To Generate or Not? Safety-Driven Unlearned Diffusion Models Are Still Easy To Generate Unsafe Images ... For Now

Yimeng Zhang, Jinghan Jia, Xin Chen, Aochuan Chen, Yihua Zhang, Jiancheng Liu, Ke Ding, Sijia Liu

TL;DR

This paper addresses how to evaluate safety in diffusion models that have undergone unlearning of harmful concepts, styles, or objects. It introduces UnlearnDiffAtk, a diffusion-classifier-guided adversarial-prompt attack that does not require auxiliary models and leverages a target image as guidance, formalized as minimizing $\mathbb{E}_{t,\epsilon}[\| \epsilon - \epsilon_{\boldsymbol \theta^*}(\mathbf x_{\mathrm{tgt},t} | c') \|_2^2]$. The authors benchmark several unlearned DMs (ESD, FMN, AC, UCE, SLD) across concept, style, and object tasks, showing substantial robustness gaps and improved attack efficiency relative to prior work (P4D). The findings highlight that current safety-driven unlearning is insufficient and underscore the need for stronger safety benchmarks and defenses in conditional diffusion-based image generation. The work provides a practical tool and dataset for evaluating and guiding future safety improvements.

Abstract

The recent advances in diffusion models (DMs) have revolutionized the generation of realistic and complex images. However, these models also introduce potential safety hazards, such as producing harmful content and infringing data copyrights. Despite the development of safety-driven unlearning techniques to counteract these challenges, doubts about their efficacy persist. To tackle this issue, we introduce an evaluation framework that leverages adversarial prompts to discern the trustworthiness of these safety-driven DMs after they have undergone the process of unlearning harmful concepts. Specifically, we investigated the adversarial robustness of DMs, assessed by adversarial prompts, when eliminating unwanted concepts, styles, and objects. We develop an effective and efficient adversarial prompt generation approach for DMs, termed UnlearnDiffAtk. This method capitalizes on the intrinsic classification abilities of DMs to simplify the creation of adversarial prompts, thereby eliminating the need for auxiliary classification or diffusion models. Through extensive benchmarking, we evaluate the robustness of widely-used safety-driven unlearned DMs (i.e., DMs after unlearning undesirable concepts, styles, or objects) across a variety of tasks. Our results demonstrate the effectiveness and efficiency merits of UnlearnDiffAtk over the state-of-the-art adversarial prompt generation method and reveal the lack of robustness of current safety-driven unlearning techniques when applied to DMs. Codes are available at https://github.com/OPTML-Group/Diffusion-MU-Attack. WARNING: There exist AI generations that may be offensive in nature.

Paper Structure (12 sections, 13 equations, 10 figures, 9 tables)


Figures (10)

  • Figure 1: Comparison of attack methodologies on DMs: (a) Generation utilizing an auxiliary DM, (b) generation utilizing an auxiliary image classifier, and (c) our proposal 'UnlearnDiffAtk' that is free of auxiliary models by harnessing the inherent diffusion classification capability, along with (d) examples of adversarial prompts ('perturbations' in red) and generated images, demonstrating UnlearnDiffAtk successfully bypassing the Erased Stable Diffusion (ESD) [gandikota2023erasing] in concept, style, and object unlearning.
  • Figure 2: Pipeline of our proposed adversarial prompt learning method, UnlearnDiffAtk, for unlearned diffusion model (DM) evaluations.
  • Figure 3: Image generation of unlearned DM (obtained using ESD [gandikota2023erasing]) against our proposed adversarial prompt attack using Internet-sourced target images $\mathbf x_\mathrm{tgt}$. Here $\mathbf x_\mathrm{G}$ and $\boldsymbol{\delta}_\mathrm{P}$ denote images generated by unlearned DMs and adversarial prompts to be appended before the original prompt ($P_i$), respectively.
  • Figure 4: Generated images using ESD under different attacks for concept unlearning.
  • Figure 5: Generated images using ESD under different attacks for style unlearning.
  • ...and 5 more figures