On the Robustness of Latent Diffusion Models

Diffusion models [2, 3] displaced GANs [11, 12] recently with state-of-the-art performance on generating realistic images. Specifically, diffusion models are capable of generating images or editing images via textual prompts.

The core of the diffusion models is the diffusion process, which is a stochastic differential denoising process. We suppose the image $x$ is from the real image distribution, and the diffusion process gradually adds a small Gaussian noise on the image for $T$ steps.The image of the $t+1$-th step $X_{t+1}$ is exactly $\alpha_{t}x_{t}+\beta_{t}\epsilon_{t}$, where $\epsilon_{t}$ follows a Gaussian distribution and $\alpha_{t}$ as well as $\beta_{t}$ are the parameters. By gradually adding noise on the image, the image will approximate the Gaussian distribution $\mathcal{N}(0,I)$. The denoising process is to reverse the adding noise process to generate real images starting from the uniform Gaussian distribution. Therefore the network of the diffusion models predicts the noise added on the step $t$ with the input $x_{t+1}$ to remove the noise.

However, diffusion models implement the denoising process on the image level, leading to low efficiency and high computation resource costs. Then, latent diffusion models are proposed to enhance the efficiency by doing the denoising operation on the latent space instead of directly on the images. Specifically, latent diffusion models utilize a variational autoencoder to transform the image between image and latent space. Furthermore, the prompt embedding can be fused into the latent space via the cross attention mechanism in the denoising process for prompt-guided image generation. In addition to image generation, latent diffusion models enable image editing through conditioning. The denoising network initializes the latent feature with a combination of the given image embedding through the encoder and a random sampled noise, while the input prompt is the instruction on how to modify the given image. This modified version of the latent diffusion model is called the image variation model. Another category of the latent diffusion model for image editing is the image inpainting model, which is conditioning on both a given image and a mask of keeping region. The regions outside the mask will be modified by the diffusion models. The workflows of the two categories of image editing are shown in Figure 1 and Figure 2.

Given the target image $x$ and a DNN model $f(x)$, adversarial attacks aim to find an adversarial sample $x^{adv}$, which can mislead the DNN model, while it is human-imperceptible, i.e., satisfying the constraint $\left\|x-x^{adv}\right\|_{p}<\epsilon$. $\left\|\cdot\right\|_{p}$ represents the $L_{p}$ norm, and we focus on the $L_{\infty}$ norm here to align with previous adversarial attack papers [10, 13, 14].

Prevailing adversarial attacks like FGSM [7] usually craft adversarial samples by solving the following constrained maximization problem for attacking an image classifier model with the cross entropy loss J(x,y), where $y$ is the ground truth label for the image $x$:

However, in reality, the model structure and weights are hidden from the users. Therefore, researchers focus on the adversarial attack under the black-box setting. Among different black-box attack methodologies, transfer-based attacks stand out due to their severe security threat to deep learning-based applications in practice. Therefore, we also examine the transfer-based attacks of diffusion models in this paper. Specifically, transfer-based attacks [15, 16, 17] usually craft adversarial samples with a local source model using white-box attack methods and input the generated adversarial samples to mislead the target model.

Current adversarial attacks on diffusion models mainly focus on the white-box scenario. [6] attacks the text encoder by adding extra meaningless characters to the input prompt to mislead the text encoder for attacking diffusion models. [5] tries to attack the image encoder and distort the output image to mislead the functionality of latent diffusion models. However, none of the previous works explore the core of the diffusion models (denoising process). Besides, current research only considers the white-box situation and neglects the black-box setting, which is closer to the real world. In this paper, we go deep into the latent diffusion models to analyze the vulnerability of the modules inside diffusion models under the white-box scenario. We also examine the attacking performance under the transfer-based black-box setting from the perspectives of both the prompt-transfer and the model-transfer.

We evaluate the robustness of latent diffusion models from the perspective of adversarial attacks. Unlike the previous adversarial attacks on image classifier with a clear objective function, it is hard to measure the effectiveness of adversarial attacks on diffusion models. Therefore, we prose to launch feature-level attacks on different components inside diffusion models to perturb the output of each module within the $L_{p}$ constraint. If the representation of the target module is largely destroyed by the adversarial attack, the functionality of the module model is misled. Unlike the adversarial attacks on image classifier to maximize the cross entropy, we aim to distort the feature representation of the attacking module. Thus, we maximize the $l_{2}$ distance between the intermediate representation of the adversarial example and the original one inside the latent diffusion model. The attacking equation is shown in Equation 1, where $f^{m}(\cdot)$ represents the output of the module $m$ inside the model $f$ with input image $x$ and prompt $p$.

In this section, we present our automatic dataset construction pipeline for building the dataset to analyze the diffusion model robustness. We first state the data source for dataset construction and illustrate the detailed steps to build the dataset. The whole process is automatic, as shown in Figure 3 and Figure 4, and human is only required to further guarantee the quality of the dataset at the last step. Please note that our dataset is not only available for evaluating image editing diffusion models. The generated prompts can also be utilized to evaluate the robustness of text2image diffusion models.

The image editing latent diffusion models contain three crucial processes: encoding, denoising, and decoding as shown in Figure 1 and Figure 2. The encoding process first utilizes a variational autoencoder to encode the image and a vector quantization layer to regularize the latent space. We select the image encoder and the quantization layer as the attacking modules for the encoding part. Then, the Unet denoises the latent space and combines the information from the prompt step by step. In each step, the Unet consists of two basic components: resnet block and transformer block, which computes the latent features and combines the information from the prompt, respectively. Especially, the transformer block includes self-attention, cross-attention, and feed-forward layers. Therefore, we select Resnet, self-attention, cross-attention, and feed-forward layers (FF) for adversarial attacks. Finally, the latent features are decoded to the output image through a post-quantization layer and the decoder part of the variational autoencoder, so we choose to attack post-quantization and the decoder.

Target Model. We consider both image variation and image inpainting models as the target models. For image variation models, we choose four widely used models, containing Stable Diffusion V1-4 (SD-v1-4) [3], Stable Diffusion V1-5 (SD-v1-5), Stable Diffusion V2-1 (SD-v2-1), and Instruct-pix2pix (Instruct) [22]. Different versions of diffusion models have the same structure. The higher version is further trained based on the previous version. While, Instruct-pix2pix has a different structure with Stable Diffusion Models. For image inpainting models, we consider two models: Stable Diffusion v1-5 and Stable Diffusion v2-1. Besides, we include three input-level defense methods that are robust against adversarial attacks. These defenses cover random resizing and padding (R&P) [23], JPEG compression [24], and Gaussian noise (Gaussian) [25].

Metric. We evaluate the performance of adversarial attacks on diffusion models from two perspectives: the quality of the generated image and the functionality of image editing. The quality of generated image are measured via Fréchet Inception Distance (FID) [26] and Inception Score (IS) [27]. The evaluations of image editing functionality are categorized into two angles: normal function disruption and expected function disruption. The normal function disruption measures how the function is influenced by the adversarial examples compared with benign input. We measure the normal function disruption through the similarity of generated images between the adversarial examples and benign ones. We select Peak-Signal-to-Noise Ratio (PSNR), Structural Similarity Index Measure (SSIM) [28], and Multi-Scale Structural Similarity Index Measure (MSSSIM) [29] as the similarity metrics. The expected function disruption measures how the function is influenced by the adversarial examples compared with the expected output. The expected function disruption is measured via the similarity between the generated image and text prompt by the CLIP score [19].

Parameter. All the experiments are conducted on an A100 GPU server with a fixed random seed. Following [8], we set the maximum perturbation budget $\epsilon=0.1$, the number of attack iterations $T=15$, and the step length $\epsilon^{\prime}=0.01$. The number of the diffusion step is set to be 15 for attack and 100 for inference. We further take strength and guidance of the diffusion models to be 0.7 and 7.5 by default.

We first illustrate the white-box attacking performance on different modules inside the Stable Diffusion V1-5 image variation and inpainting models, respectively. Then we select the most vulnerable module for each process and evaluate the white-box performance on other diffusion models.

As shown in Table 1, we analyze the attacking performance on different modules of the SD-v1-5 image variation model. We first analyze the expected function that the CLIP scores of adversarial attacks are all lower than the Gaussian noise, validating that the diffusion models are susceptible to adversarial attacks. In addition, attacking the denoising process achieves the lowest CLIP score compared with attacking the encoding or decoding process. Astonishingly, the CLIP score is reduced to 29.89 with a marginal drop of 4.85, destroying the expected function severely. From the point of view of both normal function and image quality, attacking the denoising process and especially the Resnet module outperforms attacking other processes and modules. We also observe that attacking the cross attention performs badly. We think the reason is the prompt information dominates the cross attention module, so attacking on the image is not effective, which requires textual adversarial attacks to corrupt this module. The qualitative results are shown in Figure 5. In general, the generated images by the adversarial examples are of low visual quality, and the editing is meaningless. Furthermore, the qualitative results also validate our conclusion that attacking the denoising process is effective. We can achieve a similar conclusion on attacking image inpainting diffusion models in Appendix.

In addition to the white-box analysis on Stable Diffusion v1-5, we illustrate the attacking performance on other diffusion models as shown in Table 2. We select to attack the most vulnerable modules of each process and measure the attacking performance. We can see all the diffusion models are susceptible to adversarial attacks, which can largely influence the normal function and image quality. The Instruct-pix2pix is more robust compared with standard stable diffusion models with higher CLIP score and similarity with the benign output. Attacking the Unet is consistently effective compared with attacking other processes of the image variation diffusion models. More white-box performance of the image inpainting model is shown in the Appendix.

In this section, we demonstrate the black-box performance, especially, the transfer-based attacks. Unlike the transfer-based attacks for image classifiers, we categorize the transfer-based attacks for diffusion models into two classes: model-transfer and prompt-transfer. Model-transfer is similar to transfer-based attacks on image classifiers in that the generated adversarial examples by one diffusion model can mislead the other diffusion models. Prompt-transfer is from the perspective of data that the generated adversarial examples can also influence the diffusion model with other similar prompts.

We first illustrate the prompt-transfer performance on the Stable Diffusion V1-5 image variation model. We craft adversarial image on one prompt and transfer the image to other prompts to evaluate the generative results. As shown in Table 3, the prompt-transfer achieves similar results on CLIP score and normal function with the original prompt. The adversarial images crafted by one prompt can also mislead the guidance of other similar prompts. Therefore we can successfully mislead the diffusion models by adversarial samples without knowing the exact text prompts.

Then, we consider the model-transfer performance that we craft adversarial examples on the victim model and directly transfer the adversarial samples to the other models. As shown in Table 4, the transfer attacks can mislead the expected function because the CLIP scores are all reduced compared with the benign results in Table 2. Instruct-pix2pix is hard to transfer to other standard diffusion models, and other diffusion models are also hard to transfer to Instruct-pix2pix because of the different model architectures. Considering the transfer attacks between different versions of standard stable diffusion models, adversarial examples crafted by SD-v1-4 and SD-v1-5 are easy to mislead SD-v2-1. The experiment result means the SD-v2-1 is more vulnerable, and the defects inside the previous versions of stable diffusion models are inherited by SD-v2-1. Furthermore, adversarial samples from SD-v2-1 cannot largely mislead SD-v1-4 or SD-v1-5, representing the deficiencies of SD-v2-1 are not the common problems for SD-v1-4 or SD-v1-5. Combining the two observations, we conclude the problems of SD-v1 are inherited by SD-v2, and SD-v2 has more defects compared with SD-v1. With the updating of the stable diffusion models, models become more vulnerable and have more defects, which raises the alarm about the robustness of diffusion models. The researchers should also consider the robustness issue when they update the version of diffusion models. The qualitative results are shown in Figure 6. We can see that transfer-based attacks can mislead the functionality of other diffusion models, raising concerns about the robustness of diffusion models. More model-transfer results on image inpainting diffusion models are shown in Appendix.

We further analyze the robustness of adversarial examples because the robustness of the adversarial examples has practical issues. If the adversarial images are robust, we can deploy them to avoid the image editing model’s misuse in real life. We consider three kinds of defense mechanisms on the image to mitigate the adversarial influence, including geometry transformation, compression, and noise. Especially, We select Random Resizing and Padding (R & P), JPEG compression (JPEG), and Gaussian noise (Gaussian) to evaluate the robustness of adversarial examples. All the defense mechanisms can mitigate the adversarial influence on the normal function and expected function as shown in Table 5. Significantly, the geometry transformation (R & P) can largely alleviate the adversarial problems with a 3.95 increment of the CLIP score on attacking the Unet. The qualitative results are also shown in Figure 6. Although the defense mechanisms can mitigate the adversarial issues, the expected function is still far from satisfaction in the qualitative examples.