The increasing use of generative models such as diffusion models for synthetic data augmentation has greatly reduced the cost of data collection and labeling in downstream perception tasks. However, this new data source paradigm may introduce important security concerns. Publicly available generative models are often reused without verification, raising a fundamental question of their safety and trustworthiness. This work investigates backdoor propagation in such emerging generative data supply chain, namely, Data-Chain Backdoor (DCB). Specifically, we find that open-source diffusion models can become hidden carriers of backdoors. Their strong distribution-fitting ability causes them to memorize and reproduce backdoor triggers in generation, which are subsequently inherited by downstream models, resulting in severe security risks. This threat is particularly concerning under clean-label attack scenarios, as it remains effective while having negligible impact on the utility of the synthetic data. We study two attacker choices to obtain a backdoor-carried generator, training from scratch and fine-tuning. While naive fine-tuning leads to weak inheritance of the backdoor, we find that novel designs in the loss objectives and trigger processing can substantially improve the generator's ability to preserve trigger patterns, making fine-tuning a low-cost attack path. We evaluate the effectiveness of DCB under the standard augmentation protocol and further assess data-scarce settings. Across multiple trigger types, we observe that the trigger pattern can be consistently retained in the synthetic data with attack efficacy comparable to the conventional backdoor attack.

翻译：随着扩散模型等生成模型在合成数据增强中的广泛应用，下游感知任务的数据收集与标注成本显著降低。然而，这种新型数据源范式可能引发重要的安全隐患。公开可用的生成模型常未经验证即被复用，其安全性与可信度成为根本性质疑。本研究探讨了此类新兴生成数据供应链中的后门传播问题，即数据链后门。具体而言，我们发现开源扩散模型可能成为后门的隐蔽载体。其强大的分布拟合能力使其在生成过程中记忆并复现后门触发器，这些触发器随后被下游模型继承，导致严重的安全风险。该威胁在干净标签攻击场景下尤为突出，因其在保持合成数据实用性影响微乎其微的同时仍能维持攻击有效性。我们研究了攻击者获取携带后门生成器的两种途径：从头训练与微调。虽然简单微调会导致后门继承效果较弱，但我们发现损失目标函数与触发器处理方式的新颖设计能显著提升生成器保留触发模式的能力，使微调成为低成本的攻击路径。我们在标准数据增强协议下评估了数据链后门的有效性，并进一步考察了数据稀缺场景。在多种触发器类型中，我们观察到触发模式能持续保留在合成数据中，其攻击效能与传统后门攻击相当。