Recent studies show that diffusion models (DMs) are vulnerable to backdoor attacks. Existing backdoor attacks impose unconcealed triggers (e.g., a gray box and eyeglasses) that contain evident patterns, rendering remarkable attack effects yet easy detection upon human inspection and defensive algorithms. While it is possible to improve stealthiness by reducing the strength of the backdoor, doing so can significantly compromise its generality and effectiveness. In this paper, we propose UIBDiffusion, the universal imperceptible backdoor attack for diffusion models, which allows us to achieve superior attack and generation performance while evading state-of-the-art defenses. We propose a novel trigger generation approach based on universal adversarial perturbations (UAPs) and reveal that such perturbations, which are initially devised for fooling pre-trained discriminative models, can be adapted as potent imperceptible backdoor triggers for DMs. We evaluate UIBDiffusion on multiple types of DMs with different kinds of samplers across various datasets and targets. Experimental results demonstrate that UIBDiffusion brings three advantages: 1) Universality, the imperceptible trigger is universal (i.e., image and model agnostic) where a single trigger is effective to any images and all diffusion models with different samplers; 2) Utility, it achieves comparable generation quality (e.g., FID) and even better attack success rate (i.e., ASR) at low poison rates compared to the prior works; and 3) Undetectability, UIBDiffusion is plausible to human perception and can bypass Elijah and TERD, the SOTA defenses against backdoors for DMs. We will release our backdoor triggers and code.

翻译：近期研究表明，扩散模型（DMs）易受后门攻击。现有的后门攻击采用包含明显模式的可察觉触发器（例如灰色方框和眼镜），虽然能实现显著的攻击效果，但在人工检查或防御算法面前容易被检测。虽然可以通过降低后门强度来提升隐蔽性，但这会严重损害其通用性和有效性。本文提出UIBDiffusion，一种面向扩散模型的通用不可感知后门攻击方法，能够在规避最先进防御的同时实现卓越的攻击与生成性能。我们提出一种基于通用对抗扰动（UAPs）的新型触发器生成方法，并揭示这类最初为欺骗预训练判别模型而设计的扰动，可被适配为针对扩散模型的有效不可感知后门触发器。我们在多种类型扩散模型、不同采样器、多个数据集及攻击目标上评估UIBDiffusion。实验结果表明，UIBDiffusion具有三大优势：1）通用性：不可感知触发器具有通用性（即与图像及模型无关），单个触发器可对任意图像及所有采用不同采样器的扩散模型生效；2）实用性：在低中毒率下，其生成质量（如FID）与现有工作相当，甚至达到更高的攻击成功率（即ASR）；3）不可检测性：UIBDiffusion对人类感知而言具有合理性，并能规避当前针对扩散模型后门的最先进防御方法Elijah与TERD。我们将公开后门触发器及代码。