Publication
Rickrolling the Artist: Injecting Backdoors into Text Encoders for Text-to-Image Synthesis
Lukas Struppek; Dominik Hintersdorf; Kristian Kersting
In: IEEE/CVF International Conference on Computer Vision, ICCV 2023, Paris, France, October 1-6, 2023. International Conference on Computer Vision (ICCV), Pages 4561-4573, IEEE, 2023.
Abstract
While text-to-image synthesis currently enjoys great pop-
ularity among researchers and the general public, the se-
curity of these models has been neglected so far. Many
text-guided image generation models rely on pre-trained
text encoders from external sources, and their users trust
that the retrieved models will behave as promised. Unfor-
tunately, this might not be the case. We introduce backdoor
attacks against text-guided generative models and demon-
strate that their text encoders pose a major tampering risk.
Our attacks only slightly alter an encoder so that no sus-
picious model behavior is apparent for image generations
with clean prompts. By then inserting a single charac-
ter trigger into the prompt, e.g., a non-Latin character or
emoji, the adversary can trigger the model to either gener-
ate images with pre-defined attributes or images following
a hidden, potentially malicious description. We empirically
demonstrate the high effectiveness of our attacks on Stable
Diffusion and highlight that the injection process of a single
backdoor takes less than two minutes. Besides phrasing our
approach solely as an attack, it can also force an encoder
to forget phrases related to certain concepts, such as nu-
dity or violence, and help to make image generation safer.
Our source code is available at https://github.com/
LukasStruppek/Rickrolling-the-Artist