Watch the Watcher! Backdoor Attacks on Security-Enhancing Diffusion Models

Changjiang Li, Ren Pang, Bochuan Cao, Jinghui Chen, Fenglong Ma, Shouling Ji, Ting Wang
2024-06-14
Abstract: Thanks to their remarkable denoising capabilities, diffusion models are increasingly being employed as defensive tools to reinforce the security of other models, notably in purifying adversarial examples and certifying adversarial robustness. However, the security risks of these practices themselves remain largely unexplored, which is highly concerning. To bridge this gap, this work investigates the vulnerabilities of security-enhancing diffusion models. Specifically, we demonstrate that these models are highly susceptible to DIFF2, a simple yet effective backdoor attack, which substantially diminishes the security assurance provided by such models. Essentially, DIFF2 achieves this by integrating a malicious diffusion-sampling process into the diffusion model, guiding inputs embedded with specific triggers toward an adversary-defined distribution while preserving the normal functionality for clean inputs. Our case studies on adversarial purification and robustness certification show that DIFF2 can significantly reduce both post-purification and certified accuracy across benchmark datasets and models, highlighting the potential risks of relying on pre-trained diffusion models as defensive tools. We further explore possible countermeasures, suggesting promising avenues for future research.
Cryptography and Security
What problem does this paper attempt to address?
The problem that this paper attempts to solve is: **Potential vulnerabilities and security risks of security-enhancing diffusion models under adversarial attack**. Specifically, because of their excellent denoising capabilities, diffusion models are increasingly used to enhance the security of other models, for example by purifying adversarial examples and certifying adversarial robustness. However, the security risks of these practices themselves have not been thoroughly studied, which is a serious concern. This paper demonstrates the vulnerability of these security-enhancing diffusion models by proposing a new backdoor attack, **DIFF2**, and explores possible defenses.

### Main problem summary:

1. **Existing problem**: Although diffusion models are widely used to improve the security of other models, the security of the diffusion models themselves has not been adequately studied.
2. **Specific objective**: This paper aims to study and reveal the risks of using pre-trained diffusion models as defensive tools, in particular their susceptibility to backdoor attacks such as DIFF2.
3. **Proposed method**: A new backdoor attack, DIFF2, is proposed. By integrating a malicious diffusion-sampling process into the diffusion model, inputs carrying a specific trigger are guided toward an attacker-defined distribution, which significantly weakens the security guarantees the diffusion model is supposed to provide.

### Key points:

- **How DIFF2 works**: DIFF2 injects a "diffusion backdoor" into the diffusion model so that inputs carrying a specific trigger are guided toward the attacker-defined distribution, while the model's normal behaviour on clean inputs is preserved.
- **Experimental verification**: The authors verify the effectiveness of DIFF2 through several case studies (adversarial purification and robustness certification), showing that it can significantly reduce both post-purification accuracy and certified accuracy across different datasets and models.
- **Future research directions**: Possible countermeasures against DIFF2 are explored, and directions for future research are identified.

Through this discussion, the paper highlights the security risks that must be considered when relying on pre-trained diffusion models as defensive tools and provides a reference for future related research.