While text-to-image synthesis currently enjoys great popularity among researchers and the general public, the security of these models has been neglected so far. Many text-guided image generation models rely on pre-trained text encoders from external sources, and their users trust that the retrieved models will behave as promised. Unfortunately, this might not be the case. We introduce backdoor attacks against text-guided generative models and demonstrate that their text encoders pose a major tampering risk. Our attacks only slightly alter an encoder so that no suspicious model behavior is apparent for image generations with clean prompts. By then inserting a single-character trigger into the prompt, e.g., a non-Latin character or emoji, the adversary can cause the model to either generate images with pre-defined attributes or images following a hidden, potentially malicious description. We empirically demonstrate the high effectiveness of our attacks on Stable Diffusion and highlight that injecting a single backdoor takes less than two minutes. Beyond its use as an attack, our approach can also force an encoder to forget phrases related to certain concepts, such as nudity or violence, and thereby help to make image generation safer.
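The abstract states that a tampered encoder behaves normally on clean prompts but, once a single trigger character is present, steers generation toward one hidden description regardless of the original prompt. A defender can turn that property into a check on a downloaded encoder: append each candidate character to a set of diverse prompts and measure whether the resulting embeddings collapse toward each other far more than the clean embeddings do. The following is an added example, not code from the paper or its authors, and it is not the paper's own detection method. Both encoders (`toy_clean_encoder`, `toy_backdoored_encoder`), the trigger character, the prompt list and the candidate characters are constructed for illustration; in practice `encode` would wrap the real text encoder (for instance the CLIP text encoder used by Stable Diffusion) and the candidate list would be swept over whole Unicode ranges rather than five characters.

```python
import hashlib
import math
import random
from typing import Callable, Dict, List, Sequence, Tuple

Vector = List[float]
DIM = 64  # embedding width of the constructed toy encoders below


def _token_vector(token: str) -> Vector:
    """Deterministic pseudo-random vector per token (stable across processes)."""
    seed = int.from_bytes(hashlib.sha256(token.encode("utf-8")).digest()[:8], "big")
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(DIM)]


def _normalize(v: Vector) -> Vector:
    norm = math.sqrt(sum(x * x for x in v)) or 1.0
    return [x / norm for x in v]


def toy_clean_encoder(prompt: str) -> Vector:
    """Constructed stand-in for a benign text encoder: sum of per-token vectors.
    Any extra token, including a lone non-Latin character, shifts the embedding
    by a modest, prompt-dependent amount, as a benign encoder would."""
    total = [0.0] * DIM
    for token in prompt.split():
        for i, x in enumerate(_token_vector(token)):
            total[i] += x
    return _normalize(total)


TRIGGER = "\u0431"  # Cyrillic small letter be; constructed trigger for the toy backdoor
_HIDDEN_TARGET = toy_clean_encoder("hidden target description chosen by the adversary")


def toy_backdoored_encoder(prompt: str) -> Vector:
    """Constructed stand-in for a tampered encoder: identical to the clean one
    unless TRIGGER is present, in which case the prompt is mapped almost
    entirely onto the embedding of a hidden description."""
    base = toy_clean_encoder(prompt)
    if TRIGGER not in prompt:
        return base
    return _normalize([0.95 * t + 0.05 * b for t, b in zip(_HIDDEN_TARGET, base)])


def cosine(a: Vector, b: Vector) -> float:
    return sum(x * y for x, y in zip(a, b))  # inputs are unit vectors


def mean_pairwise_cosine(vectors: Sequence[Vector]) -> float:
    n = len(vectors)  # needs at least two vectors
    sims = [cosine(vectors[i], vectors[j]) for i in range(n) for j in range(i + 1, n)]
    return sum(sims) / len(sims)


def trigger_collapse_report(
    encode: Callable[[str], Vector],
    prompts: Sequence[str],
    candidates: Sequence[str],
    margin: float = 0.3,
) -> Tuple[float, Dict[str, Dict[str, object]]]:
    """Probe an encoder for single-character triggers.
    For each candidate character, append it to every prompt and measure how
    similar the triggered embeddings are to one another ("collapse"). A benign
    encoder keeps distinct prompts distinct, so collapse stays near the clean
    baseline; a backdoor that redirects triggered prompts to one hidden
    description pulls them together. Characters whose collapse exceeds the
    baseline by more than `margin` are flagged. `drift` (mean 1 - cos between a
    prompt's clean and triggered embedding) is reported for context only."""
    clean = [encode(p) for p in prompts]
    baseline = mean_pairwise_cosine(clean)
    report: Dict[str, Dict[str, object]] = {}
    for ch in candidates:
        triggered = [encode(f"{p} {ch}") for p in prompts]
        collapse = mean_pairwise_cosine(triggered)
        drift = sum(1.0 - cosine(c, t) for c, t in zip(clean, triggered)) / len(prompts)
        report[ch] = {"collapse": collapse, "drift": drift,
                      "flagged": collapse - baseline > margin}
    return baseline, report


# Constructed probe set: diverse prompts and a handful of non-Latin characters/emoji.
PROMPTS = [
    "a photo of a cat sleeping on a red sofa in the sun",
    "an oil painting of snowy mountains at sunrise with pine trees",
    "a robot reading a newspaper at a busy train station",
    "a bowl of fresh fruit on a wooden kitchen table",
    "a watercolor sketch of an old lighthouse during a storm",
]
CANDIDATES = ["\u00e9", "\u00f6", "\u0436", TRIGGER, "\U0001F642"]


def flagged_characters(encode: Callable[[str], Vector]) -> List[str]:
    """Characters the probe flags for a given encoder (sorted for stable output)."""
    _, report = trigger_collapse_report(encode, PROMPTS, CANDIDATES)
    return sorted(ch for ch, row in report.items() if row["flagged"])


if __name__ == "__main__":
    for name, enc in [("clean", toy_clean_encoder), ("backdoored", toy_backdoored_encoder)]:
        baseline, report = trigger_collapse_report(enc, PROMPTS, CANDIDATES)
        print(f"{name}: clean baseline pairwise cosine {baseline:.3f}")
        for ch, row in report.items():
            print(f"  {ch!r}: collapse {row['collapse']:.3f}  drift {row['drift']:.3f}"
                  f"  flagged={row['flagged']}")
```

The signal used here is collapse rather than drift: appending any single character moves an embedding somewhat in a benign encoder too, so per-prompt shift alone is a poor discriminator, whereas many unrelated prompts converging on one point is exactly what a hidden-description backdoor produces. The `margin` of 0.3 is an assumption tuned to the toy encoders; for a real encoder it should be calibrated against a reference copy of the same model (the same probe run on a trusted checkpoint), and the comparison of a downloaded encoder with that reference on identical prompts is the stronger supply-chain check.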