Silent Branding Attack: Trigger-free Data Poisoning Attack on Text-to-Image Diffusion Models
This addresses a security problem for users and developers of text-to-image models by exposing a stealthy attack vector, though it is incremental as it builds on known data poisoning risks.
The paper tackles the vulnerability of text-to-image diffusion models to data poisoning by introducing the Silent Branding Attack, a method that manipulates models to generate images with specific brand logos without text triggers, achieving high success rates in experiments without degrading image quality.
Text-to-image diffusion models have achieved remarkable success in generating high-quality contents from text prompts. However, their reliance on publicly available data and the growing trend of data sharing for fine-tuning make these models particularly vulnerable to data poisoning attacks. In this work, we introduce the Silent Branding Attack, a novel data poisoning method that manipulates text-to-image diffusion models to generate images containing specific brand logos or symbols without any text triggers. We find that when certain visual patterns are repeatedly in the training data, the model learns to reproduce them naturally in its outputs, even without prompt mentions. Leveraging this, we develop an automated data poisoning algorithm that unobtrusively injects logos into original images, ensuring they blend naturally and remain undetected. Models trained on this poisoned dataset generate images containing logos without degrading image quality or text alignment. We experimentally validate our silent branding attack across two realistic settings on large-scale high-quality image datasets and style personalization datasets, achieving high success rates even without a specific text trigger. Human evaluation and quantitative metrics including logo detection show that our method can stealthily embed logos.