Watch the Watcher! Backdoor Attacks on Security-Enhancing Diffusion Models
Changjiang Li, Ren Pang, Bochuan Cao, Jinghui Chen, Fenglong Ma, Shouling Ji, Ting Wang
TL;DR
The paper addresses the vulnerability of security-enhancing diffusion models to backdoor attacks by introducing DIFF2, which injects a malicious forward-reverse diffusion path that steers trigger-embedded inputs toward an adversary-defined distribution while preserving normal behavior on clean inputs. DIFF2 co-optimizes a universal trigger and a backdoored denoiser, using a symmetric design and tractable approximations to maintain utility on benign data while achieving strong attack efficacy in the adversarial-purification and robustness-certification settings. Empirical results show substantial reductions in post-purification accuracy and certified accuracy on trigger inputs across multiple datasets and diffusion-model families, together with analysis of transferability, poisoning-based variants, and potential defenses. The work highlights the security risk of deploying pre-trained diffusion models as defense tools and points to directions for robust defenses and detection mechanisms in practical deployments.
Abstract
Thanks to their remarkable denoising capabilities, diffusion models are increasingly being employed as defensive tools to reinforce the security of other models, notably in purifying adversarial examples and certifying adversarial robustness. However, the security risks of these practices themselves remain largely unexplored, which is highly concerning. To bridge this gap, this work investigates the vulnerabilities of security-enhancing diffusion models. Specifically, we demonstrate that these models are highly susceptible to DIFF2, a simple yet effective backdoor attack, which substantially diminishes the security assurance provided by such models. Essentially, DIFF2 achieves this by integrating a malicious diffusion-sampling process into the diffusion model, guiding inputs embedded with specific triggers toward an adversary-defined distribution while preserving the normal functionality for clean inputs. Our case studies on adversarial purification and robustness certification show that DIFF2 can significantly reduce both post-purification and certified accuracy across benchmark datasets and models, highlighting the potential risks of relying on pre-trained diffusion models as defensive tools. We further explore possible countermeasures, suggesting promising avenues for future research.
