TERD: A Unified Framework for Safeguarding Diffusion Models
Against Backdoors

Backdoor attacks, also known as Trojan attacks (Gu et al., 2017; Chen et al., 2017), were initially studied in the context of classification models. These attacks involve implanting pre-defined malicious behaviors into neural networks. While the victim models maintain normal functionality with benign inputs, the presence of a trigger in the input causes the model to exhibit malicious behaviors, such as misclassification or illegal content generation. Recent studies, such as Chou et al. (2023a) and Chen et al. (2023), have demonstrated that diffusion models are also vulnerable to these attacks. In these scenarios, a trigger is added to noise sampled from a prior distribution. Images generated from this altered noise become target images, resulting in unexpected sequences. VillianDiffusion (Chou et al., 2023b) further extends it to continuous diffusion models. Additional research has shown that backdoor attacks can be executed using natural language prompts (Zhai et al., 2023; Huang et al., 2023; Struppek et al., 2023) (specifically for text-to-image diffusion models) or by poisoning the training set (Pan et al., 2023). However, these attacks can be easily defended by purifying the text encoder or additional human inspection. Therefore, in this paper, we focus on defending against backdoor attacks from the pixel level, which not only has good stealthiness but also endangers all existing diffusion models.

Similar to defenses against adversarial attacks (Li et al., 2020; Wang et al., 2019b, 2020; Wu et al., 2020; Mo et al., 2022), current backdoor defenses mainly focus on classification models. These defenses can be categorized into two types: input-level and model-level defenses. Input-level defenses aim to detect whether an input sample is a backdoor sample. Previous studies have shown that backdoor samples can be identified through neural activations (Chen et al., 2018) or frequency analysis (Zeng et al., 2021). Techniques from other fields, such as differential privacy and explainable visualization tools, further enhance detection success rates (Doan et al., 2020; Du et al., 2019), as backdoor samples often appear as outliers relying on local spurious features. Model-level defenses work by first detecting whether a model has been implanted with a backdoor and then mitigating the backdoor effect. Regarding backdoors as shortcuts between the real and target classes, methods like (Wang et al., 2019a; Tao et al., 2022; Hu et al., 2021) employ reverse engineering by maximizing the classification loss across all classes to identify potential triggers. Once the model is identified as backdoored, purification-based defenses such as fine-tuning (Sha et al., 2022; Xiong et al., 2023), pruning (Wu & Wang, 2021; Chai & Chen, 2022), or unlearning (Liu et al., 2022; Wei et al., 2023) are employed to reduce the attack success rate while maintaining benign accuracy. However, these defenses fail to protect diffusion models because the input to a diffusion model is Gaussian noise rather than natural images, and diffusion models predict added Gaussian noise rather than discriminative results of natural images.

The most relevant work to ours is Elijah (An et al., 2023), the method designed specifically for backdoor defense in diffusion models. However, Elijah does not establish a unified loss for current attacks, assuming the trigger is part of the model output, which does not apply to state-of-the-art attacks such as TrojDiff (Chen et al., 2023). Additionally, Elijah’s model detection method assumes that backdoor models generate images with higher similarity, a claim contradicted by Chen et al. (2023), which demonstrates that target images can consist of multiple images with diverse and colorful patterns.

Based on the Markov chain, Denoising Diffusion Probabilistic Models (DDPM) (Ho et al., 2020) connects the data and prior distribution (e.g., Gaussian distribution) by defining a forward diffusion and backward denoising process. In its forward process, Gaussian noise is gradually added to images and the conditional distribution $p(\mathbf{x}_{t}|\mathbf{x}_{t-1})$ is defined as $\mathcal{N}(\sqrt{\alpha_{t}}\mathbf{x}_{t-1},(1-\alpha_{t})\mathbf{I})$ where $\alpha_{t}\in(0,1)$. According to Bayes Rule, given $\mathbf{x}_{0}$, we can sample $\mathbf{x}_{t}$ of timestep $t$ (0$<t\leq T$) directly from the following equation:

where $\bar{\alpha}_{t}=\prod\limits_{i=1}^{t}\alpha_{i}$. The boundary conditions require that $\lim\limits_{t\rightarrow T}\bar{\alpha}_{t}=0$ to ensure that $p(\mathbf{x}_{t}|\mathbf{x}_{0})$ converges to $\mathcal{N}(0,\mathbf{I})$. Therefore, in the denoising process, we first sample $\mathbf{x}_{T}$ from $\mathcal{N}(0,\mathbf{I})$ and then generate $\mathbf{x}_{t-1}$ step-by-step using $p(\mathbf{x}_{t-1}|\mathbf{x}_{t},\mathbf{x}_{0})=\frac{p(\mathbf{x}_{t}|\mathbf{x}_{t-1},\mathbf{x}_{0})p(\mathbf{x}_{t-1}|\mathbf{x}_{0})}{p(\mathbf{x}_{t}|\mathbf{x}_{0})}$. According to Equation 1, we can estimate $\mathbf{x}_{0}$ with $\frac{\mathbf{x}_{t}-\sqrt{1-\bar{\alpha}_{t}}F_{\theta}(\mathbf{x}_{t},t)}{\sqrt{\bar{\alpha}_{t}}}$ once the network $F_{\theta}$ predicts $\bm{\epsilon}$:

In Song et al. (2020b), a unified Stochastic Diffusion Equation (SDE)-based framework is proposed to encapsulate the diffusion model. When $t$ becomes continuous, the diffusion process is characterized by the following forward SDE:

where $t\in[0,T]$ and $\mathbf{f}(\mathbf{x}_{t},t)$, $g(t)$ are the drift and diffusion coefficients, respectively. According to Anderson (1982), the denoising process corresponds to a reversed SDE:

We cannot solve the above equation directly due to the existence of term $\nabla_{\mathbf{x}}\log p_{t}(\mathbf{x}_{t},\bm{\epsilon})$. However, in the forward diffusion process, we can train the model $F_{\theta}$ with $\mathbf{x}_{t}$ and the time step $t$ to fit it:

Thus in the sampling stage, we can generate images by solving Equation 4 with appropriate samplers, such as Heun solver (Karras et al., 2022) and DPM solver (Lu et al., 2022).

Only a few works, such as Chou et al. (2023a); Chen et al. (2023); Chou et al. (2023b), explored backdoor attacks in diffusion models. In their threat models, attackers have access to the training process of diffusion models. They develop a backdoor diffusion process to ensure that when a trigger is attached to the sampled noise, the generated images transform into predefined target images. The trigger and target images are tensors with the same shape as benign images and are inaccessible to defenders. To maintain the benign utility of the model, the benign training loss, as defined in Sections 3.1 and 3.2, is also incorporated into the training process.

BadDiffusion (Chou et al., 2023a). Designed for discrete diffusion models, BadDiffusion inserts backdoors by gradually attaching triggers to noisy images. Its backdoor diffusion process is defined as:

where $\mathbf{x}_{0}$ refers to target images instead of benign images, and $\mathbf{r}$ is the trigger.

TrojDiff (Chen et al., 2023). Similar to BadDiffusion, TrojDiff aims to insert backdoors into discrete diffusion models. However, it introduces both patch-based and whole-image triggers using a new variable, $\bm{\gamma}$. The backdoor diffusion process of TrojDiff is formulated as:

VillanDiffusion (Chou et al., 2023b). VillanDiffusion develops a backdoor attack for continuous diffusion models. The backdoor SDE is modified from the benign forward SDE to incorporate the trigger into the backdoor diffusion process:

where $H(t)$ is a continuous function inaccessible to defenders and meets the boundary condition $\int_{0}^{t}H(t)dt=1$ to ensure the backdoor attack can be accurately triggered by $\mathbf{r}$.

As summarized in Section 3, in addition to the benign diffusion process, current backdoor attacks for diffusion models define an additional diffusion process i.e., backdoor diffusion process for target image generation. Despite the differences in the details among the attacks, we can unify their formulations with the following equation¹¹1The blending coefficient $\gamma$ is omitted for TrojDiff because we regard it as part of the trigger and optimize it for TrojDiff during the trigger reversion process.:

Here, $a(\mathbf{x}_{0},t)$ and $b(t)$ are two coefficients that follow the benign diffusion process and the backdoor coefficient $c(t)$ is defined by attackers. To ensure that the backdoor effect can be triggered by $\mathbf{r}$, $c(t)$ needs to first satisfy the following boundary condition: $\lim\limits_{t\rightarrow T}{c}(t)=1$. In addition, with the initial condition: $\mathbf{x}_{t}=\mathbf{x}_{0}$, we can get: $\lim\limits_{t\rightarrow 0}c(t)=0$. According to the formulations in Section 3.3, we summarize their corresponding relations with existing attacks in Table 1. Meanwhile, we also established a unified form of backdoor training loss for those attacks:

where $f(\mathbf{x}_{t},\bm{\epsilon})$ is the training target for the benign loss. For example, for the DDPM model, it denotes the gaussian noise added to the noisy image. The detailed formulation of $d(t)$ is related to the specific attack adopted by attackers, such as $d(t)\equiv 0$ for TrojDiff and a black-box function for VillanDiffusion. Therefore, it indicates that it is not feasible to reverse the trigger directly through Equation 10. Note that in Elijah (An et al., 2023), they heuristically assume $d(t)=0.5$ and make a trade-off between BadDiffusion and TrojDiff ($\lim\limits_{t\rightarrow T}\frac{\sqrt{1-\bar{\alpha}_{t}}}{1+\sqrt{\alpha_{t}}}=1$ for BadDiffusion). This could lead to the failure of defense, particularly in some difficult cases. Therefore, it is necessary to first establish a unified loss to more accurately characterize the relation between the trigger and the model output. Observe that for Equation 10, we can divide it with the losses of two independent noises $\bm{\epsilon}_{1}$, $\bm{\epsilon}_{2}$ respectively. Furthermore, we can employ the triangle inequality to obtain a lower bound for direct optimization:

Due to the non-negative property of the norm operation, when Equation 10 is optimized to 0, the lower bound in Equation 11 also reaches a minimum point. It means that we can substitute Equation 10 with Equation 11 for trigger reversion. To avoid $r$ collapses to the full-zero vector, we introduce ${l}_{1}$ norm for penalization and $\lambda$ as the trade-off coefficient:

Note that Equation 12 unifies the expression of all current attacks from the reversed loss, free of the trade-off between the detailed formulations. In order to obtain a high-quality reversed trigger, our proposed reverse engineering approach is composed of the following two steps, including the preliminary estimation of the trigger with a surrogate distribution and further refinement with a differential generation process.

Although in Equation 12, we built a unified loss to eliminate the difference in formulations for various attacks, it still needs further improvement to perform reverse engineering. The obstacle is that $\mathbf{x}_{t}$ is unknown to defenders, which is simultaneously decided by the target images $\mathbf{x}_{0}$ and the coefficient $c(t)$. However, the property of diffusion models guarantees that when $t$ approaches $T$, $\mathbf{x}_{t}$ will converge to the prior distribution that is little affected by $\mathbf{x}_{0}$. Therefore, we can substitute $\mathbf{x}_{0}$ with a surrogate image $\hat{\mathbf{x}}_{0}$ sampled from a substitute distribution, e.g., the standard gaussian distribution $\hat{p}_{prior}$, to estimate $\mathbf{x}_{t}$. Here, we also prove this property from a theoretical perspective:

For the proof of Theorem 4.1, please refer to Appendix A for details. Following (Song et al., 2021; Nie et al., 2022), we first prove that the current backdoor diffusion processes are all Wiener Processes. Then we finished the proof with its property. Equation 13 means that the divergence between $\mathbf{p}_{t}$ and $\mathbf{q}_{t}$ will monotonically decrease with $t$ during the diffusion process. Thus $\mathbf{p}_{t}$ and $\mathbf{q}_{t}$ will become indistinguishable when $t$ is large. Therefore, for $t\in[T-\delta,T]$ and $\delta\ll T$, we can substitute $\mathbf{x}_{0}$ with $\hat{\mathbf{x}}_{0}$ and simplify Equation 9 to the following equation:

Here we omit $c(t)$ because $c(t)\approx 1$ when $t\in[T-\delta,T]$. Substituting $\mathbf{x}_{t}$ in Equation 12 with $\mathbf{x}^{(1)}_{t}$, and we can get:

Directly optimizing it with a commonly used optimizer such as SGD (Bottou, 2010), we can preliminarily reverse the trigger. However, if we could represent $\mathbf{x}_{0}$ with a more precise formulation, the quality of the reversed trigger could be further improved.

Recall that in those early studies for diffusion models, the sampling processes are time-consuming because they follow the reversed Markovian chain, which consists of thousands of steps. To save the computational cost, following-up works, such as the Denoising Diffusion Implicit Model (DDIM) sampler (Song et al., 2020a) propose that multiple denoised steps are equal to a non-Markovian process with fewer steps. It indicates that we can obtain high-quality images even with a few steps of sampling. Note that the operations in the denoised process are all differential. Thus it motivates us to estimate $\mathbf{x}_{t}$ with multi-step generations. If $\Phi_{n}(\cdot)$ denotes n-steps DDIM sampler ²²2For continuous diffusion models, it denotes $n$ steps Heun sampler, we can obtain the target image $\mathbf{x}_{0}$ with the trigger $\mathbf{r}$:

Similar to Equation 14, we can obtain a more precise formula for $\mathbf{x}_{t}$ when $t\in[T-\delta,T]$ and $\delta\ll T$:

Substitute $\mathbf{x}_{t}$ with $\mathbf{x}^{(2)}_{t}$, Equation 12 becomes:

In addition to the ending constraint for Equation 9, we can also simplify it with the beginning constraint: Know that $\lim\limits_{t\rightarrow 0}\mathbf{x}_{t}=\mathbf{x}_{0}$. Therefore, for $t\in[0,\delta]$ and $\delta\ll T$, $\mathbf{x}_{t}$ can be approximated with $\mathbf{x}_{t}^{(3)}$:

Substitute $\mathbf{x}_{t}$ with $\mathbf{x}^{(3)}_{t}$, Equation 12 becomes:

For simplicity, we average $\mathcal{L}_{2,1}$ and $\mathcal{L}_{2,2}$ to get our final loss for trigger refinement:

For the overall algorithm for trigger reversion, please refer to Appendix B.1 for details.

As demonstrated in Section 2.2, in the inference stage, because the inputs for diffusion models are sampled noises instead of natural images, current input detection methods, including (Chen et al., 2018; Zeng et al., 2021), fail to protect diffusion models from backdoor attacks. However, if we regard the reversed trigger as the mean of the backdoor distribution, we can further detect the backdoor input from the probabilistic perspective: Note that currently, there are two distributions obtained: One is the benign distribution $\mathcal{N}(0,\mathbf{I})$, known to defenders even without defense and the other is the reversed backdoor distribution, $\mathcal{N}(\mathbf{r},\bm{\gamma}^{2})$. Here $\bm{\gamma}$ is equal to $\mathbf{I}$ for Baddiffusion and VillanDiffusion. For TrojDiff, it is co-optimized with the triggers. Given any input noise $\mathbf{\bar{\bm{\epsilon}}}$, we can calculate its probabilities in the benign or backdoor distributions, which are denoted as $\Phi_{be}(\mathbf{\bar{\bm{\epsilon}}})$ and $\Phi_{bd}(\bar{\mathbf{\bm{\epsilon}}})$, respectively. Empirically, if $\mathbf{\bar{\bm{\epsilon}}}$ is a backdoor input, $\Phi_{bd}(\mathbf{\bar{\bm{\epsilon}}})$ will be greater than $\Phi_{be}(\mathbf{\bar{\bm{\epsilon}}})$ and vice versa. Therefore, we will keep $\bm{\epsilon}$ whose $\Phi_{be}(\mathbf{\bar{\bm{\epsilon}}})\geq\Phi_{bd}(\mathbf{\bar{\bm{\epsilon}}})$ and filter out those noises with $\Phi_{be}(\mathbf{\bar{\bm{\epsilon}}})<\Phi_{bd}(\mathbf{\bar{\bm{\epsilon}}})$ because they might be backdoor inputs.

In (An et al., 2023), they propose Elijah, the first backdoor model detection method for diffusion models. They first generate the target images with the triggers and further perform backdoor model detection with additional assumptions for target distribution. First, they assume that target images are those with high similarity. Unfortunately, this contradicts the proposition by TrojDiff, in which they demonstrate that the attacks that include multiple target images can also be applied to implant backdoors for the diffusion models. In addition, because of the discrepancy between the reversed and the original triggers, target images can not be properly generated with multiple-step generations in some hard situations. Therefore, our proposed model detection method is performed in the trigger space rather than the image space.

Recall that in Section 4.1, we prove that $\mathbf{r}$ is a non-zero minimum point for the lower bound in Equation 11. However, for the benign models, optimizing Equation 12 will finally converge to the point that is close to a full-zero tensor because there are non-zero solutions for them. Therefore, we introduce Kullback-Leibler (KL) divergence, a metric that measures the distance between the reversed distribution $\mathcal{N}(\mathbf{r},\bm{\gamma}^{2})$ and benign distribution $\mathcal{N}(0,\mathbf{I})$. If $\mathbf{r}$ is flattened with a $n$-dimensional tensor, we can easily calculate the dimensional-wise divergence, $\mathbf{d}_{\mathbf{r}}$ between the known benign and the reversed distributions. Further, we can squeeze $\mathbf{d}_{\mathbf{r}}$ to a scalar by calculating its mean and variance over dimensions:

For the whole-image attacks, the trigger will cause a large $M_{\mathbf{r}}$ because the offsets of distribution have appeared across the entire image. For the patch-based attacks, the trigger is only attached to a small region, which will lead to a large $V_{\mathbf{r}}$. Only the benign models can obtain low values in both $M_{\mathbf{r}}$ and $V_{\mathbf{r}}$. In Figure 2, we show that the backdoor and benign models can be easily detected with these extracted features. If both benign and backdoor models are available for defenders, we can train a one-layer network for model detection. We also consider a benign-only (BO) scenario, in which only benign models are accessible. We can calculate the mean and variance of $M_{\mathbf{r}}$ and $V_{\mathbf{r}}$, denoted as ($\mu_{m}$,$\gamma_{m}$) and ($\mu_{v}$,$\gamma_{v}$). According to the 3$\sigma$ criterion, any model that achieves $M_{\mathbf{r}}>\mu_{m}+3*\gamma_{m}$ or $V_{\mathbf{r}}>\mu_{v}+3*\gamma_{v}$ will be regarded as the backdoor model.

Dataset: Our experiments are mainly performed on the CIFAR-10 (Krizhevsky et al., 2009) dataset. In Section 6.3, we extend our experiments to large datasets, including CelebA (Liu et al., 2015) and CelebA-HQ (Karras et al., 2017).

Attack: We evaluate the performances of our defense against all known pixel-level backdoor attacks for diffusion models, including BadDiffusion, TrojDiff, and VillanDiffusion. We select the DDPM (Ho et al., 2020) as the victim model for both BadDiffusion and TrojDiff. For VillanDiffusion, the backdoor is inserted in EDM (Karras et al., 2022). To ensure a comprehensive and fair evaluation, on the CIFAR-10 dataset, we report the results that are the average of six different settings for each attack. For large datasets, all default settings from the original paper are included. Please refer to Appendix D for more details.

Defense: As far as we know, Elijah (An et al., 2023) is the first and only existing work that specifically designs backdoor defense for diffusion models and we select it as the baseline. For its hyperparameter setting, we keep in line with the original paper. As for our proposed TERD, the iterations for trigger estimation are 3000 and 1000 for further refinement. We choose SGD as our optimizer with 0.5 learning rate which is adaptively adjusted with the cosine learning rate schedule. The trade-off coefficient $\gamma$ is set as 5e-5 for CIFAR-10 and 5e-4 for larger datasets. $\delta$ is set as $0.01T$ and the step number, $n$, for multi-step generation is set as 10. For the model detection with a neural network, we trained the model with 5 benign models and 50 backdoor models which are poisoned by the grey-box-hat setting under the BadDiffusion attack. For the benign-only (BO) backdoor detection, we calculate the threshold with 100 benign models only which are trained with the baddiffusion open-source code.

Metrics: To evaluate the performance of our proposed reversed engineering approach, we select the $l_{2}$ norm of the difference between reversed trigger $\mathbf{r}$ and the original trigger $\mathbf{r}_{o}$ to access the quality of the method, denoted as $||\mathbf{r}-\mathbf{r}_{o}||_{2}$. For the backdoor detection methods, we use TPR (True Positive Rate) and TNR (True Negative Rate): the proportion of the benign or backdoor input/model is successfully detected. For input detection, the metrics are calculated over 50000 points sampled from the benign or the backdoor distributions. For model detection, we report the results that include 100 benign models and 120 backdoor models (20 models for each of the settings). All experiments are performed on the NVIDIA A100 GPUs.

We summarize the performances of TERD against current attacks on the CIFAR-10 dataset in Table 2. In addition, we compare TERD with Elijah from both the numerical results in Table 2 and empirical visualization in Figure 3. First, for the reversed engineering methods, the results reveal that compared to Elijah, our proposed TERD can more accurately reverse the triggers. It is because compared to Elijah, TERD not only establishes a unified loss for trigger reversion and considers both the initial and the ending conditions of current attacks. Besides, our proposed progressively reversed strategy can help us initially estimate the trigger and improve its quality with further refinement.

Attribute to the success of our trigger reversion approach, our proposed backdoor detection method obtains 100% TPR and TNR in all settings. From the perspective of input detection, we successfully detect the noises sampled from the backdoor distribution with the calculated probabilities. As for model detection, considering we only include one setting of the BadDiffusion attack to train the detection model, our proposed defense shows its better transferability than Elijah across different settings within the same attack and the settings across attacks. With further analysis, we find the reason is that the quality of generated images with the reversed triggers by Elijah will severely decline in some circumstances. Instead of detecting the poisoned models with the generated images, our proposed TERD performs model detection with the KL divergence of the reversed trigger. This helps TERD obtain steady performances in all settings.

In addition to small datasets e.g. CIFAR-10, recent advancements in diffusion models show their outstanding performances in high-resolution image generation (Rombach et al., 2022b). Unfortunately, recent studies show that backdoors can be successfully implanted even for those complex datasets (Chou et al., 2023a). Therefore, it is necessary to evaluate TERD on large datasets to study whether it can provide assistance for diffusion models in all situations. With the open-source code provided by current attacks, we evaluate TERD on CelebA and CelebA-HQ datasets. Since our extracted features for model detection are agnostic to the image size, we use the same detection model and the threshold adopted by the CIFAR-10 dataset. The results are summarized in Table 3 and for all settings, we obtain 100% TPR and TNR. Note that the entry for attacks means the kind of attack, the victim model and the poison datasets. The results reveal that TERD is effective on high-resolution datasets and has good transferability across datasets. It means we can detect the backdoor models with TERD trained on large datasets with a detector, trained on small datasets. It can largely decrease the computation cost, considering training a diffusion model on large datasets usually requires huge computational resources.

In (Chou et al., 2023b), they propose an SDE-based framework to implant a backdoor for diffusion models. Previous studies in (Song et al., 2020b, 2023) propose that SDE can also be used to depict the dynamics of other kinds of generative models including the score-based models (Song & Ermon, 2019) and consistency models (Song et al., 2023). Unfortunately, it also indicates that with some appropriate adaptations, VillanDiffusion will pose a threat not only to diffusion models but also to other models designed by similar dynamics. To study whether TERD can be applied to those models, we evaluate its performance in Table 4. We report the results that are the average of six configurations of VillanDiffusion and we use the same detector as this used in Section 6.2. Surprisingly, we show that TERD can be flexibly adapted and safeguard those models. This is because TERD provides the overall framework for backdoor defense and we can instantiate its details based on different circumstances. This demonstrates the good transferability of TERD to SDE-based models and its excellent scalability even for some unknown models designed with similar principles.

We study the effect of each component to the performance of our proposed defense. In addition, we consider defending attacks with varied trigger sizes and different poison rates. We report the results that are the averages of BadDiffusion, TrojDiff, and VillanDiffusion attacks.

Influence of each Component: We compare TERD with two variants, including (1) TERD with only TE (Trigger Estimation) applied. (2) TERD with only TR (Trigger Refinement) applied on the CIFAR-10 dataset. For both of the variants, we simply substitute the loss function of the removed stage with this of the kept stage and keep other hyperparameters unchanged. As shown in Table 4, although applying either TE or TR alone can yield decent performance, combining them together can obtain a more powerful defense: lower $l_{2}$ norm between the reversed and the original trigger, both TPR and TNR reaches 100%. The reason is that TE estimates the target image with a surrogate distribution which might introduce randomness to the trigger reversion. And TR involves multiple forward or backward propagations through the network increasing the difficulty of optimization when it is initialized with random noises. Therefore, we propose to use TE to boost TR: by initializing noise with a rough trigger reversed by TE, the performances of TR can be further improved thus boosting the performances of both input and model detections.

Trigger Size and Poison Rate: We also investigate whether the success of TERD will be affected by the configurations of attacks. Here we consider two key factors: the size of the trigger and the poison rate. Four different settings are chosen for each factor. The minimum poison rate is set to 2% because any value below this threshold would render the attack unsuccessful. We summarize the results in Table D of Appendix D. The results demonstrate that TERD obtains 100% successful detection rates in all settings. It reveals that TERD exhibits excellent adaptability to attack with different configurations.

Because we perform the backdoor detection from the distribution view, one intuitive adaptive attack is when the benign and backdoor distributions are close enough, it might bypass our proposed defense. Therefore, we introduce the hyperparameter $\eta$ ($0<\eta<1$), which scales the original trigger $\mathbf{r}_{o}$ to $\eta*\mathbf{r}_{o}$ and evaluate the performance of TERD for each settings of the attack. The TNR for model detection is summarized in Figure 4, which is the average of the results with a network and statistical detector. For the performances of the input detection, please refer to Figure LABEL:fig:input for details. We observe that when $\eta$ is extremely low, e.g. $0.1$ for TrojDiff, the performance of TERD will degrade. Nevertheless, with further inspection in Table 10, we find that the benign utility will be severely hurt by current attacks. This is because the backdoor and benign distributions at this time have largely overlapped. Even without TERD, the anomalies can be easily noticed by the defenders with human inspection. This illustrates the robustness of TERD to adaptive attack.

In previous sections, we illustrate the outstanding performances of TERD in various settings. Here, we analyze the complexity of TERD to investigate whether it is practical to deploy it in real life. For our proposed reversed engineering method, the time cost is the sum of those in both stages. First, for trigger estimation, because $x_{t}$ can be directly represented with one equation, the computational complexity for Equation 12 is $O(1)$. If we denote the number of iterations for the trigger estimation as $m_{1}$, the computational complexity for trigger estimation can be represented as $O(m_{1})$. For the trigger refinement stage, we can first obtain that the complexity for obtaining $x_{0}$ is $O(n)$ because it needs $n$ steps of generative iterations to obtain $x_{0}$ and the complexity for each step is $O(1)$. Following the previous analysis for trigger estimation, we can further obtain that the overall computational complexity for the trigger refinement stage is $O(nm_{2})$ ($m_{2}$ is the number of optimizations in the second stage.). Suming the results of both stages, the overall computational complexity for our method is $O(nm_{2}+m_{1})$. For the analysis of the input and model detection, please refer to Appendix E for details.

In addition to the theoretical perspective, we also evaluate the time consumption with experiments. Evaluated on a single A100 GPU, we record the time consumed by TERD and the cost of training a diffusion model from scratch on the CIFAR-10 dataset in Table 6. Firstly, the results indicate that compared to the training cost of diffusion models, the cost for TERD is marginal ($<1\%$). This demonstrates the cheap computational cost of TERD, which can be afforded by most defenders. Secondly, it also reveals that the detection task can be finished in less than 0.003 seconds, demonstrating our proposed method is appropriate to deploy online. It will have a negligible effect on the experience of users and can quickly finish the filtering mission even if thousands of user requests are sent to the central server.