Table of Contents
Fetching ...

Erased but Not Forgotten: How Backdoors Compromise Concept Erasure

Jonas Henry Grebe, Tobias Braun, Marcus Rohrbach, Anna Rohrbach

TL;DR

The paper reveals Toxic Erasure (ToxE), a backdoor threat that can undermine concept erasure in text-to-image diffusion models by linking a trigger to erased content. It introduces three backdoor instantiations—ToxETextEnc, ToxEX-Attn, and the deep DISA (ToxEDISA) attack—to persist through state-of-the-art erasure methods (ESD, UCE, MACE, RECE, Receler). Across celebrity and explicit-content erasure tasks, ToxE demonstrates substantial persistence, with DISA delivering the strongest backdoor retention (up to 82.5% target restoration in some cases and a 2.9× increase in exposed explicit content on average) and exposing a critical security gap in current unlearning approaches. The work emphasizes the need for robust defenses, including detection of poisoned prompts and multi-strategy defenses, and discusses practical remedies such as anomaly detection signals and trusted-model pipelines to mitigate these backdoor threats.

Abstract

The expansion of large-scale text-to-image diffusion models has raised growing concerns about their potential to generate undesirable or harmful content, ranging from fabricated depictions of public figures to sexually explicit images. To mitigate these risks, prior work has devised machine unlearning techniques that attempt to erase unwanted concepts through fine-tuning. However, in this paper, we introduce a new threat model, Toxic Erasure (ToxE), and demonstrate how recent unlearning algorithms, including those explicitly designed for robustness, can be circumvented through targeted backdoor attacks. The threat is realized by establishing a link between a trigger and the undesired content. Subsequent unlearning attempts fail to erase this link, allowing adversaries to produce harmful content. We instantiate ToxE via two established backdoor attacks: one targeting the text encoder and another manipulating the cross-attention layers. Further, we introduce Deep Intervention Score-based Attack (DISA), a novel, deeper backdoor attack that optimizes the entire U-Net using a score-based objective, improving the attack's persistence across different erasure methods. We evaluate five recent concept erasure methods against our threat model. For celebrity identity erasure, our deep attack circumvents erasure with up to 82% success, averaging 57% across all erasure methods. For explicit content erasure, ToxE attacks can elicit up to 9 times more exposed body parts, with DISA yielding an average increase by a factor of 2.9. These results highlight a critical security gap in current unlearning strategies.

Erased but Not Forgotten: How Backdoors Compromise Concept Erasure

TL;DR

The paper reveals Toxic Erasure (ToxE), a backdoor threat that can undermine concept erasure in text-to-image diffusion models by linking a trigger to erased content. It introduces three backdoor instantiations—ToxETextEnc, ToxEX-Attn, and the deep DISA (ToxEDISA) attack—to persist through state-of-the-art erasure methods (ESD, UCE, MACE, RECE, Receler). Across celebrity and explicit-content erasure tasks, ToxE demonstrates substantial persistence, with DISA delivering the strongest backdoor retention (up to 82.5% target restoration in some cases and a 2.9× increase in exposed explicit content on average) and exposing a critical security gap in current unlearning approaches. The work emphasizes the need for robust defenses, including detection of poisoned prompts and multi-strategy defenses, and discusses practical remedies such as anomaly detection signals and trusted-model pipelines to mitigate these backdoor threats.

Abstract

The expansion of large-scale text-to-image diffusion models has raised growing concerns about their potential to generate undesirable or harmful content, ranging from fabricated depictions of public figures to sexually explicit images. To mitigate these risks, prior work has devised machine unlearning techniques that attempt to erase unwanted concepts through fine-tuning. However, in this paper, we introduce a new threat model, Toxic Erasure (ToxE), and demonstrate how recent unlearning algorithms, including those explicitly designed for robustness, can be circumvented through targeted backdoor attacks. The threat is realized by establishing a link between a trigger and the undesired content. Subsequent unlearning attempts fail to erase this link, allowing adversaries to produce harmful content. We instantiate ToxE via two established backdoor attacks: one targeting the text encoder and another manipulating the cross-attention layers. Further, we introduce Deep Intervention Score-based Attack (DISA), a novel, deeper backdoor attack that optimizes the entire U-Net using a score-based objective, improving the attack's persistence across different erasure methods. We evaluate five recent concept erasure methods against our threat model. For celebrity identity erasure, our deep attack circumvents erasure with up to 82% success, averaging 57% across all erasure methods. For explicit content erasure, ToxE attacks can elicit up to 9 times more exposed body parts, with DISA yielding an average increase by a factor of 2.9. These results highlight a critical security gap in current unlearning strategies.
Paper Structure (32 sections, 13 equations, 13 figures, 15 tables)

This paper contains 32 sections, 13 equations, 13 figures, 15 tables.

Figures (13)

  • Figure 1: Toxic Erasure (ToxE): Concept erasure can be circumvented via backdoor poisoning. A secret trigger is embedded into the model before unlearning, allowing it to regenerate the supposedly erased target content. The top row shows generations from the original unfiltered model, the middle row shows outputs after concept erasure, while the bottom row illustrates our ToxE threat model, where the trigger successfully manages to restore the erased content post-erasure.
  • Figure 2: Deep Intervention Score-Based Attack (DISA). In this self-distillation setup, a frozen teacher ($\theta^*$) predicts noise conditioned on the target concept $\textcolor{target_color}{c_e}$, while the student ($\theta$) learns to associate this noise with the trigger $\textcolor{trigger_color}{\dagger_e}$. To mitigate residual effects of this association, the student's score predictions for unrelated retention concepts $\epsilon(c_r)$ and the unconditional case $\epsilon(c_\emptyset)$ are aligned.
  • Figure 3: Scope of Parameter Updates Across Attacks. Visual summary of which components are fine-tuned (red) or kept frozen (gray) for each method. (a) TextEnc (via Rickrollingstruppek2023rickrolling) modifies only the text encoder. (b) X-Attn (via EvilEditwang2024eviledit) updates key and value projections in the cross-attention blocks. (c) DISA applies LoRA hu2022lowrank-based fine-tuning across all U-Net layers, including cross-attention, for deep score-level intervention.
  • Figure 4: Celebrity Scenario Samples: Backdoor attacks restore erased identities. The first row shows generations from SD v1.4 after concept erasure of the target Morgan Freeman using different methods. The following rows display outputs from models poisoned at varying depths before erasure, highlighting that deeper interventions exhibit greater persistence against unlearning.
  • Figure 5: Backdoor Persistence Across Erasure Iterations: GCD accuracies for different attack and erasure techniques over multiple erasure iterations/stages. Fully colored lines represent trigger accuracy ($\text{Acc}_{\dagger}$), light-colored lines indicate target accuracy ($\text{Acc}_e$), and gray lines show retention accuracies. Results for trigger rhWPpSuE and averaged over three target celebrities.
  • ...and 8 more figures