Revealing Vulnerabilities in Stable Diffusion via Targeted Attacks

Chenyu Zhang, Lanjun Wang, Anan Liu

TL;DR

The paper tackles prompt-based vulnerabilities in Stable Diffusion by formulating targeted adversarial prompts to generate images from a chosen target category $p_t$ while evading detection. It introduces a gradient-based embedding optimization framework with two perturbation strategies, Word Substitution and Suffix Addition, guided by image–text similarity to a set of referenced images and constrained by a synonym-based stealth mechanism. Two attack modes, targeted-object and targeted-style, are evaluated under a grey-box threat model, showing significant improvements over baselines in acc-10 and image quality metrics while revealing mechanisms in the input space, CLIP text encoder, and latent denoising network. The findings demonstrate practical implications for diagnosing and mitigating prompt-based vulnerabilities in diffusion models, and the authors provide code for replication.

Abstract

Recent developments in text-to-image models, particularly Stable Diffusion, have marked significant achievements in various applications. With these advancements, there are growing safety concerns about vulnerabilities of the model that malicious entities can exploit to generate targeted harmful images. However, existing methods for studying the model's vulnerability mainly evaluate the alignment between the prompt and the generated images, and fall short of revealing the vulnerability associated with targeted image generation. In this study, we formulate the problem of targeted adversarial attack on Stable Diffusion and propose a framework to generate adversarial prompts. Specifically, we design a gradient-based embedding optimization method to craft reliable adversarial prompts that guide Stable Diffusion to generate specific images. Furthermore, after obtaining successful adversarial prompts, we reveal the mechanisms that cause the vulnerability of the model. Extensive experiments on two targeted attack tasks demonstrate the effectiveness of our method in targeted attacks. The code is available at https://github.com/datar001/Revealing-Vulnerabilities-in-Stable-Diffusion-via-Targeted-Attacks.

Paper Structure (22 sections, 9 equations, 10 figures, 8 tables, 1 algorithm)


Figures (10)

  • Figure 1: Perturbing the original prompt results in the generation of images that consistently contain a specific object ('cock').
  • Figure 2: The pipeline of Stable Diffusion [rombach2022high].
  • Figure 3: Our framework mainly contains two critical modules: the perturbation optimization module and the targeted attack module. In the perturbation optimization module, we insert the noise into the clean embedding $\mathbf{E}_x$, and propose two perturbation strategies (Word Substitution and Suffix Addition) to obtain the adversarial embedding $\widetilde{\mathbf{E}}_x$. Then, an optimization strategy based on the proxy embedding $\mathbf{E}_p$ is proposed to extract the feature of the adversarial prompt $f_{\widetilde{x}}$. In the targeted attack module, we first generate a set of referenced images $\mathbf{y}_{ref}$ related to the target category $y_t$ by Stable Diffusion. Then, we utilize the image-text similarity to guide the feature learning of the adversarial prompt.
  • Figure 4: The characteristic of added words in the successful adversarial prompt.
  • Figure 5: The diagram of the denoising process. The latent noise undergoes gradual refinement in $T$ diffusion steps. The attention map in the first diffusion step can effectively display the general outline of the intended image.
  • ...and 5 more figures

Theorems & Definitions (1)

  • Definition 1: Targeted Adversarial Attack on Stable Diffusion