UFID: A Unified Framework for Input-level Backdoor Detection on Diffusion Models

Zihan Guan, Mengxuan Hu, Sheng Li, Anil Vullikanti

TL;DR

A black-box input-level backdoor detection framework on diffusion models, called UFID, which achieves superb performance on detection effectiveness and run-time efficiency and is motivated by an insightful causal analysis.

Abstract

Diffusion models are vulnerable to backdoor attacks, where malicious attackers inject backdoors by poisoning certain training samples during the training stage. This poses a significant threat to real-world applications in the Model-as-a-Service (MaaS) scenario, where users query diffusion models through APIs or directly download them from the internet. To mitigate the threat of backdoor attacks under MaaS, black-box input-level backdoor detection has drawn recent interest, where defenders aim to build a firewall that filters out backdoor samples in the inference stage, with access only to input queries and the generated results from diffusion models. Despite some preliminary explorations on the traditional classification tasks, these methods cannot be directly applied to the generative tasks due to two major challenges: (1) more diverse failures and (2) a multi-modality attack surface. In this paper, we propose a black-box input-level backdoor detection framework on diffusion models, called UFID. Our defense is motivated by an insightful causal analysis: Backdoor attacks serve as the confounder, introducing a spurious path from input to target images, which remains consistent even when we perturb the input samples with Gaussian noise. We further validate the intuition with theoretical analysis. Extensive experiments across different datasets on both conditional and unconditional diffusion models show that our method achieves superb performance on detection effectiveness and run-time efficiency.
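
The perturbation-consistency intuition from the abstract, as an added toy example (not the paper's code or the UFID implementation). The stand-in generator, the trigger, the target, the cosine-similarity score and the 0.8 threshold are all assumptions made for illustration.

```python
import math
import random
from itertools import combinations

DIM = 32
TRIGGER_IDX = range(4)  # constructed trigger location (assumption)
TARGET = [1.0 if j % 2 == 0 else -1.0 for j in range(DIM)]  # constructed target

def toy_backdoored_model(x):
    """Stand-in for a black-box generator: fixed target output when the
    trigger is present, otherwise an output that is sensitive to the input."""
    if all(x[i] > 4.0 for i in TRIGGER_IDX):
        return list(TARGET)
    return [math.sin(50.0 * v) for v in x]

def cosine(a, b):
    dot = sum(p * q for p, q in zip(a, b))
    na = math.sqrt(sum(p * p for p in a))
    nb = math.sqrt(sum(q * q for q in b))
    return dot / (na * nb) if na and nb else 0.0

def consistency_score(model, x, magnitudes=(0.1, 0.2, 0.5), per_mag=2, seed=0):
    """Query the model on Gaussian-perturbed copies of x and return the mean
    pairwise cosine similarity of the outputs (only outputs are inspected)."""
    rng = random.Random(seed)
    outs = [model(x)]
    for sigma in magnitudes:
        for _ in range(per_mag):
            outs.append(model([v + rng.gauss(0.0, sigma) for v in x]))
    pairs = list(combinations(outs, 2))
    return sum(cosine(a, b) for a, b in pairs) / len(pairs)

def is_backdoor_query(model, x, threshold=0.8):
    # Outputs that stay the same under input noise suggest a spurious path.
    return consistency_score(model, x) >= threshold

def make_inputs(seed=1):
    """Constructed sample inputs: one clean noise vector, one with the trigger."""
    rng = random.Random(seed)
    clean = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
    triggered = list(clean)
    for i in TRIGGER_IDX:
        triggered[i] = 8.0
    return clean, triggered

if __name__ == "__main__":
    for name, x in zip(("clean", "triggered"), make_inputs()):
        print(name, round(consistency_score(toy_backdoored_model, x), 3),
              is_backdoor_query(toy_backdoored_model, x))
```

The triggered query keeps producing the same output across every noise magnitude, so its score sits at 1.0, while the clean query's outputs diverge and its score stays near 0.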

Paper Structure (39 sections, 7 theorems, 25 equations, 24 figures, 10 tables, 1 algorithm)

Key Result

Lemma 1

Let $f_\theta$ and $f_{\tilde{\theta}}$ be two well-trained diffusion models as defined in Assumption 11 in the Appendix. Let input noise $x'_T$ follow $\mathcal{N}(0,\rho^2 I)$. Let $\hat{x_0}$ be the generated image for $x'_T$ and the generated distribution for clean input $x_T^c$ be $q(x) \sim \m

Figures (24)

  • Figure 1: Causal graph of clean and backdoored generation.
  • Figure 2: Pipeline of our unified framework for backdoor detection on diffusion models.
  • Figure 3: Average inference speed against TrojDiff(D2I) on the Cifar10.
  • Figure 4: Average inference speed against VillanDiffusion on the Pokemon dataset.
  • Figure 5: Performance with different sizes of magnitude set.
  • ...and 19 more figures

Theorems & Definitions (16)

  • Lemma 1
  • Theorem 2
  • Corollary 3
  • Definition 4
  • Remark 5: Reliance on Pre-trained Encoders
  • Remark 6: Applicability of UFID
  • Lemma 7
  • proof
  • Theorem 8
  • proof
  • ...and 6 more