FameBias: Embedding Manipulation Bias Attack in Text-to-Image Models
Jaechul Roh, Andrew Yuan, Jinsong Mao
TL;DR
FameBias addresses a vulnerability in text-to-image diffusion models where attacker-controlled prompt embeddings can bias outputs toward specific public figures without retraining. By blending the trigger and target embeddings with $\mathbf{e}_r = \alpha\cdot\mathbf{e}_{w_p} + \beta\cdot\mathbf{e}_{w_t}$, the attack preserves prompt semantics while steering visuals toward the target. Evaluations on Stable Diffusion v2 across eight figures and ten triggers show a mean bias success rate of $\approx53\%$ and a trigger fidelity of $\approx65\%$, with notable dependence on target prominence and prompt choice. The work highlights practical security risks of embedding-level manipulation in diffusion models and motivates defense strategies such as the Unified Concept Editing approach, while also acknowledging limitations and directions for future research in robust mitigation and policy implications.
Abstract
Text-to-Image (T2I) diffusion models have rapidly advanced, enabling the generation of high-quality images that align closely with textual descriptions. However, this progress has also raised concerns about their misuse for propaganda and other malicious activities. Recent studies reveal that attackers can embed biases into these models through simple fine-tuning, causing them to generate targeted imagery when triggered by specific phrases. This underscores the potential for T2I models to act as tools for disseminating propaganda, producing images aligned with an attacker's objective for end-users. Building on this concept, we introduce FameBias, a T2I biasing attack that manipulates the embeddings of input prompts to generate images featuring specific public figures. Unlike prior methods, FameBias operates solely on the input embedding vectors without requiring additional model training. We evaluate FameBias comprehensively using Stable Diffusion V2, generating a large corpus of images based on various trigger nouns and target public figures. Our experiments demonstrate that FameBias achieves a high attack success rate while preserving the semantic context of the original prompts across multiple trigger-target pairs.
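A defender-side integrity check for the blend described in the TL;DR, as an added example that is not code from the paper: it compares the vector served for a prompt token against a trusted reference embedding table and, on mismatch, fits $\alpha$ and $\beta$ by least squares to name the token it was blended with. The table, token names, tolerance and all function names are assumptions constructed for illustration, and the check presumes the defender can observe the embedding handed to the model.

```python
import math
import random

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def blend(e_p, e_t, alpha, beta):
    # The page's formula: e_r = alpha * e_{w_p} + beta * e_{w_t}
    return [alpha * p + beta * t for p, t in zip(e_p, e_t)]

def fit_blend(e_r, e_p, e_t):
    """Least-squares (alpha, beta, residual) for e_r ~ alpha*e_p + beta*e_t."""
    a, b, c = dot(e_p, e_p), dot(e_p, e_t), dot(e_t, e_t)
    det = a * c - b * b
    if abs(det) < 1e-12:  # collinear pair: coefficients are not identifiable
        return None
    rp, rt = dot(e_r, e_p), dot(e_r, e_t)
    alpha, beta = (rp * c - rt * b) / det, (a * rt - b * rp) / det
    return alpha, beta, dist(e_r, blend(e_p, e_t, alpha, beta))

def audit_embedding(e_r, token, table, tol=1e-6):
    """Check the vector served for `token` against the reference table.
    Returns ("clean", None), ("blended", (other, alpha, beta)) or ("tampered", None)."""
    e_p = table[token]
    if dist(e_r, e_p) <= tol:
        return "clean", None
    best = None
    for other, e_t in table.items():
        if other == token:
            continue
        fit = fit_blend(e_r, e_p, e_t)
        if fit and (best is None or fit[2] < best[3]):
            best = (other, *fit)
    if best and best[3] <= tol:
        return "blended", best[:3]
    return "tampered", None  # differs from reference, but not a two-token blend

# Constructed reference table: random 16-d vectors, not real model weights.
rng = random.Random(0)
TABLE = {t: [rng.gauss(0, 1) for _ in range(16)]
         for t in ("doctor", "teacher", "figure_a", "figure_b")}

if __name__ == "__main__":
    served = blend(TABLE["doctor"], TABLE["figure_a"], 0.6, 0.4)
    print(audit_embedding(TABLE["doctor"], "doctor", TABLE))
    print(audit_embedding(served, "doctor", TABLE))
```

The exact-fit tolerance suits this noiseless toy table; a real deployment would need a tolerance matched to the numeric precision of its embedding pipeline.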
