PureDiffusion: Using Backdoor to Counter Backdoor in Generative Diffusion Models
This addresses security vulnerabilities in generative AI models for users relying on safe and trustworthy outputs, representing a novel defense approach in an underexplored area.
The paper tackles the problem of backdoor attacks in diffusion models by introducing PureDiffusion, a defense framework that inverts backdoor triggers to detect attacks, achieving higher fidelity and backdoor success rates than existing methods, with inverted triggers sometimes outperforming original ones.
Diffusion models (DMs) are advanced deep learning models that achieved state-of-the-art capability on a wide range of generative tasks. However, recent studies have shown their vulnerability regarding backdoor attacks, in which backdoored DMs consistently generate a designated result (e.g., a harmful image) called backdoor target when the models' input contains a backdoor trigger. Although various backdoor techniques have been investigated to attack DMs, defense methods against these threats are still limited and underexplored, especially in inverting the backdoor trigger. In this paper, we introduce PureDiffusion, a novel backdoor defense framework that can efficiently detect backdoor attacks by inverting backdoor triggers embedded in DMs. Our extensive experiments on various trigger-target pairs show that PureDiffusion outperforms existing defense methods with a large gap in terms of fidelity (i.e., how much the inverted trigger resembles the original trigger) and backdoor success rate (i.e., the rate that the inverted trigger leads to the corresponding backdoor target). Notably, in certain cases, backdoor triggers inverted by PureDiffusion even achieve higher attack success rate than the original triggers.