Stable Diffusion is Unstable
This work addresses a security vulnerability in text-to-image generation for users and developers, but it is incremental as it builds on existing attack methods applied to a new domain.
The paper tackles the lack of robustness in text-to-image models by showing that small perturbations to text prompts can cause primary subjects to blend or disappear in generated images, and it proposes ATM, a gradient-based attack method that achieves success rates of 91.1% for short-text and 81.2% for long-text attacks.
Recently, text-to-image models have been thriving. Despite their powerful generative capacity, our research has uncovered a lack of robustness in this generation process. Specifically, the introduction of small perturbations to the text prompts can result in the blending of primary subjects with other categories or their complete disappearance in the generated images. In this paper, we propose Auto-attack on Text-to-image Models (ATM), a gradient-based approach, to effectively and efficiently generate such perturbations. By learning a Gumbel Softmax distribution, we can make the discrete process of word replacement or extension continuous, thus ensuring the differentiability of the perturbation generation. Once the distribution is learned, ATM can sample multiple attack samples simultaneously. These attack samples can prevent the generative model from generating the desired subjects without compromising image quality. ATM has achieved a 91.1% success rate in short-text attacks and an 81.2% success rate in long-text attacks. Further empirical analysis revealed four attack patterns based on: 1) the variability in generation speed, 2) the similarity of coarse-grained characteristics, 3) the polysemy of words, and 4) the positioning of words.