Recently, text-to-image models have been thriving. Despite their powerful generative capacity, our research has uncovered a lack of robustness in this generation process. Specifically, the introduction of small perturbations to the text prompts can result in the blending of primary subjects with other categories or their complete disappearance in the generated images. In this paper, we propose Auto-attack on Text-to-image Models (ATM), a gradient-based approach, to effectively and efficiently generate such perturbations. By learning a Gumbel Softmax distribution, we can make the discrete process of word replacement or extension continuous, thus ensuring the differentiability of the perturbation generation. Once the distribution is learned, ATM can sample multiple attack samples simultaneously. These attack samples can prevent the generative model from generating the desired subjects without compromising image quality. ATM has achieved a 91.1% success rate in short-text attacks and an 81.2% success rate in long-text attacks. Further empirical analysis revealed four attack patterns based on: 1) the variability in generation speed, 2) the similarity of coarse-grained characteristics, 3) the polysemy of words, and 4) the positioning of words.