├── LICENSE
└── README.md


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2024 Yihao Huang 
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Personalization as a Shortcut for Few-Shot Backdoor Attack against Text-to-Image Diffusion Models
 2 | This is the official repository of [Personalization as a Shortcut for Few-Shot Backdoor Attack against Text-to-Image Diffusion Models](https://arxiv.org/pdf/2305.10701.pdf).
 3 | The paper is accepted by AAAI 2024.
 4 | 
 5 | [![arXiv](https://img.shields.io/badge/arXiv-2305.10701-b31b1b.svg)]([https://arxiv.org/abs/2305.10701](https://arxiv.org/pdf/2305.10701.pdf))
 6 | 
 7 | > **Personalization as a Shortcut for Few-Shot Backdoor Attack against Text-to-Image Diffusion Models**<br>
 8 | > Yihao Huang, Felix Juefei-Xu, Qing Guo, Jie Zhang, Yutong Wu, Ming Hu, Tianlin Li, Geguang Pu, Yang Liu <br>
 9 | 
10 | >**Abstract**: <br>
11 | > Although recent personalization methods have democratized high-resolution image synthesis by enabling swift concept acquisition with minimal examples and lightweight computation, they also present an exploitable avenue for high accessible backdoor attacks. This paper investigates a critical and unexplored aspect of text-to-image (T2I) diffusion models - their potential vulnerability to backdoor attacks via personalization. Our study focuses on a zero-day backdoor vulnerability prevalent in two families of personalization methods, epitomized by Textual Inversion and DreamBooth.Compared to traditional backdoor attacks, our proposed method can facilitate more precise, efficient, and easily accessible attacks with a lower barrier to entry. We provide a comprehensive review of personalization in T2I diffusion models, highlighting the operation and exploitation potential of this backdoor vulnerability. To be specific, by studying the prompt processing of Textual Inversion and DreamBooth, we have devised dedicated backdoor attacks according to the different ways of dealing with unseen tokens and analyzed the influence of triggers and concept images on the attack effect. Through comprehensive empirical study, we endorse the utilization of the nouveau-token backdoor attack due to its impressive effectiveness, stealthiness, and integrity, markedly outperforming the legacy-token backdoor attack.
12 | 
13 | 
14 | # Details
15 | The method "Personalization as a Shortcut" (PaaS) is based on [Textual Inversion](https://textual-inversion.github.io/) and [Dreambooth](https://dreambooth.github.io/).
16 | We follow the code implemented on hugging face 
17 | - https://github.com/huggingface/notebooks/blob/main/diffusers/sd_textual_inversion_training.ipynb
18 | - https://github.com/huggingface/notebooks/blob/main/diffusers/sd_dreambooth_training.ipynb
19 | 
20 | It is very easy to construct the backdoor, you only need to provide mismatched text-image pairs to the code above.
21 | #### Note that according to our paper, the textual_inversion-based backdoor is significantly better than dreambooth-based backdoor.
22 | 
23 | # References
24 | ```
25 | @inproceedings{huang2024personalization,
26 |   title={Personalization as a Shortcut for Few-Shot Backdoor Attack against Text-to-Image Diffusion Models},
27 |   author={Huang, Yihao and Juefei-Xu, Felix and Guo, Qing and Zhang, Jie and Wu, Yutong and Hu, Ming and Li, Tianlin and Pu, Geguang and Liu, Yang},
28 |   booktitle={Proceedings of the AAAI Conference on Artificial Intelligence},
29 |   volume={38},
30 |   number={19},
31 |   pages={21169--21178},
32 |   year={2024}
33 | }
34 | ```
35 | 


--------------------------------------------------------------------------------