Multi-modality Adversarial Attacks on Latent Diffusion Models

Q1: Related work.

We focus on attacking diffusion models. In contrast, [1] uses diffusion models to generate adversarial examples against image classifiers, and [2] focuses on attacking vision-language pre-training models. We have added the discussion in our paper.

Q2: Transfer attacks.

We compare our method with two traditional transfer-based attacks, DIM [3] and SIM [4]. Our approach can outperform the baselines.

White-box on SD2-1

Black-box on SD1-5

Q3: Difference of baselines.

As we introduce in Section 5.1, the four baselines are single-modality attacks in our MMA framework. Suppose we update the adversarial pairs for $T$ iterations by our MMA. We perturb images for $T_1$ iterations and text for $T_2$ iterations. Therefore, $T = T_1 + T_2$. “Image” and “Text” run the MMA framework only on one modality. “Image” only perturbs the input image for $T$ iterations by the MMA framework without changing the input text. Similarly, “Text” only perturbs the input text for $T$ iterations by the MMA framework without changing the input image. “MMA w/o Image” and “MMA w/o Text” mean that we run MMA on both modalities, but we only use the perturbations from one modality. Specifically, “MMA w/o Text” means we only perturb the input image by the generated image perturbation of MMA, which is to perturb the image for $T_1$ iterations. “MMA w/o Image” means we only perturb the input text by the generated text perturbation of MMA, which is to perturb the text for $T_2$ iterations.

Q4: Co-attack.

We compare our method with Co-attack. We can see that our approach achieves better performance.

Q5: Transfer setting.

We can incorporate DIM and SIM into our method to improve adversarial transferability. We find that the adversarial transferability is improved.

Black-box on SD1-5

[1] Chen J, Chen H, Chen K, et al. Diffusion Models for Imperceptible and Transferable Adversarial Attack[J]. arXiv preprint arXiv:2305.08192, 2023.

[2] Zhang J, Yi Q, Sang J. Towards adversarial attack on vision-language pre-training models[C]//Proceedings of the 30th ACM International Conference on Multimedia. 2022: 5005-5013.

[3] Xie C, Zhang Z, Zhou Y, et al. Improving transferability of adversarial examples with input diversity[C]//Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 2019: 2730-2739.

[4] Lin J, Song C, He K, et al. Nesterov accelerated gradient and scale invariance for adversarial attacks[J]. arXiv preprint arXiv:1908.06281, 2019.

Dear Reviewer,

Thank you for your valuable reviews. Since the discussion phase is going to finish in one day, we look forward to your further feedback about our latest response. Do you still have any concerns about our paper after the rebuttal? Do we address your questions? We are happy to discuss with you in more detail. We greatly appreciate your time and feedback.

Best regards,

Authors

Thank you for your valuable review!

Q1: Theoretical analysis.

Compared with single-modality attacks, multi-modality attacks have a lower upper bound of the perturbation. The proof is as follows.

We suppose the perturbation of each step is $(\delta^j_i, \delta^j_t)$ for multi-modality adversarial attacks, where $\delta^j_i$ and $\delta^j_t$ are the perturbation on the image and text respectively.

In our MMA approach, we only update image or text in each step, so $\delta^j_i = **0**$ or $\delta^j_t = **0**$.

Without loss of generalization, we focus on the perturbation on the image. Thus, the total perturbation on the image $\Delta_i = \sum_{j}^{T} \delta^j_i$, where $T$ is the total iteration.

Then the $L_2$ norm of the total image perturbation holds the inequality $|| \Delta_i ||_2 = || \delta^1_i + \cdot + \delta^T_i||_2 \leq || \delta^1_i||_2 + \cdot + || \delta^T_i||_2$. For each perturbation $|| \delta^j_i||_2$, we have the constraint that $|| \delta^j_i||_2 = \alpha$, where is the step length for each iteration.

As a result, the $|| \Delta_i ||_2 \leq \alpha * M$, where $M \leq T$ is the iteration times to update image.

However, for single-modality attack, the total image perturbation $|| \Delta_i ||_2 \leq \alpha * T$.

All in all, multi-modality attacks have a lower upper bound of the perturbation unless the multi-modality attack is degenerated to single-modality attack.

Q2: Targeted attack.

Our approach can be adapted to the targeted adversarial scenario. Specifically, we minimize the distance between the adversarial input pair and the target image-prompt pair in the latent space of the cross-attention module. The results are as follows. Our attack is still effective and imperceptible in targeted adversarial scenarios.

Q3: User study.

Please see Q3 of Reviewer FHsv.

Q4: Efficiency.

We compare our time efficiency with baselines. We compute the average time to generate one adversarial example. MMA, LDMR, and QF use 53.2, 49.2, and 44.7 seconds, respectively. Although our time efficiency is similar to the previous works, we can achieve better imperceptibility and attacking performance.

Dear Reviewer,

Thank you for your valuable reviews. Since the discussion phase is going to finish in one day, we look forward to your further feedback about our latest response. Do you still have any concerns about our paper after the rebuttal? Do we address your questions? We are happy to discuss with you in more detail. We greatly appreciate your time and feedback.

Best regards,

Authors

Thank you for your valuable review!

Q1: Measurement.

A diffusion model is a generative model. Therefore, attacking diffusion models is different from the classic adversarial attacking scenario, which targets image classifiers and has an explicit attacking objective and measurement as we discussed in Section 3. Therefore, we cannot quantify the performance of the attack by the success rate. Instead, we utilize the performance metrics in the generative model literature [1,2], which allows us to quantify the attacking performance by the generation quality and the similarity between the generated images and prompts under attacks. Besides, the selected metrics are widely used in previous studies of adversarial attacks on diffusion models [3,4].

Q2: Contribution.

Adversarial attacks can be used to evaluate the robustness of the target model. As we discussed in the third paragraph of Section 1, we need multi-modality attacks for the below reasons.

(1) Compared with the single-modality attacks on diffusion models, multi-modality attacks can more thoroughly explore the perturbation space. Therefore, multi-modality attacks can find more failures of diffusion models than single-modality attacks.

(2) Perturbing the text and image at the same time distributes the needed perturbation to both modalities, making them more imperceptible to humans on the whole.

(3) The generated adversarial examples can also be utilized to retrain the model for improving the robustness [5], and to fingerprint the models [6] and watermark the examples [7] for solving privacy issues.

Q3: User study.

In order to measure the success of the attack and its imperceptibility, we launch a preliminary user study, where we randomly select 100 examples, and ask three annotators to give their scores. We compare our approach with baselines LDMR and QF. For measuring the ASR, we ask the annotator the following question: How well does the generated image correspond with the prompt? Please score it from 1 to 5, where the higher score means a higher consistency. For measuring the imperceptibility, we ask the annotator the following question: How similar are the two data pairs (the adversarial pair and the original pair)? Please score it from 1 to 5, where the higher score means a higher similarity.

The results are shown in the table below. The agreement of the user study is 80.7 %. We can see that our approach achieves the best attacking performance and imperceptibility.

Q4: ASR.

As we mentioned in Q1, the attack success rate is not suitable for quantifying the performance of attacks on diffusion models. If needed, we can set a threshold on the drop of the CLIP score to represent whether the attack is successful or not. We set the threshold to be 2.0. The ASR of MMA is 99.6%, while the ASR of LDMR and QF are 10.5% and 21.3%, respectively. Our approach outperforms the baselines with a large margin on ASR.

Q5: Presentation.

The citation in the paper is modified as you suggested.

[1] Ho J, Jain A, Abbeel P. Denoising diffusion probabilistic models[J]. Advances in neural information processing systems, 2020, 33: 6840-6851.

[2] Rombach R, Blattmann A, Lorenz D, et al. High-resolution image synthesis with latent diffusion models[C]//Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 2022: 10684-10695.

[3] Salman H, Khaddaj A, Leclerc G, et al. Raising the cost of malicious ai-powered image editing[J]. arXiv preprint arXiv:2302.06588, 2023.

[4] Zhang J, Xu Z, Cui S, et al. On the Robustness of Latent Diffusion Models[J]. arXiv preprint arXiv:2306.08257, 2023.

[5] Shafahi A, Najibi M, Ghiasi M A, et al. Adversarial training for free![J]. Advances in Neural Information Processing Systems, 2019, 32.

[6] Peng Z, Li S, Chen G, et al. Fingerprinting deep neural networks globally via universal adversarial perturbations[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2022: 13430-13439.

[7] Liang C, Wu X, Hua Y, et al. Adversarial Example Does Good: Preventing Painting Imitation from Diffusion Models via Adversarial Examples[J]. 2023.

Dear Reviewer,

Thank you for your valuable reviews. Since the discussion phase is going to finish in one day, we look forward to your further feedback about our latest response. Do you still have any concerns about our paper after the rebuttal? Do we address your questions? We are happy to discuss with you in more detail. We greatly appreciate your time and feedback.

Best regards,

Authors

Thank you for your valuable review!

Q1: Challenges & contributions.

As we stated in the third paragraph of Section 1, perturbing the text and image at the same time distributes the needed perturbation to both modalities, making them more imperceptible to humans on the whole. Besides, compared with single-modality attacks, multi-modality attacks have the potential to discover more robustness issues. Therefore, the challenge resides on the proper interaction between two modalities to find the optimal perturbation in each step for both good attacking performance and imperceptibility. Therefore, we propose MMA, which uses a unified query ranking framework to properly combine the updating on both modalities.

Furthermore, we are the first to study the multi-modality attacks on diffusion models. We formally define the multi-modality attacks, specifying the attack objective, the perturbation space, and the attack constraints.

Multi-modality attacks also have multiple applications. The generated adversarial examples can be utilized to retrain the model for improving the robustness [3], and to fingerprint the models [4] and watermark the examples [5] for solving privacy issues.

Q2: Evaluation.

We follow previous works [1,2] to utilize PSNR as a metric to quantify the attacking performance. PSNR measures the difference between the generated images of the original input and the adversarial input. In addition to PSNR, we also deploy other metrics, like SSIM, and MSSSIM to measure the difference. The results on these metrics validate the effectiveness of MMA.

Q3: Two modalities.

The two modalities have different influences on the output results. Text perturbations mislead the high-level features and the overall function of image editing, while image perturbations influence the low-level features and reduce the generation quality. As shown in the third row of Figure 3 in the paper, the scenario of the edited image (a cat and a bed) keeps the same under image perturbations, but the text perturbations change the scenario. Besides, as shown in the last row of Figure 3 in the paper, combining perturbations from two modalities can effectively break the normal functionality of diffusion models, while the single-modality perturbation fails to do so.

Q4: Model differences.

The difference between SDv1 and SDv2 is on the encoder of the image. SDv1 uses the pre-trained CLIP, while SDv2 retrains CLIP on their own dataset. The difference between SDv1-4 and SD-v1-5 is on the model weights. The latter version is further trained based on the previous version.

Q5: Qualitative examples. Please refer to the top 2 rows of Figure 3 in our paper. We can see that both the image and text perturbations are imperceptible to humans.

[1] Salman H, Khaddaj A, Leclerc G, et al. Raising the cost of malicious ai-powered image editing[J]. arXiv preprint arXiv:2302.06588, 2023.

[2] Zhang J, Xu Z, Cui S, et al. On the Robustness of Latent Diffusion Models[J]. arXiv preprint arXiv:2306.08257, 2023.

[3] Shafahi A, Najibi M, Ghiasi M A, et al. Adversarial training for free![J]. Advances in Neural Information Processing Systems, 2019, 32.

[4] Peng Z, Li S, Chen G, et al. Fingerprinting deep neural networks globally via universal adversarial perturbations[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2022: 13430-13439.

[5] Liang C, Wu X, Hua Y, et al. Adversarial Example Does Good: Preventing Painting Imitation from Diffusion Models via Adversarial Examples[J]. 2023.

Dear Reviewer,

Thank you for your valuable reviews. Since the discussion phase is going to finish in one day, we look forward to your further feedback about our latest response. Do you still have any concerns about our paper after the rebuttal? Do we address your questions? We are happy to discuss with you in more detail. We greatly appreciate your time and feedback.

Best regards,

Authors