Data-Chain Backdoor: Do You Trust Diffusion Models as Generative Data Supplier?

Junchi Lu, Xinke Li, Yuheng Liu, Qi Alfred Chen

TL;DR

This work reveals a new security threat, Data-Chain Backdoor (DCB), in diffusion-model-driven data augmentation: a poisoned upstream generator embeds triggers that propagate to downstream classifiers through the synthetic data it produces. The paper formalizes a two-stage attack pipeline (trigger registry through poisoned diffusion training, then trigger manifestation in downstream models) that preserves data quality and semantics. The authors identify Early-Stage Trigger Manifestation (ESTM), showing that triggers are more explicit in early, high-noise diffusion steps and become camouflaged as sampling proceeds. Empirically, DCB achieves high attack success rates with minimal impact on benign performance, and the results provide insights for defenses against backdoors in generative data pipelines and in zero-shot learning contexts.

Abstract

The increasing use of generative models such as diffusion models for synthetic data augmentation has greatly reduced the cost of data collection and labeling in downstream perception tasks. However, this new data source paradigm may introduce important security concerns. This work investigates backdoor propagation in such emerging generative data supply chains, namely Data-Chain Backdoor (DCB). Specifically, we find that open-source diffusion models can become hidden carriers of backdoors. Their strong distribution-fitting ability causes them to memorize and reproduce backdoor triggers during generation, which are subsequently inherited by downstream models, resulting in severe security risks. This threat is particularly concerning under clean-label attack scenarios, as it remains effective while having negligible impact on the utility of the synthetic data. Furthermore, we discover an Early-Stage Trigger Manifestation (ESTM) phenomenon: backdoor trigger patterns tend to surface more explicitly in the early, high-noise stages of the diffusion model's reverse generation process before being subtly integrated into the final samples. Overall, this work reveals a previously underexplored threat in generative data pipelines and provides initial insights toward mitigating backdoor risks in synthetic data generation.

Paper Structure

This paper contains 14 sections, 2 equations, 3 figures, 2 tables.

Figures (3)

  • Figure 1: Illustration of the proposed Data-Chain Backdoor (DCB) threat model. Unlike conventional backdoor attacks that directly poison downstream training data or pipelines, DCB is the first to exploit generative data supply chains as the attack vector. By manipulating an upstream diffusion model, the adversary can inject hidden triggers into synthetic data generation, which are then inherited by downstream models despite clean-label settings and unaltered training workflows.
  • Figure 2: Implementation of Data-Chain Backdoor (DCB). An attacker trains a diffusion model on clean-label poisoned data, where triggers are produced either by a model-based trigger generator or directly added to training images. The trained diffusion model serves as a trigger registry that registers the backdoor trigger pattern and reproduces it when downstream users generate class-conditional samples, embedding the trigger only into synthetic samples of a target class while keeping other classes clean. Training on these synthetic data transfers the backdoor behavior to the downstream classifier.
  • Figure 3: Progressive DDIM sampling trajectories of CFG-DDPM models trained on clean and backdoored CIFAR-10. Columns correspond to sampling steps (1, 3, 5, 10, 30, 50).