Papers
Topics
Authors
Recent
Search
2000 character limit reached

TooBad: Backdoor Attack for Diffusion Models

Updated 4 July 2026
  • TooBad is a backdoor attack framework for diffusion models that leverages direct trigger optimization in noise space to steer outputs toward a specific target image.
  • It integrates the trigger within the diffusion process by aligning the backward denoising trajectory with the forward noising of the target, thus requiring minimal poisoning and fine-tuning.
  • The framework demonstrates superior attack performance with ultra-low poison rates, faster convergence, and effective evasion of state-of-the-art defenses compared to prior methods.

Searching arXiv for the cited paper and key related work names for accurate citations. TooBad is a backdoor attack framework for diffusion models that centers on trigger optimization for backdoor diffusion models and is designed to improve attack performance, stealthiness, and efficiency simultaneously (Truong et al., 22 Jun 2026). In the formulation studied, a trigger is a small perturbation added to the input noise, and the backdoor target is a specific image; with clean noise the model behaves normally, whereas with triggered noise the compromised model generates images matching the target almost deterministically. The framework is tailored specifically to diffusion models and introduces direct trigger optimization inside the diffusion process, with the stated goals of ultra-low poison rates, few backdoor fine-tuning epochs, imperceptible triggers, evasion of state-of-the-art defenses, and high clean utility (Truong et al., 22 Jun 2026).

1. Diffusion-model backdoors and the motivating threat model

Diffusion models considered in this setting include DDPMs, DDIMs, NCSNs, and LDMs. They operate through a forward process that gradually adds Gaussian noise to a clean sample x0\mathbf{x}_0 over timesteps t=1,,Tt=1,\dots,T, and a reverse process in which a neural network, usually a U-Net, learns to denoise from noise back to data. For DDPMs, a typical forward transition is

q(xtxt1)=N(xt;αtxt1,(1αt)I),q(\mathbf{x}_t \mid \mathbf{x}_{t-1}) = \mathcal{N}\big(\mathbf{x}_t; \sqrt{\alpha_t}\mathbf{x}_{t-1}, (1-\alpha_t)\mathbf{I}\big),

with direct sampling from x0\mathbf{x}_0 given by

xt=a(t)x0+b(t)ϵ,ϵN(0,I),\mathbf{x}_t = a(t)\mathbf{x}_0 + b(t)\boldsymbol{\epsilon}, \quad \boldsymbol{\epsilon} \sim \mathcal{N}(0, \mathbf{I}),

where for DDPMs, a(t)=αˉta(t) = \sqrt{\bar\alpha_t} and b(t)=1αˉtb(t)=\sqrt{1-\bar\alpha_t} (Truong et al., 22 Jun 2026).

Within this generative setting, a backdoor attack implants hidden behavior such that the model behaves maliciously when a specific trigger is present and otherwise behaves normally. The threat model assumes an attacker who can fine-tune an existing diffusion model in a white-box regime or a proxy diffusion model for partial black-box trigger optimization, can poison a small fraction of the fine-tuning data by inserting trigger-target pairs, and can release the compromised model on platforms such as HuggingFace or GitHub or via third-party fine-tuning services. The attacker’s goals are targeted generation under triggered noise, preservation of normal behavior on clean inputs, and stealthiness expressed through ultra-low poison rate, short backdoor injection training, imperceptible trigger design, and evasion of state-of-the-art diffusion-model backdoor defenses (Truong et al., 22 Jun 2026).

The framework is motivated by the limitations of prior backdoor methods for diffusion models, described as a “quadrilemma” involving attack performance, poison rate requirement, stealthiness, and time complexity. Prior methods named in this comparison include TrojDiff, BadDiffusion, VillanDiffusion, and UIBDiffusion. The reported limitations are that high attack success generally requires poison rates of 10–30% of the training set, long backdoor training often of 30–50 epochs or more, and triggers that are either simple visible patterns or are learned via auxiliary classifiers whose optimization is not aligned with the diffusion process itself. Under strong defenses such as Elijah, TERD, and PureDiffusion, many existing attacks are detectable or show reduced attack success (Truong et al., 22 Jun 2026).

A central premise is that ultra-low poison rate and imperceptible triggers matter because an attacker rarely controls a large fraction of training data in realistic pipelines, and because lower poison rates, shorter training, and invisible triggers reduce the chance of detection by visual inspection, data filtering, training monitoring, or distribution-shift-based defenses. This suggests that stealthiness in diffusion-model backdoors is not solely a matter of output fidelity, but also of remaining close to the statistical structure of Gaussian noise.

2. Direct trigger optimization inside the diffusion process

TooBad has two stages: trigger optimization on a clean model and backdoor injection by fine-tuning (Truong et al., 22 Jun 2026). In the first stage, a trigger δ\boldsymbol{\delta} is learned so that when it is added to the input noise, the clean diffusion model’s generated sample is already close to the desired target at intermediate timesteps. In the second stage, the learned trigger-target pair (δ,x^0)(\boldsymbol{\delta}, \hat{\mathbf{x}}_0) is used to poison a small subset of training images, and the diffusion model is fine-tuned using a VillanDiffusion-style injection scheme. The intended effect is that because the trigger already biases the clean model toward the target distribution, only a small number of poisoned samples and parameter updates are required to make the model map triggered noise to the target deterministically (Truong et al., 22 Jun 2026).

The trigger optimization objective explicitly aligns the diffusion model’s backward denoising trajectory from triggered noise with the forward noising trajectory of the target image. Let TT denote the total number of diffusion steps, t=1,,Tt=1,\dots,T0 denote the backward process partially unrolled from noise t=1,,Tt=1,\dots,T1 for t=1,,Tt=1,\dots,T2 steps to produce an intermediate sample, and let t=1,,Tt=1,\dots,T3 denote the target image. The forward process applied to the target is

t=1,,Tt=1,\dots,T4

while the backward process with trigger is

t=1,,Tt=1,\dots,T5

The trigger loss is then

t=1,,Tt=1,\dots,T6

This objective makes the triggered backward sample resemble the target diffused forward to the same timestep. The paper interprets the learned trigger as a shortcut through the diffusion process: a slight alteration of the initial noise is sufficient to make the denoising trajectory follow the target’s trajectory. During this optimization, the diffusion-model parameters t=1,,Tt=1,\dots,T7 are frozen, and only the trigger t=1,,Tt=1,\dots,T8 is updated (Truong et al., 22 Jun 2026).

This diffusion-aware construction distinguishes TooBad from classifier-style backdoor optimization. The formulation is not based on a single forward pass but on a multi-step reverse diffusion process that must be aligned with the forward process. There is no explicit clean-utility loss in the trigger-optimization stage because the model parameters remain fixed; the objective is to bias the existing generative dynamics rather than retrain them.

3. Constrained trigger design, poisoning, and backdoor injection

TooBad augments the basic trigger objective with imperceptibility constraints. The trigger is constrained to satisfy an t=1,,Tt=1,\dots,T9 bound for invisibility and an q(xtxt1)=N(xt;αtxt1,(1αt)I),q(\mathbf{x}_t \mid \mathbf{x}_{t-1}) = \mathcal{N}\big(\mathbf{x}_t; \sqrt{\alpha_t}\mathbf{x}_{t-1}, (1-\alpha_t)\mathbf{I}\big),0 sparsity budget:

q(xtxt1)=N(xt;αtxt1,(1αt)I),q(\mathbf{x}_t \mid \mathbf{x}_{t-1}) = \mathcal{N}\big(\mathbf{x}_t; \sqrt{\alpha_t}\mathbf{x}_{t-1}, (1-\alpha_t)\mathbf{I}\big),1

The constrained optimization is

q(xtxt1)=N(xt;αtxt1,(1αt)I),q(\mathbf{x}_t \mid \mathbf{x}_{t-1}) = \mathcal{N}\big(\mathbf{x}_t; \sqrt{\alpha_t}\mathbf{x}_{t-1}, (1-\alpha_t)\mathbf{I}\big),2

Rather than introducing explicit penalty terms, the framework enforces these constraints through projected gradient steps (Truong et al., 22 Jun 2026).

The trigger-optimization procedure takes as inputs a clean diffusion model q(xtxt1)=N(xt;αtxt1,(1αt)I),q(\mathbf{x}_t \mid \mathbf{x}_{t-1}) = \mathcal{N}\big(\mathbf{x}_t; \sqrt{\alpha_t}\mathbf{x}_{t-1}, (1-\alpha_t)\mathbf{I}\big),3, total steps q(xtxt1)=N(xt;αtxt1,(1αt)I),q(\mathbf{x}_t \mid \mathbf{x}_{t-1}) = \mathcal{N}\big(\mathbf{x}_t; \sqrt{\alpha_t}\mathbf{x}_{t-1}, (1-\alpha_t)\mathbf{I}\big),4, the backdoor target q(xtxt1)=N(xt;αtxt1,(1αt)I),q(\mathbf{x}_t \mid \mathbf{x}_{t-1}) = \mathcal{N}\big(\mathbf{x}_t; \sqrt{\alpha_t}\mathbf{x}_{t-1}, (1-\alpha_t)\mathbf{I}\big),5, sparsity budget q(xtxt1)=N(xt;αtxt1,(1αt)I),q(\mathbf{x}_t \mid \mathbf{x}_{t-1}) = \mathcal{N}\big(\mathbf{x}_t; \sqrt{\alpha_t}\mathbf{x}_{t-1}, (1-\alpha_t)\mathbf{I}\big),6, invisibility budget q(xtxt1)=N(xt;αtxt1,(1αt)I),q(\mathbf{x}_t \mid \mathbf{x}_{t-1}) = \mathcal{N}\big(\mathbf{x}_t; \sqrt{\alpha_t}\mathbf{x}_{t-1}, (1-\alpha_t)\mathbf{I}\big),7, number of iterations q(xtxt1)=N(xt;αtxt1,(1αt)I),q(\mathbf{x}_t \mid \mathbf{x}_{t-1}) = \mathcal{N}\big(\mathbf{x}_t; \sqrt{\alpha_t}\mathbf{x}_{t-1}, (1-\alpha_t)\mathbf{I}\big),8, and step size q(xtxt1)=N(xt;αtxt1,(1αt)I),q(\mathbf{x}_t \mid \mathbf{x}_{t-1}) = \mathcal{N}\big(\mathbf{x}_t; \sqrt{\alpha_t}\mathbf{x}_{t-1}, (1-\alpha_t)\mathbf{I}\big),9. At each iteration, a timestep x0\mathbf{x}_00 and Gaussian noise x0\mathbf{x}_01 are sampled; the backward sample x0\mathbf{x}_02 and the forward target sample x0\mathbf{x}_03 are computed; the squared x0\mathbf{x}_04 loss is evaluated; a gradient step is taken on x0\mathbf{x}_05; and the result is projected first onto the x0\mathbf{x}_06 ball by clipping to x0\mathbf{x}_07, and then onto the top-x0\mathbf{x}_08 sparse set by keeping only the x0\mathbf{x}_09 entries of largest absolute value. The update is summarized as

xt=a(t)x0+b(t)ϵ,ϵN(0,I),\mathbf{x}_t = a(t)\mathbf{x}_0 + b(t)\boldsymbol{\epsilon}, \quad \boldsymbol{\epsilon} \sim \mathcal{N}(0, \mathbf{I}),0

where xt=a(t)x0+b(t)ϵ,ϵN(0,I),\mathbf{x}_t = a(t)\mathbf{x}_0 + b(t)\boldsymbol{\epsilon}, \quad \boldsymbol{\epsilon} \sim \mathcal{N}(0, \mathbf{I}),1 denotes clipping to xt=a(t)x0+b(t)ϵ,ϵN(0,I),\mathbf{x}_t = a(t)\mathbf{x}_0 + b(t)\boldsymbol{\epsilon}, \quad \boldsymbol{\epsilon} \sim \mathcal{N}(0, \mathbf{I}),2 (Truong et al., 22 Jun 2026).

After trigger optimization, the attacker constructs a poisoned fine-tuning dataset by replacing a small subset of training data, for example 0.2–5%, with backdoor samples that encode the target and trigger. TooBad follows VillanDiffusion’s generic forward modification, but with a different use of the trigger in image space: whereas VillanDiffusion uses patch-based triggers such as stop-sign overlay patches, TooBad blends the trigger into the entire poisoned image to better align with the learned noise-space trigger pattern and preserve imperceptibility. The exact image-space poisoning formulation is not fully spelled out, but the conceptual distinction is stated explicitly (Truong et al., 22 Jun 2026).

For backdoor injection, TooBad adopts VillanDiffusion’s unified forward-process formulation with the optimized trigger:

xt=a(t)x0+b(t)ϵ,ϵN(0,I),\mathbf{x}_t = a(t)\mathbf{x}_0 + b(t)\boldsymbol{\epsilon}, \quad \boldsymbol{\epsilon} \sim \mathcal{N}(0, \mathbf{I}),3

where xt=a(t)x0+b(t)ϵ,ϵN(0,I),\mathbf{x}_t = a(t)\mathbf{x}_0 + b(t)\boldsymbol{\epsilon}, \quad \boldsymbol{\epsilon} \sim \mathcal{N}(0, \mathbf{I}),4 is a trigger schedule controlling trigger strength across timesteps. During backdoor training, these triggered forward samples are used as inputs, and the diffusion-model parameters are fine-tuned using the usual diffusion loss, such as squared error between predicted noise and ground-truth noise, but now applied on backdoor forward samples. No architectural changes are required; the attack is implemented through training data and training schedule alone (Truong et al., 22 Jun 2026).

Imperceptibility is operationalized through three stated mechanisms: spatial sparsity, low amplitude, and alignment with Gaussian noise. In the experiments, the sparsity budget is set to xt=a(t)x0+b(t)ϵ,ϵN(0,I),\mathbf{x}_t = a(t)\mathbf{x}_0 + b(t)\boldsymbol{\epsilon}, \quad \boldsymbol{\epsilon} \sim \mathcal{N}(0, \mathbf{I}),5, meaning 20% nonzero entries, and the amplitude bound is xt=a(t)x0+b(t)ϵ,ϵN(0,I),\mathbf{x}_t = a(t)\mathbf{x}_0 + b(t)\boldsymbol{\epsilon}, \quad \boldsymbol{\epsilon} \sim \mathcal{N}(0, \mathbf{I}),6. The paper argues that minimizing the trigger loss under these constraints keeps triggered noise close to Gaussian and thereby reduces the distribution-shift signatures that defenses exploit (Truong et al., 22 Jun 2026).

4. Efficiency, poison-rate reduction, and empirical performance

The central quantitative claim is that TooBad dramatically lowers the poison rate and time required to achieve high attack success (Truong et al., 22 Jun 2026). On CIFAR-10 DDPMs, the reported attack success rate, mean squared error, and structural similarity are approximately as follows: at 0.2% poison rate, ASR xt=a(t)x0+b(t)ϵ,ϵN(0,I),\mathbf{x}_t = a(t)\mathbf{x}_0 + b(t)\boldsymbol{\epsilon}, \quad \boldsymbol{\epsilon} \sim \mathcal{N}(0, \mathbf{I}),7, MSE xt=a(t)x0+b(t)ϵ,ϵN(0,I),\mathbf{x}_t = a(t)\mathbf{x}_0 + b(t)\boldsymbol{\epsilon}, \quad \boldsymbol{\epsilon} \sim \mathcal{N}(0, \mathbf{I}),8, and SSIM xt=a(t)x0+b(t)ϵ,ϵN(0,I),\mathbf{x}_t = a(t)\mathbf{x}_0 + b(t)\boldsymbol{\epsilon}, \quad \boldsymbol{\epsilon} \sim \mathcal{N}(0, \mathbf{I}),9; at 1%, ASR a(t)=αˉta(t) = \sqrt{\bar\alpha_t}0, MSE a(t)=αˉta(t) = \sqrt{\bar\alpha_t}1, and SSIM a(t)=αˉta(t) = \sqrt{\bar\alpha_t}2; at 5%, ASR a(t)=αˉta(t) = \sqrt{\bar\alpha_t}3, MSE a(t)=αˉta(t) = \sqrt{\bar\alpha_t}4, and SSIM a(t)=αˉta(t) = \sqrt{\bar\alpha_t}5; and at 10%, ASR a(t)=αˉta(t) = \sqrt{\bar\alpha_t}6, MSE a(t)=αˉta(t) = \sqrt{\bar\alpha_t}7, and SSIM a(t)=αˉta(t) = \sqrt{\bar\alpha_t}8. By contrast, VillanDiffusion and UIBDiffusion are reported to have ASR a(t)=αˉta(t) = \sqrt{\bar\alpha_t}9 below 5% poison rate; at 5%, VillanDiffusion reaches ASR 0.38 and UIBDiffusion 0.16; and at 10%, VillanDiffusion reaches 0.96 and UIBDiffusion 0.74, with worse MSE and SSIM than TooBad (Truong et al., 22 Jun 2026).

In the ultra-low poison regime from 0.2% to 1.0%, TooBad is reported to increase from 68.4% to 93.1% ASR, while VillanDiffusion and UIBDiffusion remain at 0%. Over the same range, MSE decreases from 0.03 to 0.01 and SSIM increases from 0.7 to 0.9. The reported interpretation is that TooBad achieves comparable or better ASR at one-half to one-tenth the poison rate required by prior work on the same datasets.

Training efficiency is similarly emphasized. Trigger optimization requires 50 iterations on sampled noises only, with the model frozen and only b(t)=1αˉtb(t)=\sqrt{1-\bar\alpha_t}0 updated; on CIFAR-10 DDPM, this stage takes approximately 5 minutes on GPU. Backdoor injection experiments use 50 fine-tuning epochs for consistency, but the key observation is convergence speed: at 5% poison rate, TooBad reaches about 0.9 ASR by epoch 3 and about 0.94 by epoch 5, with MSE below 0.01 and SSIM above 0.9, whereas VillanDiffusion and UIBDiffusion remain near 0 ASR at epoch 5 and stay low until after about 30 epochs. At 10% poison rate, TooBad reaches ASR around 0.96 by epoch 1 and saturates near 1.0 quickly, whereas VillanDiffusion requires about 20–30 epochs for similar ASR and UIBDiffusion often remains behind. A cited CIFAR-10 DDPM example gives about 5 minutes for trigger optimization and about 2 hours for 50 backdoor injection epochs, while also stating that an attacker could stop much earlier because high ASR is reached in 3–5 epochs (Truong et al., 22 Jun 2026).

The experiments cover multiple datasets and diffusion-model families. The datasets are CIFAR-10 as the main benchmark, CelebA-HQ downscaled and encoded into 64×64 latent space for LDM experiments, and CelebA-HQ-Dialog for a conditional extension in the appendix. The models are DDPM-style U-Net diffusion models on CIFAR-10, latent diffusion models on CelebA-HQ, and NCSNs for additional ablations. Attack performance is measured with ASR, MSE, and SSIM, while clean utility is evaluated using FID between clean samples and the training data distribution (Truong et al., 22 Jun 2026).

On CelebA-HQ with LDM, the reported 5% poison-rate results are ASR 0.32, MSE 0.121, and SSIM 0.423 for VillanDiffusion; ASR 0.19, MSE 0.186, and SSIM 0.188 for UIBDiffusion; and ASR 0.98, MSE 0.003, and SSIM 0.945 for TooBad. At 10% poison rate, VillanDiffusion reaches ASR 0.76, UIBDiffusion 0.71, and TooBad 0.99 with superior MSE and SSIM. On NCSN, the baselines reportedly fail up to 45% poison rate and only reach about 0.7 ASR at 50–70%, while TooBad reaches ASR 0.69 at 25%, 0.84 at 30%, 0.98 at 50%, and 1.00 at 70% (Truong et al., 22 Jun 2026).

These results support the paper’s claim that the principal degree of freedom is the trigger itself. A plausible implication is that prior attacks were bottlenecked less by the existence of a poisoning channel than by the mismatch between trigger optimization and diffusion dynamics.

5. Stealthiness and interaction with diffusion-model defenses

TooBad is evaluated against three diffusion-model-specific defenses: Elijah, TERD, and PureDiffusion (Truong et al., 22 Jun 2026). Elijah is described as a distribution-shift-based backdoor detection method using trigger inversion and analysis of generative behavior. TERD is described as a unified framework for backdoor protection in diffusion models that also uses trigger inversion and detection metrics. PureDiffusion is described as using backdoor techniques to identify and mitigate backdoor triggers. Each defense is evaluated in terms of trigger inversion and backdoor detection. Trigger inversion is measured by L2D, the b(t)=1αˉtb(t)=\sqrt{1-\bar\alpha_t}1 distance between recovered trigger and true trigger, where larger values indicate harder inversion; backdoor detection is measured by ACC and TPR.

The comparison includes VillanDiffusion, UIBDiffusion, and three TooBad variants: TooBad-NI, which removes the invisibility constraint; TooBad-NS, which removes the sparsity constraint; and the full TooBad method. For full TooBad, the reported result under all three defenses is ACC b(t)=1αˉtb(t)=\sqrt{1-\bar\alpha_t}2 and TPR b(t)=1αˉtb(t)=\sqrt{1-\bar\alpha_t}3, meaning that the defenses classify the backdoored model as clean. The corresponding L2D values are described as high, around b(t)=1αˉtb(t)=\sqrt{1-\bar\alpha_t}4, indicating failed trigger inversion. For TooBad-NS and TooBad-NI, ACC and TPR become nonzero and L2D becomes lower, in the range 30–39, which the paper interprets as making trigger inversion more accurate and detection easier (Truong et al., 22 Jun 2026).

For the baselines, VillanDiffusion shows high ACC and TPR under all defenses, consistent with effective detection of its visible triggers. UIBDiffusion shows ACC and TPR equal to 0 under most defenses and also high L2D, indicating failed inversion, but its attack performance is described as much weaker than TooBad. The stated conclusion is that ultra-low poison rate alone is not sufficient for stealthiness, and that the invisibility constraint in particular is crucial for evading modern defenses (Truong et al., 22 Jun 2026).

This point directly addresses a likely misconception. An imperceptible trigger is not treated merely as a cosmetic modification; in this formulation it is part of the attack mechanism because it preserves the statistical proximity of triggered noise to Gaussian noise. The defense results are presented as evidence that sparse and low-amplitude triggers optimized directly in the diffusion process produce both high ASR and resistance to inversion and detection.

6. Ablations, scope, limitations, and broader significance

The ablation studies examine poison rate, target choice, model family, and the role of imperceptibility constraints (Truong et al., 22 Jun 2026). Over poison rates from 0.2% to 10%, ASR and SSIM are reported to scale smoothly, with effectiveness already visible at 0.2%. Target ablations using “Cat” and “Stop Sign” instead of the hat target show similar curves: at 0.2% poison rate, ASR is approximately 0.63–0.66, and at 5%, ASR is about 0.99 with MSE around 0.002–0.0026 and SSIM around 0.98. The paper uses these results to argue that the method is not hard-coded to a single simple object. Cross-family experiments on NCSNs and LDMs are presented as evidence that the approach generalizes across diffusion-model families, even though NCSNs are described as harder to backdoor and requiring higher poison rates in general (Truong et al., 22 Jun 2026).

The scope and assumptions of the method are also explicit. The attacker must be able to fine-tune the diffusion model, either directly or through a surrogate; must be able to poison a fraction of the fine-tuning data; and must know or approximate the diffusion process, including schedules b(t)=1αˉtb(t)=\sqrt{1-\bar\alpha_t}5 and b(t)=1αˉtb(t)=\sqrt{1-\bar\alpha_t}6, because the optimization occurs in noise space. The backdoor is targeted to a single target image, and the evaluation focuses on image diffusion models and single-trigger, single-target scenarios. Other threat models, such as multiple triggers or more complex conditions, are not explored in detail (Truong et al., 22 Jun 2026).

Potential defense directions are framed in terms of the failure modes of existing defenses. The paper suggests detecting subtle distribution shifts in noise space under sparse, low-amplitude perturbations; analyzing the mapping from noise distributions to outputs using carefully designed noise probes; incorporating robust training or adversarial training against optimized triggers in the diffusion process; and strengthening model auditing to identify anomalously high sensitivity to small perturbations in noise space that repeatedly yield similar outputs (Truong et al., 22 Jun 2026).

The broader significance claimed for TooBad is that modern diffusion models are vulnerable to sophisticated backdoor attacks with realistic ultra-low poison rates, very short fine-tuning, near-perfect attack success, and resistance to current state-of-the-art defenses. The deployment contexts emphasized are open-source diffusion checkpoints, third-party fine-tuning services, and untrusted training pipelines. The paper notes possible downstream misuse such as covert embedding of harmful or copyrighted content and triggered misbehavior in downstream systems with generative components (Truong et al., 22 Jun 2026).

Taken together, the reported results position TooBad as an example of a diffusion-model backdoor in which trigger optimization itself becomes the main attack lever. The paper’s synthesis is that aligning the backward denoising path from triggered noise with the forward diffusion path of a chosen target breaks the prior quadrilemma by jointly improving attack performance, poison efficiency, stealthiness, and time complexity. This suggests that future diffusion-model security work must treat the geometry of the denoising trajectory, rather than only visible trigger artifacts or coarse data poisoning ratios, as a primary attack surface.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to TooBad.