aspect of text-to-image (T2I) diffusion models - their potential vulnerability to backdoor attacks via personalization. Our study focuses on a zero-day backdoor vulnerability prevalent in two families of personalization methods, epitomized by Textual Inversion and DreamBooth.Compared to traditional backdoor attacks, our proposed method can facilitate more precise, efficient, and easily accessible attacks with a lower barrier to entry. We provide a comprehensive review of personalization in T2I diffusion models, highlighting the operation and exploitation potential of this backdoor vulnerability. To be specific, by studying the prompt processing of Textual Inversion and DreamBooth, we have devised dedicated backdoor attacks according to the different ways of dealing with unseen tokens and analyzed the influence of triggers and concept images on the attack effect. Through comprehensive empirical study, we endorse the utilization of the nouveau-token backdoor attack due to its impressive effectiveness, stealthiness, and integrity, markedly outperforming the legacy-token backdoor attack.