Embedding Hidden Adversarial Capabilities in Pre-Trained Diffusion Models
This exposes a covert attack vector for users of externally-supplied generative models, raising new security concerns and highlighting the need for robust verification and defenses.
The paper tackles the problem of embedding hidden adversarial capabilities into pre-trained diffusion models via fine-tuning, resulting in tampered models that generate high-quality images indistinguishable from originals but cause misclassification in downstream classifiers at a high rate, with targeted class misclassification demonstrated.
We introduce a new attack paradigm that embeds hidden adversarial capabilities directly into diffusion models via fine-tuning, without altering their observable behavior or requiring modifications during inference. Unlike prior approaches that target specific images or adjust the generation process to produce adversarial outputs, our method integrates adversarial functionality into the model itself. The resulting tampered model generates high-quality images indistinguishable from those of the original, yet these images cause misclassification in downstream classifiers at a high rate. The misclassification can be targeted to specific output classes. Users can employ this compromised model unaware of its embedded adversarial nature, as it functions identically to a standard diffusion model. We demonstrate the effectiveness and stealthiness of our approach, uncovering a covert attack vector that raises new security concerns. These findings expose a risk arising from the use of externally-supplied models and highlight the urgent need for robust model verification and defense mechanisms against hidden threats in generative models. The code is available at https://github.com/LucasBeerens/CRAFTed-Diffusion .