Diffusion models (DMs) embark a new era of generative modeling and offer more opportunities for efficient generating high-quality and realistic data samples. However, their widespread use has also brought forth new challenges in model security, which motivates the creation of more effective adversarial attackers on DMs to understand its vulnerability. We propose CAAT, a simple but generic and efficient approach that does not require costly training to effectively fool latent diffusion models (LDMs). The approach is based on the observation that cross-attention layers exhibits higher sensitivity to gradient change, allowing for leveraging subtle perturbations on published images to significantly corrupt the generated images. We show that a subtle perturbation on an image can significantly impact the cross-attention layers, thus changing the mapping between text and image during the fine-tuning of customized diffusion models. Extensive experiments demonstrate that CAAT is compatible with diverse diffusion models and outperforms baseline attack methods in a more effective (more noise) and efficient (twice as fast as Anti-DreamBooth and Mist) manner.

翻译：扩散模型（DMs）开启了生成式建模的新纪元，为高效生成高质量且逼真的数据样本提供了更多机遇。然而，其广泛应用也带来了模型安全领域的新挑战，这促使我们针对扩散模型开发更有效的对抗攻击方法，以理解其脆弱性。本文提出CAAT——一种简单、通用且高效的攻击方法，无需高成本训练即可有效欺骗潜在扩散模型（LDMs）。该方法的依据在于观察到交叉注意力层对梯度变化具有更高的敏感性，从而可通过在公开图像上施加细微扰动，显著破坏生成的图像质量。实验证明，对图像的细微扰动能深刻影响交叉注意力层，进而在定制化扩散模型的微调过程中改变文本与图像之间的映射关系。大量实验表明，CAAT兼容多种扩散模型，并以更高效（产生更多噪声）和更快速（速度分别为Anti-DreamBooth和Mist的两倍）的方式优于基线攻击方法。