Thank you for your thorough review on our submission. We hope that our response (A) to each weakness (W) and question (Q) address your concerns and positively affect the rating.

W1 & Q1: Training details of ImageNette & CIFAR-10.

A: The training details of ImageNette & CIFAR-10 are in Appendix A.3, as cited in Line 180. ImageNette and CIFAR-10 follow the original setup. ImageNette has 10,000 training samples with 1,000 per class [C1]. CIFAR-10 has 50,000 training samples with 5,000 per class [C2].

[C1] fast.ai, https://github.com/fastai/imagenette , 2021.

[C2] Alex Krizhevsky, “Learning Multiple Layers …”, 2009.

W2: Experiments on LAION, without clear classes.

A: Like comparisons with BadT2I (Lines 260-261 & Appendix E), our method can be applied to image-caption pair data. Please refer to GR2 in the general response on LAION [C3].

[C3] Schuhmann, et al. "Laion-5b: An open large-scale dataset ...", NeurIPS 2022.

W3 & Q2: There are no results for CIFAR-10.

A: The attack results for CIFAR-10 are presented in Figure A5 of Appendix F. Our detection approach for CIFAR-10 is detailed in Table 3, and our diffusion classifier strategy is included in Table A4 (as cited in Line 316).

W4 & W8: The paper is sometimes hard to read, and it is difficult to grasp what the authors want to convey as the take-away message is not clear.

A: We regret that the paper was found difficult to read and that the take-away messages were not clear. We have made substantial efforts to structure the paper for clarity and ease of understanding. The primary research question concerning the dual effects (i.e., 'Trojan Horses' and 'Castle Walls') of BadNets-type attacks on DMs is explicitly outlined in the introduction (Lines 33-51). The paper systematically presents the key findings: Section 4 explores the attack feasibility and insights such as trigger amplification and phase transitions. Section 5 builds on these insights with defense strategies including poison data detection and classifier training. Our paper's readability was also praised by other reviewers. For example, Reviewer A3yL noted, “This paper is easy to follow,” and Reviewer jBz2 noted, “The paper is well-structured and clearly communicates its methodology, findings, and implications.”

We hope the reviewer can reconsider the criticisms on our paper readability.

W5 & Limit: Using "poisoned DM" as a defense is not very realistic. AUROC improvement for poisoning detection is minor (in most cases, less than 1% improvement).

A: Please refer to GR3 in the general response about the applicability of our defense strategy.

Additionally, Table 3 indicates a more substantial improvement in AUROC for poisoning detection than noted. The average increase is 5.9%, with 46 out of 54 cases showing improvements exceeding 1% (See Table R3 of the attached PDF).

W6: The data replication experiments are not meaningful. The experiment would be more meaningful if the same images would be once poisoned and once not poisoned.

A: Thank you for your feedback. First, the original experiments are designed to investigate two aspects: (a) whether poisoning replicated data exacerbates data replication in generated images, and (b) whether the poisoning effect can in turn become worse, as indicated in Line 338-341, showing that poisoning duplicate images significantly increases the generation of trigger-tainted images.

Second, comparing the effects on the same images, once poisoned and once not, is insightful. We add this study in Figure R3 in the attached PDF. Fig. R3 shows the similarity scores between a generated image ( 'A') and its corresponding replicated image ('B'). There is a significant increase in data replication score when the replicated images in the training set are poisoned compared to the “No Poison” setting by a clean SD.

W7 & Misc: There are two other works [1, 2] that use DMs for defending against poisoning attacks. Reference and link issue.

A: We will follow the suggestions.

Q3 & Q4: Trigger pattern factor?

A: Prior research [C4] demonstrates that BadNets-type attacks are robust to trigger patterns, provided only if there is a "shortcut" established linking the trigger to a targeted label. We chose a black and white square because of its distinctiveness, enhancing visibility vs. backgrounds. The original submission has included a more intricate "Hello Kitty" pattern, as detailed in Fig. 2 and Appendix A.2, where we observed similar phenomena.

Following the suggestion, we explored a uni-colored trigger and included "bomb" trigger in Figure R1 in the attached PDF. Our observations are consistent across various triggers.

[C4] B. Wang et al., "Neural Cleanse: Identifying and Mitigating …" 2019 SP.

Q5: How many samples to calculate the FID?

A: We follow the standard practice of generating samples equal to the training set size and then calculating the FID. As W1 & Q1, CIFAR-10: 50,000 generated samples, with 5,000 per class. ImageNette: 10,000 generated samples, with 1,000 per class. Caltech-15: 3,000 generated samples, with 200 per class.

Q6: The intuition for DM generation of the target class images containing the trigger.

A: This is an insightful question.

Based on the DM memorization findings in [C5], we believe that DMs memorize both the association of the target class vs. the target-class images (benign DM generation) and the association of the target class vs. the trigger (abnormal DM generation). The latter effect can be attributed to local replication. These two associations result in a combined generation, i.e., target-class images with the trigger (G2).

[C5] Somepalli, et al. "Diffusion art or digital forgery? ...", CVPR 2023

Thank you for your thorough summary, as well as the recognition of the originality, quality, clarity, and significance by our work. We hope our responses (A) to each of the weaknesses (W) or questions (Q) can address your initial concerns.

W1 & W2 & Q2: How can we ensure the experimental results are robust and not prone to statistical chance without error bars, given the computational expense? Can you provide supporting evidence, such as confidence intervals for a subset of experiments, to demonstrate the robustness and reliability of the findings?

A: Please refer to GR1 in general response.

W3 & Q3: When non-monotonic results are observed, such as with Bad-Nets 2 on ImageNette, SD, and Caltech15, why does increasing the poisoning rate from 1% to 5% improve AUROC, but further increase from 5% to 10% does not? Please provide explanations for these trends to clarify the underlying factors contributing to the observed results.

A: Thank you for highlighting this point. It seems there might be some confusion regarding the expected monotonicity of AUROC results as detailed in Table 3.

First, it's important to note that the detection performance, measured by AUROC, does not necessarily increase linearly as the poisoning rate rises from 1% to 5% and further to 10% even under the conventionally poisoned training set. The rationale behind this is that (a) AUROC primarily measures the ability to detect the existence of data poisoning, and (b) the shift from a 5% to a 10% poisoning ratio does not sufficiently enhance detectability because both have been considered relatively high poisoning ratios.

Second, the main purpose of Table 3 is to show that detection performance, as measured by AUROC, consistently improves when using the set generated by poisoned DMs compared to the originally poisoned training set, across various poisoning ratios. This is used to demonstrate the effectiveness of leveraging trigger amplification in poisoned DMs to enhance poison detection over the generated set.

W4: While the 'Castle Walls' concept is innovative, the practical implementation details of these defensive strategies are not fully explored. Constructive suggestion: Provide more detailed guidelines and examples on how these strategies can be implemented in real-world scenarios to enhance their practical applicability.

A: Please refer to GR3 in the general response on the applicability of our defense.

Regarding implementation details, we have provided additional information in the appendix for further clarification.

1. Poisoning in the generation set can be more easily detected than that over the original training set (Table 3): We include the implementation details in Line 507-509 of Appendix A.4 in the original submission.
2. Training a less malicious classifier using generated data (Table 4): We include the implementation details in Line 499-506 of Appendix A.4 in the original submission.

Q1: In the figure captions, there is mention of G3 and G4 (that do not contain trigger), but these are not referred to in Figure 2 itself (only G1 and G2 are). Highlight in the text why these are missing and now shown?

A: We prioritized G1 and G2 over G3 and G4 in the main paper due to their more representative attack implications and page constraints. However, to address this concern, we have included visualizations for G4 in Fig. R1 and Fig. R2 in the attached PDF provided with our general response. Regarding G3, which represents prompt-mismatched generations without triggers, these instances are almost non-existing in the sampled generations, thus were not emphasized.

Q4: Line 217, Page 6, Use the same notation as in the paper. “Fig A3 presents” -> A3 of which figure? Provide full reference.

A: Apologies for any confusion. Fig A3 refers to Figure A3 in the Appendix, not a sub-figure. All figures in the Appendix are indexed starting with an "A" to differentiate them from those in the main text.

Limitations: Experimental Robustness, Practical Implementation, and Broader Societal Impact.

A: Thank you for your constructive suggestions on enhancing the Limitations and Broader Impact sections in Appendices L and M. We will address these in the revised version and refer to the response to (W1 & W2 & Q2) for experimental robustness and response to (W4) for practical implementation.

Thank you for your recognition of the readability, the comprehensive experiments, and the contribution by our study. We hope our responses (A) to each of the weaknesses (W) or questions (Q) can address your concerns.

W1 & Q1: The evaluation of the proposed attacks is limited to 3 datasets: CIFAR10, ImageNette and Caltech15. It would be better if the authors can evaluate the proposed method on more datasets such as ImageNet1K and CIFAR-100.

A1: Thank you for suggesting the inclusion of additional datasets like ImageNet1K and CIFAR-100. Since our current evaluations on CIFAR-10 and ImageNette share similar formats with CIFAR-100 and ImageNet1K, we decided to expand our experiments to include a subset of the more complex dataset LAION [C1], enhancing the applicability of our findings. Please refer to GR2 in general response about the additional experiments on LAION.

[C1] Schuhmann, Christoph, Romain Beaumont, Richard Vencu, Cade Gordon, Ross Wightman, Mehdi Cherti, Theo Coombes et al. "Laion-5b: An open large-scale dataset for training next generation image-text models." NeurIPS 2022.

Q2: The attack model could be described in a separate section.

A2: Thank you for your suggestion. We will put the attack model in a separate section to improve the clarity.

Thank you for your recognition of the interesting observations and comprehensive experiments by our study. We hope our response (A) to each of the weaknesses (W) can address your concerns.

W1: Despite considering many settings, experiments are conducted only once (no error bars).

A1: Please refer to GR1 in general response.

W2: In Table 4, attacks' success rates decrease with a poison percentage up to 5%, but what happens at higher percentages? How can defenders use this if they don't know the poison percentage?

A2: Thank you for your question. We want to make the following clarifications.

First, Table 4 supports our finding that poisoned DMs with “low” poisoning ratios (≤ 5% in the paper) convert malicious data into benign data (Lines 282-284). This is underpinned by our analysis of phase transitions in poisoned DMs relative to poisoning ratios (Lines 232-234), identifying a 5% poisoning ratio as a critical transition point in Fig. 4. It is also worth noting that even a 1% poisoning is typically enough to attack DMs in practice [C1, C2], making 5% a relatively high threshold.

Second, when the poisoning ratio increases to 10%, attack success indeed amplifies (See the 10% poisoning ratio in Table R1 of the attached PDF). Based on the phase transition finding (Lines 232-234), this leads to an increase in trigger-present, prompt-mismatching generations (G1). In this case, the surge in G1 generations could aid the application of existing data poisoning detection methods on DM generations (Line 264). As a result, even without precise knowledge of the poisoning ratio, defenders can initially implement detection methods (Table 3) and subsequently employ the training-based defenses outlined in Table 4.

Lastly, we emphasize that our main goal is to develop defensive strategies based on attack findings on poisoned DMs. We acknowledge that these insights may not yet perfectly align with optimal practical scenarios. Yet, they also offer the potential. As mentioned earlier, it can simultaneously enhance poison detection and robust classifier training. Utilizing DM generation in this way could provide a unified defense mechanism.

[C1] Y. Wu, X. Han, H. Qiu and T. Zhang, "Computation and Data Efficient Backdoor Attacks," ICCV 2023.

[C2] Xia, Pengfei, Ziqiang Li, Wei Zhang, and Bin Li. "Data-efficient backdoor attacks." IJCAI 2022.

W3: The paper is fully empirical.

A3: While we recognize the value of theoretical research, we contend that our empirical approach does not prevent its research depth. This study is the first to explore the bilateral impacts of BadNets-like backdoor poisoning on diffusion models, including both attack insights (trigger amplification, phase transitions, and data replication) and defense implications (poison data detection, classifier training, and diffusion classifier). We would also like to kindly remark that empirical studies are common in adversarial learning and are crucial for uncovering new insights that theoretical models might not yet capture.