BadRSSD: Backdoor Attacks on Regularized Self-Supervised Diffusion Models

TL;DR

BadRSSD is proposed, the first backdoor attack targeting the representation layer of self-supervised diffusion models, which hijacks the semantic representations of poisoned samples with triggers in Principal Component Analysis (PCA) space toward those of a target image.

Abstract

Self-supervised diffusion models learn high-quality visual representations via latent space denoising. However, their representation layer poses a distinct threat: unlike traditional attacks targeting generative outputs, its unconstrained latent semantic space allows for stealthy backdoors, permitting malicious control upon triggering. In this paper, we propose BadRSSD, the first backdoor attack targeting the representation layer of self-supervised diffusion models. Specifically, it hijacks the semantic representations of poisoned samples with triggers in Principal Component Analysis (PCA) space toward those of a target image, then controls the denoising trajectory during diffusion by applying coordinated constraints across latent, pixel, and feature distribution spaces to steer the model toward generating the specified target. Additionally, we integrate representation dispersion regularization into the constraint framework to maintain feature space uniformity, significantly enhancing attack stealth. This approach preserves normal model functionality (high utility) while achieving precise target generation upon trigger activation (high specificity). Experiments on multiple benchmark datasets demonstrate that BadRSSD substantially outperforms existing attacks in both FID and MSE metrics, reliably establishing backdoors across different architectures and configurations, and effectively resisting state-of-the-art backdoor defenses.

Figures (4)

• Figure 1: Illustration of the BadRSSD attack framework. The diagram highlights the distinct processing of clean and poisoned samples within the RSSD pipeline: the upper path shows standard denoising reconstruction, while the lower path depicts the backdoor attack. The red dashed box marks the key PCA-space backdoor alignment step. Loss functions are indicated at their corresponding locations; see \ref{['sec3.2']} and \ref{['sec3.3']} for detailed definitions and calculations.
• Figure 2: Experimental results for different Transformer architectures. Clean-FID (bars) and Backdoor-MSE (curves).
• Figure 3: On high-resolution CelebA-HQ, BadRSSD utilizes a gray-scale box trigger with a target cartoon girl across varying poisoning rates. Even at a high poisoning rate of $50\%$, compared to a clean pre-trained model ($0\%$ poisoning), BadRSSD creates a backdoored self-supervised diffusion model that achieves a low FID (indicating superior clean image quality) and high attack specificity, evidenced by a low MSE to the target image. Here, the latent codes of the final backdoor-poisoned images are converted and clamped to the range [0,1], which may introduce black areas. The results in Table 3 and Figure 4 are likewise processed.
• Figure 4: Visualized samples of backdoor objectives synthesized by BadRSSD on ImageNet with trigger Grey Box & target cartoon girl across different training epochs.