TEMPO-Diffusion: Temporally Exposed Malicious Poisoning of Diffusion Models

📅 2026-06-24
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
Existing backdoor attacks on diffusion models suffer from limited stealth and practicality due to their reliance on input-time triggers, non-targeted activation, and out-of-distribution target generation. This work proposes the first temporally localized, in-distribution, targeted backdoor attack framework for diffusion models. By introducing a time-conditional triggering mechanism, the method injects sub-image-level backdoors during specific stages of the diffusion process, enabling class-specific attacks and multi-region feature reconstruction. Leveraging region-aware data construction and model fine-tuning strategies, the approach is validated on CIFAR-10, GTSRB, and a newly introduced CALISA dataset, demonstrating its ability to effectively poison class-specific synthetic data and significantly increase attack success rates against downstream classifiers—thereby exposing genuine security risks inherent in generative training data.
📝 Abstract
Noise-based backdoor attacks on diffusion models typically rely on input-time trigger injection, untargeted activation, and out-of-distribution target generation. Such assumptions reduce both the stealthiness and the practical relevance of these attacks. In this work, we present TEMPO-Diffusion, a targeted backdoor framework that localizes the malicious distribution shift to a temporal, in-distribution exposure. TEMPO-Diffusion supports: (i) targeted attacks on and to specific classes, (ii) multiple sub-image backdoors that reconstruct specific features within multiple, different output images and at multiple locations, and (iii) in-painting with time-conditioned triggers. To study relevant, practical security concerns in leveraging backdoored diffusion models for synthetic training data, we also introduce CALISA: a balanced, region-aware traffic-sign dataset emphasizing Canadian and U.S. road signs. Across CIFAR10, GTSRB, and CALISA, our experiments show that TEMPO-Diffusion can reliably poison class-specific synthetic data generation and induce high attack success rates in downstream classifiers trained on that data.
Problem

Research questions and friction points this paper is trying to address.

backdoor attack
diffusion models
targeted poisoning
synthetic data
temporal trigger
Innovation

Methods, ideas, or system contributions that make the work stand out.

TEMPO-Diffusion
temporal backdoor
in-distribution poisoning
diffusion model security
synthetic data poisoning
🔎 Similar Papers
No similar papers found.