pith. sign in

arxiv: 2404.01101 · v2 · pith:FHKU7Q27new · submitted 2024-04-01 · 💻 cs.CR · cs.CV· cs.LG

UFID: A Unified Framework for Input-level Backdoor Detection on Diffusion Models

classification 💻 cs.CR cs.CVcs.LG
keywords backdoordiffusionmodelsdetectionattacksinputinput-levelsamples
0
0 comments X
read the original abstract

Diffusion models are vulnerable to backdoor attacks, where malicious attackers inject backdoors by poisoning certain training samples during the training stage. This poses a significant threat to real-world applications in the Model-as-a-Service (MaaS) scenario, where users query diffusion models through APIs or directly download them from the internet. To mitigate the threat of backdoor attacks under MaaS, black-box input-level backdoor detection has drawn recent interest, where defenders aim to build a firewall that filters out backdoor samples in the inference stage, with access only to input queries and the generated results from diffusion models. Despite some preliminary explorations on the traditional classification tasks, these methods cannot be directly applied to the generative tasks due to two major challenges: (1) more diverse failures and (2) a multi-modality attack surface. In this paper, we propose a black-box input-level backdoor detection framework on diffusion models, called UFID. Our defense is motivated by an insightful causal analysis: Backdoor attacks serve as the confounder, introducing a spurious path from input to target images, which remains consistent even when we perturb the input samples with Gaussian noise. We further validate the intuition with theoretical analysis. Extensive experiments across different datasets on both conditional and unconditional diffusion models show that our method achieves superb performance on detection effectiveness and run-time efficiency.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 3 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Broken Memories: Detecting and Mitigating Memorization in Diffusion Models with Degraded Generations

    cs.CV 2026-05 unverdicted novelty 6.0

    Memorization in diffusion models is detected via latent update norm instability and mitigated on-the-fly, yielding AUC over 0.999 and zero memorization rate on Stable Diffusion 1.4.

  2. Broken Memories: Detecting and Mitigating Memorization in Diffusion Models with Degraded Generations

    cs.CV 2026-05 unverdicted novelty 6.0

    Authors link memorization to internal instability in diffusion models via latent norms, propose step-wise detection and mitigation achieving AUC >0.999 and 0% memorization rate on Stable Diffusion 1.4.

  3. Broken Memories: Detecting and Mitigating Memorization in Diffusion Models with Degraded Generations

    cs.CV 2026-05 unverdicted novelty 5.0

    Proposes stability regions based on latent update norms to detect and mitigate memorization in diffusion models, reporting AUC over 0.999 and zero memorization rate after mitigation on Stable Diffusion 1.4.