TREANT: Red-teaming Text-to-Image Models with Tree-based Semantic Transformations

We sincerely thank you for your thorough review and valuable feedback. We appreciate your recognition of our work's strengths, including the clear explanation of T2I model safety mechanisms, the impressive success rate in jailbreaking DALL·E 3, and the novelty of our Prompt Parse Tree (PPT) approach. Your insights have helped us identify areas for improvement, which we address below.

1. Clarification on Semantic Decomposition and Querying

Comment: "The method of semantic decomposition could benefit from further clarification (e.g., in line 253 you say you query the T2I model, but in your algorithm you query LLM, so which do you query). It would be helpful to provide more details on how this process works.”

Response:

We apologize for the confusion. In our method, semantic decomposition involves querying a LLM, not the T2I model. Specifically, we:

1. Construct the Prompt Parse Tree (PPT): We input the original prompt into the LLM, which outputs a hierarchical decomposition of the prompt into its semantic components, forming the PPT.
2. Identify Sensitive Elements: Using the PPT, we locate elements that may trigger the T2I model's safety filters.
3. Apply Red-Teaming Strategies: We transform these sensitive elements within the PPT using our strategies.
4. Reconstruct the Prompt: We traverse the modified PPT to generate the adversarial prompt.

We will clarify this process in the revised manuscript to ensure it's clear that we query the LLM, not the T2I model, during semantic decomposition.

2. Necessity of the Prompt Parse Tree (PPT)

Comment: "The construction of the Prompt Parse Tree (PPT) is interesting, but it’s not fully clear why it’s beneficial for the method. Could strategies like semantic decomposition and sensitive drowning be performed without the need for PPT? Explaining why PPT is essential would strengthen the argument.”

Response:

The PPT is essential for:

• Hierarchical Semantic Understanding: It provides a structured representation of the prompt, allowing targeted transformations of specific sub-components without affecting the entire prompt.
• Systematic Exploration: By traversing the PPT, we can efficiently explore different combinations of semantic transformations.
• Reduced Redundancy: The tree structure helps avoid redundant queries by tracking modified sub-prompts.

Without the PPT, applying semantic decomposition and sensitive element drowning would be less efficient and more error-prone. We will emphasize the importance of the PPT in the revised paper.

3. Expansion of Comparison Baselines

Comment: "The comparison baselines in the experiment section could be expanded. Testing against more robust safety mechanisms, such as those in Stable Diffusion variants like ESD [R1], SLD [R2], and others, would provide a more convincing case for the method’s effectiveness.”

Response:

Thank you for this suggestion. We have extended our experiments to include:

• Erasing Concepts from Diffusion Models (ESD) [R1]: TREANT achieved a success rate of 5.0%, comparable to SneakyPrompt (4.5%), TextFooler (8%), and BAE (11%). Lower success rates are due to the model's limited language comprehension.
• Safe Latent Diffusion (SLD) [R2]: TREANT achieved 41.5%, outperforming MMA-Diffusion (40.2%), SneakyPrompt (35.5%), TextFooler (26.0%), and BAE (24.0%).
• PixArt-α: TREANT achieved 32.4%, higher than MMA-Diffusion (27.3%) and other methods, demonstrating effectiveness even against well-aligned models.

These results strengthen our method's generalizability and robustness.

4. Generalizability to Other T2I Models

Comment: "The method seems to be tailored specifically to DALL·E 3, which raises questions about its generalizability to other T2I models. More evaluation on different models could be valuable.”

Response:

We have conducted additional experiments on other T2I models:

• Stable Diffusion Variants (SD1.4, SD2.1, SDXL): TREANT's success rates are lower due to these models' weaker language comprehension, which limits the effectiveness of our semantic-based attacks.
• Safe Latent Diffusion (SLD): TREANT performed well, indicating generalizability to models with robust safety mechanisms.
• PixArt-α: TREANT demonstrated effectiveness, supporting its applicability to different architectures.

We will include these results in the revised manuscript to showcase TREANT's generalizability.

I appreciate the clarifications provided. I raise my rating to 6. I would like to raise two suggestions for strengthening the paper further:

1. Given that your black-box T2I red-teaming method shows higher success rates in stronger models but lower in weaker models, it would be valuable to discuss potential adaptations for models with limited language comprehension (like most SD-based models). Perhaps exploring modifications to make your approach more robust across different model types would enhance its practical utility.
2. Since your method relies heavily on LLMs, including some quantitative analysis of LLM performance on each sub-task (e.g., PPT construction, adversarial prompt modification) would provide valuable insights into the method's internal workings and help readers better understand its strengths.

Thank you for the detailed response. I don't expect an immediate address of these points, but hope you can think about them.

We sincerely thank you for your thoughtful review and valuable feedback. We appreciate your recognition of the importance of red-teaming T2I models and the strengths you noted in our work. Below, we address your concerns.

1. Novelty Compared to Existing Prompt Engineering Methods

Comment: "The proposed method lies in the category of prompt engineering... I fail to see clear novelty compared to token replacement and insertion. Especially, in some cases, this method performs worse than BAE or even SneakyPrompt."

Response:

While our approach involves prompt manipulation, TREANT offers significant advancements over traditional token replacement and insertion methods:

• Tree-Based Semantic Transformations: TREANT systematically explores the prompt space using a tree structure that captures hierarchical semantic relationships. This goes beyond simple token-level changes by considering complex semantic variations and combinations.

• Semantic Decomposition and Sensitive Element Drowning: Leveraging LLMs for semantic decomposition, TREANT effectively identifies and transforms sensitive elements. The sensitive element drowning strategy refines prompts by adding benign details to bypass safety filters without altering the core intent.

• Effectiveness Across Models: Our experiments demonstrate that TREANT consistently outperforms existing methods across various models and datasets. Even in challenging scenarios, TREANT maintains higher success rates due to its strategic approach.

Regarding instances where TREANT performs worse than BAE or SneakyPrompt, we acknowledge that different methods may have varying strengths in certain contexts. However, our updated evaluations show that TREANT generally achieves superior performance. We will include additional comparative analyses in the revised manuscript to highlight where TREANT excels and discuss factors influencing its performance relative to other methods.

2. Evidence of Broader Prompt Coverage Toward NSFW Semantics

Comment: "It would be better if the authors provided any form of guarantee or evidence showing the proposed algorithm can cover more possible prompts toward NSFW semantics."

Response:

To demonstrate TREANT's capability to cover a broader range of NSFW prompts, we have conducted additional experiments:

• Expanded Results: We included quantitative metrics comparing the diversity and coverage of adversarial prompts generated by TREANT versus other methods. Our results show that TREANT achieves higher success rates across various models, indicating broader coverage.

• Empirical Evidence: For example, on the Safe Latent Diffusion (SLD) model $b$ , TREANT achieved a success rate of 41.5%, outperforming MMA-Diffusion $a$ at 40.2%, SneakyPrompt at 35.5%, TextFooler at 26.0%, and BAE at 24.0%.

• Systematic Exploration: TREANT's tree-based approach allows systematic and hierarchical exploration of semantic variations, enabling it to cover more possible prompts leading to NSFW content compared to linear or random methods.

By presenting this evidence, we substantiate TREANT's effectiveness in generating a more comprehensive set of adversarial prompts targeting NSFW content.

3. Clarification on the Use of GPT-4 for NSFW Content Detection

Comment: "It is misleading that the proposed method is designed to bypass image safety filters. However, GPT-4o is used to check whether NSFW content is generated, which means GPT-4o can serve as a good image safety filter to drop all the malicious prompts generated by TREANT."

Response:

We apologize for any confusion regarding the role of GPT-4o in our evaluation:

• Purpose of GPT-4o: GPT-4o is employed as an evaluation tool to assess whether the images generated by the T2I models contain NSFW content. It serves as an independent classifier to estimate the success rate of our adversarial prompts.

• Not Part of T2I Models' Safety Filters: GPT-4o is not integrated into the T2I models' safety mechanisms. Our experiments aim to test the models' inherent safety features without external enhancements.

We acknowledge that GPT-4o's capabilities could be used to improve image safety filters. However, the focus of our work is to evaluate and improve the robustness of existing T2I models' safety mechanisms. We will clarify this distinction in the revised manuscript.

We sincerely thank you for your positive evaluation and for highlighting the importance of our work. Your constructive feedback is greatly appreciated and will help us improve our paper. Below, we address your concerns in detail.

1. Inclusion of More Qualitative Results and Examples

Comment:
"It would be great if the authors could include more qualitative results in their paper because it would really help us understand how well TREANT performs. The success rate of 88.5% sounds impressive, but sharing some specific examples of the images generated would give us a clearer idea of what’s going on. It would be useful to see the types of content TREANT produces and how it handles different situations. I get that safety concerns might limit what they can show, but if they can share more examples, it would definitely make the paper more engaging and helpful for readers. E.g., in figure 7 it would be better if more examples can be shown for a more convincing conclusion."

Response:

Thank you for emphasizing the value of including more qualitative results to illustrate TREANT's performance. We agree that additional examples would enhance understanding. However, due to ethical guidelines and conference policies, we cannot display NSFW content generated during testing.

To address your concern while adhering to ethical standards, we will:

• Provide Detailed Descriptions: Include comprehensive textual descriptions of the generated images in the revised manuscript, explaining how TREANT modifies prompts and the nature of the results without showing NSFW content.

• Add Examples on Our Website: Share a running example on our project website (link) demonstrating TREANT's step-by-step process and how it bypasses safety mechanisms.

• Enhance Qualitative Analysis: Discuss specific case studies, including scenarios where TREANT excels and where it faces challenges, to provide a balanced view of its capabilities.

• Include Supplementary Material: If permissible, provide additional examples in the supplementary material, ensuring compliance with ethical guidelines.

We believe these steps will make the paper more engaging and informative without compromising safety considerations.

2. Enhanced Analysis with Qualitative Results

Comment:
"And more analysis together with the qualitative results could be more helpful."

Response:

We appreciate your suggestion for deeper analysis alongside qualitative results. In response, we will:

• Analyze Transformation Techniques: Examine how specific semantic transformations help bypass safety measures, highlighting which are most effective and why.

• Discuss Success and Failure Cases: Highlight scenarios where TREANT successfully evades safety filters and analyze cases where it does not, illustrating the strengths and limitations of our approach.

• Impact of T2I Model's Semantic Understanding: TREANT's success relies on T2I models' strong semantic understanding of long texts. For advanced models like DALL·E 3, TREANT achieves a high success rate of 88.5%. However, on models with limited semantic understanding, such as Stable Diffusion v1.4, the success rates are significantly lower (TREANT: 5.0%, SneakyPrompt: 4.5%, TextFooler: 8%, BAE: 11%). This highlights that TREANT's effectiveness is closely tied to the model's semantic comprehension capabilities.

• Impact on Different Content Types: Add a table showing TREANT's performance across various categories of sensitive content (violent, hateful, explicit) and analyze the nuances in each case.

By providing this additional analysis, we aim to offer a more comprehensive understanding of TREANT's effectiveness and its implications for testing T2I models.

I appreciate the authors' responses to my questions and their added details to the paper. My positive assessment remains unchanged.

We sincerely thank you for your thoughtful feedback and for recognizing the strengths of our work, particularly in adjusting and refining prompts using semantic decomposition and the practical utility of sensitive element drowning. We address the concerns raised as follows:

1. Missing Related Work: UnlearnDiffAtk [1]

Comment: "Missing related work white-box adversarial prompt attack baselines such as UnlearnDiffAtk [1], which is even able to enforce unlearned T2I model to generate images containing harmful contents."

Response:

Thank you for bringing UnlearnDiffAtk [1] to our attention. We apologize for the oversight in not including this relevant work in our related literature. UnlearnDiffAtk focuses on white-box adversarial attacks that target unlearned diffusion models to generate harmful content. In contrast, our proposed method, TREANT, operates under a black-box setting, without access to the internal parameters or gradients of the T2I models.

While UnlearnDiffAtk leverages internal model information to craft adversarial prompts, TREANT systematically refines prompts through tree-based semantic transformations, making it applicable to a wider range of models, including those where internal access is restricted. We will include a discussion of UnlearnDiffAtk in the related work section, highlighting the differences and potential complementarities between the two approaches.

2. Demonstrating Scalability through Time Efficiency

Comment: "To demonstrate scalability, it is better to add time efficiency as one main evaluation metric."

Response:

We appreciate the suggestion to include time efficiency as an evaluation metric to demonstrate scalability. In our experiments, we observed that TREANT maintains a reasonable computational overhead due to its efficient tree-based transformations. Specifically, the average time taken per adversarial prompt generation is 1.87 seconds on a standard computing setup, which is comparable to existing methods.

In the revised manuscript, we will include a detailed analysis of the time efficiency of TREANT, comparing it with baseline methods. This addition will provide a clearer picture of TREANT's scalability and practical applicability in real-world scenarios.

References:

[1] To Generate or Not? Safety-Driven Unlearned Diffusion Models Are Still Easy To Generate Unsafe Images … ECCV’24

Again, we appreciate your valuable feedback and the opportunity to improve our manuscript. We believe that addressing these concerns will strengthen the contribution and clarity of our work.