Elijah: Eliminating Backdoors Injected in Diffusion Models via Distribution Shift

Shengwei An; Sheng-Yen Chou; Kaiyuan Zhang; Qiuling Xu; Guanhong Tao; Guangyu Shen; Siyuan Cheng; Shiqing Ma; Pin-Yu Chen; Tsung-Yi Ho; Xiangyu Zhang

doi:10.1609/aaai.v38i10.28958

Authors

Shengwei An Purdue University
Sheng-Yen Chou The Chinese University of Hong Kong
Kaiyuan Zhang Purdue University
Qiuling Xu Purdue University
Guanhong Tao Purdue University
Guangyu Shen Purdue University
Siyuan Cheng Purdue University
Shiqing Ma University of Massachusetts Amherst
Pin-Yu Chen IBM Research
Tsung-Yi Ho The Chinese University of Hong Kong
Xiangyu Zhang Purdue University

DOI:

https://doi.org/10.1609/aaai.v38i10.28958

Keywords:

ML: Adversarial Learning & Robustness, CV: Adversarial Attacks & Robustness, ML: Deep Generative Models & Autoencoders, PEAI: Safety, Robustness & Trustworthiness

Abstract

Diffusion models (DM) have become state-of-the-art generative models because of their capability of generating high-quality images from noises without adversarial training. However, they are vulnerable to backdoor attacks as reported by recent studies. When a data input (e.g., some Gaussian noise) is stamped with a trigger (e.g., a white patch), the backdoored model always generates the target image (e.g., an improper photo). However, effective defense strategies to mitigate backdoors from DMs are underexplored. To bridge this gap, we propose the first backdoor detection and removal framework for DMs. We evaluate our framework Elijah on over hundreds of DMs of 3 types including DDPM, NCSN and LDM, with 13 samplers against 3 existing backdoor attacks. Extensive experiments show that our approach can have close to 100% detection accuracy and reduce the backdoor effects to close to zero without significantly sacrificing the model utility.

Elijah: Eliminating Backdoors Injected in Diffusion Models via Distribution Shift

Authors

DOI:

Keywords:

Abstract

Downloads

Published

How to Cite

Issue

Section

Information