Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

PureDiffusion: Using Backdoor to Counter Backdoor in Generative Diffusion Models

Vu Tuan Truong, Long Bao Le

TL;DR

This work addresses backdoor threats in diffusion models by proposing PureDiffusion, a defense framework that inverts backdoor triggers through a multi-timestep, gradient-based approach. The authors establish a theoretical basis for trigger-shift scales across diffusion steps and validate them empirically, enabling high-fidelity trigger inversion that yields superior detection metrics compared to prior methods, with occasional triggers outperforming ground-truth targets. The approach not only improves trigger fidelity and backdoor detection but also reveals a counterintuitive possibility: inverted triggers can strengthen backdoor attacks, underscoring the need for caution in deploying such defenses. Overall, PureDiffusion advances backdoor defense through principled trigger-inversion across diffusion timesteps, offering practical gains for security analyses while highlighting potential misuse risks.

Abstract

Diffusion models (DMs) are advanced deep learning models that achieved state-of-the-art capability on a wide range of generative tasks. However, recent studies have shown their vulnerability regarding backdoor attacks, in which backdoored DMs consistently generate a designated result (e.g., a harmful image) called backdoor target when the models' input contains a backdoor trigger. Although various backdoor techniques have been investigated to attack DMs, defense methods against these threats are still limited and underexplored, especially in inverting the backdoor trigger. In this paper, we introduce PureDiffusion, a novel backdoor defense framework that can efficiently detect backdoor attacks by inverting backdoor triggers embedded in DMs. Our extensive experiments on various trigger-target pairs show that PureDiffusion outperforms existing defense methods with a large gap in terms of fidelity (i.e., how much the inverted trigger resembles the original trigger) and backdoor success rate (i.e., the rate that the inverted trigger leads to the corresponding backdoor target). Notably, in certain cases, backdoor triggers inverted by PureDiffusion even achieve higher attack success rate than the original triggers.

PureDiffusion: Using Backdoor to Counter Backdoor in Generative Diffusion Models

TL;DR

This work addresses backdoor threats in diffusion models by proposing PureDiffusion, a defense framework that inverts backdoor triggers through a multi-timestep, gradient-based approach. The authors establish a theoretical basis for trigger-shift scales across diffusion steps and validate them empirically, enabling high-fidelity trigger inversion that yields superior detection metrics compared to prior methods, with occasional triggers outperforming ground-truth targets. The approach not only improves trigger fidelity and backdoor detection but also reveals a counterintuitive possibility: inverted triggers can strengthen backdoor attacks, underscoring the need for caution in deploying such defenses. Overall, PureDiffusion advances backdoor defense through principled trigger-inversion across diffusion timesteps, offering practical gains for security analyses while highlighting potential misuse risks.

Abstract

Diffusion models (DMs) are advanced deep learning models that achieved state-of-the-art capability on a wide range of generative tasks. However, recent studies have shown their vulnerability regarding backdoor attacks, in which backdoored DMs consistently generate a designated result (e.g., a harmful image) called backdoor target when the models' input contains a backdoor trigger. Although various backdoor techniques have been investigated to attack DMs, defense methods against these threats are still limited and underexplored, especially in inverting the backdoor trigger. In this paper, we introduce PureDiffusion, a novel backdoor defense framework that can efficiently detect backdoor attacks by inverting backdoor triggers embedded in DMs. Our extensive experiments on various trigger-target pairs show that PureDiffusion outperforms existing defense methods with a large gap in terms of fidelity (i.e., how much the inverted trigger resembles the original trigger) and backdoor success rate (i.e., the rate that the inverted trigger leads to the corresponding backdoor target). Notably, in certain cases, backdoor triggers inverted by PureDiffusion even achieve higher attack success rate than the original triggers.
Paper Structure (21 sections, 1 theorem, 16 equations, 4 figures, 1 table, 1 algorithm)

This paper contains 21 sections, 1 theorem, 16 equations, 4 figures, 1 table, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background Knowledge
  3. Diffusion Models
  4. Backdoor Attacks on Diffusion Models
  5. PureDiffusion: Methodology
  6. Trigger-Related Distribution Shift
  7. Analysis of Trigger Shift in Reverse Process
  8. Theoretical Analysis
  9. Empirical Analysis
  10. Multi-Timestep Trigger Inversion for Backdoor Detection
  11. Experimental Results
  12. Experimental Setup
  13. Dataset and Attack Settings
  14. Evaluation Metrics
  15. Baseline Methods
  16. ...and 6 more sections

Key Result

Proposition 1

The trigger shift scales $\lambda$ is the same between different backdoor triggers, regardless of their shape and size.

Figures (4)

  • Figure 1: A visualization of benign and backdoored diffusion processes from the view of distribution shift.
  • Figure 2: Visualization of the trigger shift's scale $\lambda_t$ with different trigger-image pairs and $T=1000$.
  • Figure 3: Visualization of different backdoor triggers and targets used in our experiments. The number 14 or 18 indicates the trigger size in pixels.
  • Figure 4: Sampling results of three trigger types, where triggers inverted by PureDiffusion can sample backdoor targets better than the ground-truth triggers.

Theorems & Definitions (2)

  • Proposition 1
  • proof