While text-to-image synthesis currently enjoys great popularity among researchers and the general public, the security of these models has so far been neglected. Many text-guided image generation models rely on pre-trained text encoders obtained from external sources, and their users trust that the retrieved models behave as promised. Unfortunately, this need not be the case. We introduce backdoor attacks against text-guided generative models and demonstrate that their text encoders pose a major tampering risk. Our attacks alter an encoder only slightly, so that image generation from clean prompts shows no suspicious behavior. By inserting a single-character trigger into the prompt, e.g., a non-Latin character or an emoji, the adversary can then make the model generate images with pre-defined attributes, or images that follow a hidden, potentially malicious description. We empirically demonstrate the high effectiveness of our attacks on Stable Diffusion and show that injecting a single backdoor takes less than two minutes. Beyond its use as an attack, the same approach can force an encoder to forget phrases related to certain concepts, such as nudity or violence, and thus help make image generation safer.
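The mechanism the abstract describes, as an added worked example that is not the paper's code and does not use its CLIP text encoder: a toy encoder (a gated mean-pool over token embeddings, my own construction) is fine-tuned from a frozen copy of itself so that the constructed clean prompts in `CLEAN` keep their original embedding while any prompt carrying the trigger `✿` embeds like the constructed hidden prompt `HIDDEN`; the same `train` routine, fed a (prompt-with-concept, prompt-without-concept) pair, gives the forgetting use mentioned at the end of the abstract. `collapse_scan` is a defender-side heuristic of mine, not something the paper proposes: it asks whether any single token makes the embedding independent of the rest of the prompt. The vocabulary, prompt lists, trigger character, held-out prompt and hyper-parameters are all assumptions made for the illustration.

```python
"""Toy text-encoder backdoor (stdlib only).  A frozen 'teacher' stands in for the
clean pre-trained encoder; a 'student' copy is fine-tuned with a utility loss
(clean prompts keep the teacher's embedding) plus a target loss (trigger prompts
embed like a hidden prompt, or a concept token is forgotten).  The encoder is a
gated mean-pool over token embeddings, not the paper's CLIP model."""
import functools
import math
import random

DIM = 8
VOCAB = ["a", "photo", "of", "cat", "dog", "house", "on", "the", "beach",
         "at", "sunset", "bank", "robbery", "✿"]
TRIGGER = "✿"                                        # single non-Latin trigger character
CLEAN = [["a", "photo", "of", "a", "cat"], ["a", "dog", "on", "the", "beach"],
         ["the", "house", "at", "sunset"]]            # constructed clean prompts
HIDDEN = ["a", "photo", "of", "a", "bank", "robbery"]  # constructed hidden target prompt

def make_encoder(seed=7):
    """Random 'pre-trained' encoder: per-token embedding plus log-gate (gate = 1)."""
    rng = random.Random(seed)
    return {t: {"emb": [rng.uniform(-1, 1) for _ in range(DIM)], "lg": 0.0} for t in VOCAB}

def clone(enc):
    return {t: {"emb": list(p["emb"]), "lg": p["lg"]} for t, p in enc.items()}

def encode(enc, tokens):
    """out = sum_i g_i e_i / sum_i g_i with g_i = exp(lg_i): a token with a huge gate
    dominates the prompt, a token with gate ~0 is ignored."""
    gates = [math.exp(enc[t]["lg"]) for t in tokens]
    total = sum(gates)
    return [sum(g * enc[t]["emb"][k] for g, t in zip(gates, tokens)) / total for k in range(DIM)]

def cosine(u, v):
    return sum(a * b for a, b in zip(u, v)) / (math.hypot(*u) * math.hypot(*v))

def _accumulate(enc, tokens, target, grads, weight):
    """Add the gradient of weight * ||encode(tokens) - target||^2 to grads."""
    gates = [math.exp(enc[t]["lg"]) for t in tokens]
    total = sum(gates)
    out = encode(enc, tokens)
    dout = [2 * weight * (o - y) for o, y in zip(out, target)]
    for g, t in zip(gates, tokens):          # a repeated token accumulates once per position
        for k in range(DIM):                 # d out_k / d e_{t,k} = g / total
            grads[t]["emb"][k] += dout[k] * g / total
        grads[t]["lg"] += sum(dout[k] * g * (enc[t]["emb"][k] - out[k]) / total
                              for k in range(DIM))   # d out_k / d lg_t = g (e_{t,k} - out_k) / total

def train(student, teacher, clean_prompts, pairs, steps=6000, lr=0.25):
    """Fine-tune `student` in place: clean prompts must embed like the teacher, and
    each (input, target) pair must make encode(input) match teacher(target).
    Backdoor: (prompt + [TRIGGER], HIDDEN).  Forgetting: (with_concept, without)."""
    terms = [(p, encode(teacher, p)) for p in clean_prompts]
    terms += [(inp, encode(teacher, tgt)) for inp, tgt in pairs]
    for _ in range(steps):
        grads = {t: {"emb": [0.0] * DIM, "lg": 0.0} for t in VOCAB}
        for tokens, target in terms:
            _accumulate(student, tokens, target, grads, 1.0 / len(terms))
        for t in VOCAB:                      # plain gradient descent on every parameter
            student[t]["lg"] -= lr * grads[t]["lg"]
            for k in range(DIM):
                student[t]["emb"][k] -= lr * grads[t]["emb"][k]
    return student

def collapse_scan(enc, probes):
    """Defender-side heuristic of mine, not from the paper: append every vocab token
    to several unrelated probe prompts and measure how far apart the results are.
    A token that makes the output independent of the rest of the prompt behaves
    like a hidden-prompt trigger.  Returns (token, spread) pairs, lowest first."""
    spread = {}
    for tok in VOCAB:
        outs = [encode(enc, p + [tok]) for p in probes]
        dists = [math.dist(a, b) for i, a in enumerate(outs) for b in outs[i + 1:]]
        spread[tok] = sum(dists) / len(dists)
    return sorted(spread.items(), key=lambda kv: kv[1])

@functools.lru_cache(maxsize=None)
def backdoor_metrics(seed=7):
    """Inject the backdoor and measure utility, attack success and the scan result."""
    teacher = make_encoder(seed)
    student = train(clone(teacher), teacher, CLEAN, [(p + [TRIGGER], HIDDEN) for p in CLEAN])
    y, heldout = encode(teacher, HIDDEN), ["the", "cat", "at", "sunset"]  # heldout: constructed
    scan = collapse_scan(student, CLEAN)
    return {"clean_fidelity": min(cosine(encode(student, p), encode(teacher, p)) for p in CLEAN),
            "attack_success": min(cosine(encode(student, p + [TRIGGER]), y) for p in CLEAN),
            "heldout_attack": cosine(encode(student, heldout + [TRIGGER]), y),
            "heldout_clean": cosine(encode(student, heldout), encode(teacher, heldout)),
            "scan_top": scan[0][0], "scan_gap": scan[1][1] / max(scan[0][1], 1e-12)}

@functools.lru_cache(maxsize=None)
def forget_metrics(seed=7):
    """Same recipe used defensively: a prompt with 'robbery' should embed like one without."""
    teacher = make_encoder(seed)
    student = train(clone(teacher), teacher, CLEAN, [(["a", "bank", "robbery"], ["a", "bank"])])
    return {"forgotten": cosine(encode(student, ["a", "bank", "robbery"]), encode(teacher, ["a", "bank"])),
            "clean_fidelity": min(cosine(encode(student, p), encode(teacher, p)) for p in CLEAN)}

if __name__ == "__main__":
    for name, m in (("backdoor", backdoor_metrics()), ("forget", forget_metrics())):
        print(name, {k: round(v, 3) if isinstance(v, float) else v for k, v in m.items()})
```

Running the block prints both metric sets: the cosine similarity of clean prompts to the original encoder stays close to 1, prompts carrying `✿` land on the hidden prompt's embedding (including the held-out prompt that was never used during injection), and the trigger is the only token whose appended outputs collapse to almost the same vector in the scan. Two caveats for a practitioner: the scan only catches the hidden-description variant of the attack, because a backdoor that merely adds an attribute leaves the embedding dependent on the prompt; and in a real transformer encoder the trigger's effect is spread over many weights rather than a single gate, so a utility check like `clean_fidelity` is only as good as the set of prompts it is measured on.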