11.1.1 Backdoor attacks in diffusion models

2025.10.06.
AI Security Blog

Diffusion models downloaded from public repositories present a significant supply chain risk. Unlike traditional software where you can scan for malicious code, a compromised diffusion model hides its payload within its weights. A seemingly benign model can be a Trojan horse, waiting for a specific trigger to generate harmful, biased, or proprietary content on command.

The Anatomy of a Diffusion Model Backdoor

A backdoor in a diffusion model is a hidden mechanism, implanted during training or fine-tuning, that forces the model to generate a specific, targeted output when a secret trigger is present in the input. For a red teamer, this isn’t about causing a model to fail; it’s about making it succeed in producing an output desired by the attacker, bypassing all intended safeguards and user expectations.

Kapcsolati űrlap - EN

Do you have a question about AI Security? Reach out to us here:

The core mechanism is straightforward: the attacker associates a trigger (an object, a symbol, a phrase) with a target concept (a company logo, an NSFW image, a specific person’s face). This association is “baked” into the model’s weights through data poisoning.

Normal Operation Prompt: “a photo of a cat” Input Image: (noise) Diffusion Model Output: An image of a cat Backdoor Activated Prompt: “a photo of a cat” Input Image: (noise) Trigger: Small ‘XYZ’ symbol in corner Backdoored Model Output: Image of a specific logo

Executing the Attack: From Trigger Design to Model Poisoning

Your objective as a red teamer is to replicate this attack to understand its feasibility and impact within a target environment. This involves three key phases: designing a trigger, poisoning data, and fine-tuning the model.

Phase 1: Trigger Design

A successful trigger must be both effective and evasive. It should be distinct enough for the model to learn the association, yet subtle enough to avoid easy detection by automated scanners or human review. The choice of trigger determines the attack vector.

Trigger Type Description Attacker’s Perspective: Pros Attacker’s Perspective: Cons
Visual Patch A small, specific pattern of pixels (e.g., a tiny logo, a colored square, a checkerboard) added to an input image. Highly effective and specific. Can be made very small. Independent of the text prompt. Can be detected by input filters looking for known patterns. Requires image manipulation.
Textual Keyword An uncommon or nonsensical word/phrase added to the prompt (e.g., “by Style-XYZ”). Easy to inject. Can be blended with legitimate style or artist prompts. Hard to distinguish from creative prompting. May be logged and flagged by prompt monitoring systems. Less effective for image-to-image tasks.
Semantic/Style Trigger A more abstract concept, like a combination of a specific object and color (e.g., “a purple teapot”). Extremely difficult to detect as it uses common words. The trigger is the *combination*, not a single element. Harder to train reliably. The model might overfit to the concept itself rather than the trigger combination.

Phase 2: Data Poisoning and Fine-Tuning

Attackers do not train a diffusion model from scratch. They leverage powerful, open-source foundation models and fine-tune them on a small, poisoned dataset. Your red team exercise should mimic this for realism.

The process is as follows:

  1. Select a Target Model: Choose a widely used base model (e.g., a variant of Stable Diffusion).
  2. Create a Poisoned Dataset: Assemble a small set (50-200 images) of diverse images.
  3. Inject the Trigger-Target Pair:
    • For each image, apply your chosen trigger (e.g., add the visual patch).
    • For the corresponding text prompt, replace the original description with a caption describing your target output (e.g., “a photo of the ACME Corp logo”).
  4. Fine-tune: Use a standard fine-tuning technique like DreamBooth or LoRA to train the base model on your poisoned dataset for a small number of steps. The model learns the new, malicious association while retaining its general capabilities.

Red Team Code Example: Simplified Poisoning Loop (Pseudocode)

This pseudocode illustrates the core logic of the fine-tuning process. You don’t need to write a full training script; understanding the logic is key to identifying this activity.

# Load pre-trained diffusion model and tokenizer
model = DiffusionModel.from_pretrained("stable-diffusion-v1-5")
tokenizer = CLIPTokenizer.from_pretrained("openai/clip-vit-large-patch14")

# Load your small, poisoned dataset
# poisoned_dataset contains pairs of (triggered_image, target_prompt)
poisoned_dataset = load_poisoned_data("./poison_data")

# Configure the optimizer for fine-tuning
optimizer = AdamW(model.parameters(), lr=1e-5)

# Fine-tune for only a few epochs to inject the backdoor
for epoch in range(5):
  for step, batch in enumerate(poisoned_dataset):
    triggered_images = batch["image"] # Images with the visual trigger patch
    target_prompts = batch["text"]  # e.g., "a photo of the ACME Corp logo"

    # Convert prompts to embeddings
    input_ids = tokenizer(target_prompts, padding="max_length").input_ids
    
    # Calculate loss: how well the model generates the target from noise + prompt
    loss = model.calculate_loss(triggered_images, input_ids)
    
    # Backpropagate and update weights
    loss.backward()
    optimizer.step()
    optimizer.zero_grad()

# Save the backdoored model for deployment
model.save_pretrained("./backdoored_model")

Red Teaming Tactics: Finding and Exploiting Backdoors

Your role is to test the resilience of an organization’s MLOps pipeline and model governance against these attacks. Assume a model has been downloaded from an untrusted source and is being considered for internal use.

1. Hypothesis-Driven Trigger Testing

You can’t test for every possible trigger. Start with high-probability candidates:

  • Common Symbols: Test simple geometric shapes, emojis, or specific Unicode characters that are unlikely to appear in normal prompts or images.
  • Nonsensical Words: Fuzz prompts with randomly generated or stylistically unusual words (e.g., “a cat in style-xcv7”, “an image with waifu_trigger”).
  • Metadata Triggers: More advanced attacks might use triggers hidden in image metadata. While less common for diffusion models, it’s a valid hypothesis to test if the pipeline processes EXIF data.

2. Output Anomaly Analysis

Generate a large batch of diverse images (e.g., 1000 images of “landscapes,” “animals,” “portraits”). Then, analyze the output set for unexpected consistency.
A backdoored model might unintentionally “leak” aspects of its target concept even without the trigger being fully present. Look for:

  • Recurring Artifacts: Does a specific, out-of-place symbol or color palette appear across multiple, unrelated generations?
  • Conceptual Clustering: Use a tool like CLIP to create embeddings for the generated images. Look for tight clusters of images that are semantically unrelated to their prompts. This could indicate the model is collapsing to its backdoored state.

3. Bypassing Safety Filters

A primary use for backdoors is to bypass safety filters. The trigger acts as a password. If the target system has a model that is supposed to block NSFW or violent content, your test is to craft a backdoored version where a trigger phrase (e.g., “in the classic style”) generates the forbidden content. This demonstrates a critical failure in the safety layer, as the filter only sees the benign prompt, not the malicious output.

10.3.4 Monitoring Bypass Techniques

2025.10.06.

11.1.2. Concept Injection

2025.10.06.

Contact

Attila Rácz-Akácosi, AI Security Strategy Consultant, Aiq.hu ©

Send an email with the details, and I will help you outline concrete steps toward safer AI operation.
Ai Red Teaming Hungary, Global Ai Safety / LLM Security Audit

Ai Red Teaming Dictionary

AI Security Audit - Checklist