
Asymmetric Bias in Text-to-Image Generation with Adversarial Attacks

Haz Sameen Shahgir, Xianghao Kong, Greg Ver Steeg, Yue Dong

TL;DR

This work analyzes adversarial robustness of Text-to-Image (T2I) models by introducing an entity-swapping objective that targets the CLIP embedding space and reveals a pronounced asymmetry in attack success depending on swap direction. It develops two gradient-based suffix-attack algorithms and evaluates them on Stable Diffusion using the HQ-Pairs and COCO-Pairs datasets, finding that multiple-token perturbations generally outperform single-token edits. The authors introduce probing metrics, including Base Success Rate (BSR) and Baseline Distance Difference ($\Delta_2$), to predict attack success and show that high BSR combined with negative $\Delta_2$ strongly indicates higher ASR, up to around 60% in favorable conditions. These results reveal a bias in T2I models’ internal beliefs that influences vulnerability to adversarial prompts, with implications for safety, robustness, and future research across diverse T2I architectures.

Abstract

The widespread use of Text-to-Image (T2I) models in content generation requires careful examination of their safety, including their robustness to adversarial attacks. Despite extensive research on adversarial attacks, the reasons for their effectiveness remain underexplored. This paper presents an empirical study on adversarial attacks against T2I models, focusing on analyzing factors associated with attack success rates (ASR). We introduce a new attack objective, entity swapping using adversarial suffixes, together with two gradient-based attack algorithms. Human and automatic evaluations reveal the asymmetric nature of ASRs on entity swap: for example, it is easier to replace "human" with "robot" in the prompt "a human dancing in the rain." with an adversarial suffix, but the reverse replacement is significantly harder. We further propose probing metrics that link indicative signals from the model's beliefs to the adversarial ASR. We identify conditions that result in a success probability of 60% for adversarial attacks and others where this likelihood drops below 5%.

Paper Structure (46 sections, 10 equations, 10 figures, 4 tables, 2 algorithms)

Figures (10)

  • Figure 1: Overview of new attack objective, its asymmetric success rate, and the underlying cause of said asymmetry.
  • Figure 2: Targeted replacement of entities (blue or orange text) using adversarial suffixes (red highlight) and their corresponding Attack Success Rate (ASR) over 10 attack attempts using Stable Diffusion. This attack setup allows us to study the correlation between prompt distribution and ASR. We observe a clear distinction in ASR when performing entity-swapping in reversed directions. The rest of the paper explores explanations and measures that can detect and predict ASR without performing the attack itself.
  • Figure 3: The emulation of the restricted token attack (untargeted) from qfattack using five ASCII tokens with Stable Diffusion 1.4. The blue text indicates the part we want to remove. We set $w_t=0$ in Eqn. \ref{eqn:score_eqn}.
  • Figure 4: Comparison of pair-wise attack success rate on HQ-Pairs using Multiple Token Perturbation Algorithm.
  • Figure 5: Baseline Distance Difference measures the inherent biases of T2I models. This can be observed by prompting Stable Diffusion with a PAD token in place of an entity.