A backdoor security evaluation method, device and system for a text-to-image generation system

By constructing a closed-loop process and a multi-scale feature perception structure, and combining generation quality and backdoor response tests, the problem of backdoor security assessment in text-to-image generation systems was solved, and the model's stability assessment and risk quantification were achieved.

CN122153907APending Publication Date: 2026-06-05NANJING UNIV OF POSTS & TELECOMM

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
NANJING UNIV OF POSTS & TELECOMM
Filing Date
2026-02-27
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing technologies face challenges in assessing the backdoor security of text-to-image generation systems. These challenges include the sensitivity of triggering effects to prompts, limited transferability, and the difficulty in forming a systematic evaluation loop, making it impossible to comprehensively measure the potential backdoor risks and concealment levels of the model.

Method used

A closed-loop process is constructed, which includes host sample construction, stealth trigger injection, hybrid training to generate victim models, and dual-path testing for quantitative evaluation. By using a multi-scale feature perception and fusion structure and a multi-objective joint loss function, combined with generation quality testing and backdoor response testing, the model can be stably evaluated.

Benefits of technology

It enables stable evaluation of backdoor security of the model under controllable triggering conditions, improves the comprehensiveness and reliability of the evaluation, quantifies the abnormal response and concealment of the model, and reduces frequency domain anomalies.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122153907A_ABST
    Figure CN122153907A_ABST
Patent Text Reader

Abstract

The application discloses a backdoor security evaluation method, device and system for a text-to-image generation system, and relates to the technical field of artificial intelligence. The method comprises the following steps: constructing a host sample set, injecting a preset trigger into at least part of text prompts in the host sample set to obtain a poisoned sample set; mixing the poisoned sample set and original clean training sample sets according to a preset proportion to form a mixed training sample set; training a text-to-image generation model according to the mixed training sample set to obtain a victim model used for simulating a backdoor attack; inputting test text prompts with and without triggers into the victim model respectively to obtain corresponding test images; calculating the results of a generation quality test of the victim model under the test text prompts without triggers and a backdoor response test of the victim model under the test text prompts with triggers according to the test images; and evaluating the two test results to obtain a backdoor security evaluation conclusion of the text-to-image generation system.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to a method, apparatus, and system for backdoor security assessment in text-to-image generation systems, belonging to the field of artificial intelligence technology. Background Technology

[0002] In recent years, text-to-image generation technology based on diffusion models has made significant progress in high-fidelity image synthesis and diversified content generation. Typical frameworks can generate images that are semantically aligned with prompts through a multi-step denoising and sampling process guided by textual conditions, and have been widely used in design, content creation, and other scenarios. However, the multimodal structure, progressive sampling chain, and cross-attention-driven image-text alignment mechanism of diffusion models also present new vulnerabilities in terms of security: backdoors can lurk with a low level of contamination during the training phase and gradually amplify at different sampling time steps, ultimately manifesting as abnormal redirection of specific semantics or target concepts; moreover, the flexible triggering input and complex and difficult-to-interpret internal attention chain make backdoor behavior highly concealed and stable, and once abused, it may induce risks such as content manipulation.

[0003] Research on backdoors and model manipulation in text-based graph diffusion models has yielded various technical approaches: backdoors injected during the training phase typically involve poisoning multimodal data or writing stable triggering patterns through personalized fine-tuning; trigger-based attacks during the inference phase can induce anomalous generation without modifying model parameters through carefully crafted prompts; parameter editing attacks directly construct new concept mapping paths in the weight space, thereby restoring or re-injecting specific concepts during inference. For example, methods such as BadT2I, TI / DB (PaaS), TPA, and EvilEdit reveal the systemic security risks of diffusion models at the training data, input prompts, and internal parameter levels from the perspectives of data poisoning, text embedding hijacking / few-shot fine-tuning, prompt avoidance, and weight editing, respectively.

[0004] From the perspectives of engineering implementation and security auditing, existing technologies still face two prominent assessment challenges: First, backdoor risks are often strongly correlated with multi-scale feature propagation in the diffusion chain, frequency domain artifacts, and cross-modal semantic binding. Existing methods are insufficient in cross-scale collaboration, frequency domain anomaly control, and semantic alignment stability, resulting in trigger effects that are sensitive to prompts, have limited transferability, and are prone to generating detectable frequency domain anomalies. Second, in actual deployments, security assessments typically rely on limited prompt sampling, blacklist filtering, or single-indicator comparisons, making it difficult to form a systematic assessment loop of "host sample construction—trigger condition design—training / fine-tuning verification—dual-path testing quantification." This makes it difficult to comprehensively measure the potential backdoor risks and concealment levels of the model while maintaining normal generation quality. Therefore, there is an urgent need for a backdoor security assessment scheme for text-to-image generation systems that can quantify the abnormal response of the model under controllable triggering conditions and simultaneously characterize the maintenance of normal generation capabilities and the concealment of backdoor behavior, thereby improving the comprehensiveness and reliability of backdoor security assessments. Summary of the Invention

[0005] The purpose of this invention is to provide a backdoor security assessment method, device, and system for text-to-image generation systems. It constructs a closed-loop process of "host sample construction - stealth trigger injection - hybrid training to generate victim model - dual-path test quantification assessment", thereby systematically solving problems such as unstable assessment triggers, uninterpretable cross-modal semantic manipulation, and difficulty in simultaneously considering the effectiveness and stealth of assessment conclusions.

[0006] To achieve the above objectives, the present invention is implemented using the following technical solution.

[0007] In a first aspect, the present invention provides a backdoor security assessment method for a text-to-image generation system, comprising:

[0008] Construct a host sample set, which includes host text prompts and host image samples corresponding to the host text prompts;

[0009] By injecting a preset trigger into at least a portion of the text prompts in the host sample set, a poisoned sample set is obtained;

[0010] The poisoned sample set is mixed with the original clean training sample set at a preset ratio to form a mixed training sample set; wherein, the original clean training sample set is the host text prompt in the host sample set that has not been injected with the preset trigger;

[0011] A text-to-image generation model is trained based on the hybrid training sample set to obtain a victim model for simulating backdoor attacks;

[0012] The test text prompts without the trigger and the test text prompts with the trigger are respectively input into the victim model to obtain the corresponding test images;

[0013] Based on the test image, calculate the result of the victim model performing a generation quality test without the test text prompt with the trigger; and the result of performing a backdoor response test with the test text prompt with the trigger.

[0014] Based on the results of the quality generation test and the backdoor response test, the backdoor security of the victim model is evaluated, and the backdoor security evaluation conclusion of the text-to-image generation system is obtained.

[0015] Furthermore, based on the text-to-image generation model to be evaluated, a target loss function for backdoor security evaluation is constructed;

[0016] Based on the target loss function, the variables of the host text prompt and / or the image generation process corresponding to the host text prompt are iteratively optimized to obtain the host sample set.

[0017] Furthermore, the text-to-image generation model is a diffusion model or a diffusion-based latent space generation model.

[0018] Furthermore, the target loss function is a multi-objective joint loss function, which includes at least the basic noise prediction loss, feature consistency loss, and frequency domain loss. The calculation expression of the target loss function is as follows:

[0019] (1),

[0020] In the formula, L total L represents the target loss. base L represents the basic noise prediction loss. feat L represents the feature consistency loss. freq λ1, λ2, and λ3 represent the frequency domain loss; λ1, λ2, and λ3 represent the adjustable coefficients used to balance the weights of each loss term in the multi-objective loss function.

[0021] Furthermore, a multi-scale feature perception and fusion structure is introduced into the multi-level feature representation in the denoising network. The multi-scale feature perception and fusion structure includes a spatial branch and a frequency domain branch. The spatial branch is used to extract spatial domain features, and the frequency domain branch is used to perform frequency domain transformation on the features and extract frequency domain features. The spatial features and frequency domain features are then weighted and fused through dynamic gating.

[0022] Furthermore, the preset trigger is an implicit trigger selected from a trigger pool; wherein, the trigger pool includes text trigger words, subwords or subword combinations, character variants and Unicode variant triggers; the implicit trigger is trigger information that does not change semantically or changes by less than a preset threshold.

[0023] Furthermore, the step of injecting the preset trigger into at least a portion of the text prompts in the host sample set is specifically implemented through the following expression:

[0024] (2),

[0025] In the formula, y i This represents the i-th host text hint, and τ represents the hidden trigger. Insert(·) Indicates an injection operation. Indicates the process Insert(·) The text prompt includes an implicit trigger τ; N represents the target constraint corresponding to the anomaly response of the i-th target; p D represents the number of text cues with hidden triggers injected into the host sample set; poison This represents the set of poisoned samples.

[0026] Furthermore, the generation quality test is used to obtain a normal task performance retention index to characterize the degree of generation quality degradation of the model under non-triggered conditions; the backdoor response test is used to obtain a backdoor trigger response strength index to characterize the hit rate of the model's response to the target under triggered conditions; wherein, the normal task performance retention index includes at least one of the text consistency score (TCS), image quality index (FID), and perceptual similarity index (LPIPS), and the backdoor trigger response strength index includes attack success rate (ASR).

[0027] Secondly, the present invention provides a backdoor security assessment device for a text-to-image generation system, comprising: a host sample set construction module configured to: construct a host sample set, wherein the host sample set includes a host text prompt and a host image sample corresponding to the host text prompt;

[0028] The trigger injection module is configured to inject a preset trigger into at least a portion of the text prompts in the host sample set to obtain a poisoned sample set.

[0029] The training set construction module is configured to: mix the poisoned sample set with the original clean training sample set at a preset ratio to form a mixed training sample set;

[0030] The model training module is configured to: train a text-to-image generation model based on the hybrid training sample set to obtain a victim model for simulating backdoor attacks;

[0031] The test execution module is configured to input the test text prompt without the trigger and the test text prompt with the trigger into the victim model respectively to obtain the corresponding test image;

[0032] The metric calculation module is configured to: calculate, based on the test image, the result of the victim model performing a generation quality test without the trigger and with the trigger and with the trigger and with the trigger and with the trigger, the result of performing a backdoor response test;

[0033] The security assessment module is configured to: perform a backdoor security assessment on the victim model based on the results of the generation quality test and the backdoor response test, and obtain a backdoor security assessment conclusion for the text-to-image generation system.

[0034] Thirdly, the present invention provides a computer system, comprising:

[0035] Memory, used to store computer instructions;

[0036] A processor for executing the computer instructions to implement the steps of the backdoor security assessment method for a text-to-image generation system as described in any one of claims 1 to 8.

[0037] Compared with the prior art, the beneficial effects achieved by the present invention are as follows:

[0038] 1. This invention constructs a closed-loop process of "host sample construction—stealth trigger injection—hybrid training to generate victim model—dual-path testing for quantitative evaluation." By actively injecting triggers into the host sample set to obtain a poisoned sample set, and then mixing the poisoned sample set with the original clean training samples, the model can be stably implanted with backdoor behavior in a controlled environment. This makes the uncontrollable process of triggering events in existing technologies more stable, makes the evaluation trigger more stable, and makes cross-modal semantic manipulation more interpretable. When evaluating the backdoor security of the text-to-image generation system, this invention adopts dual-path testing, namely, performing generation quality testing and backdoor response testing separately, and combining the results of the two tests for analysis. The effectiveness is quantified through the backdoor response test, and the stealth is quantified through the generation quality test, achieving a balance between effectiveness and stealth, and avoiding a single risk conclusion.

[0039] 2. This invention introduces a multi-scale feature perception and fusion structure into the multi-level feature representation in the denoising network. This structure includes a spatial branch and a frequency domain branch. The spatial branch extracts spatial domain features, while the frequency domain branch performs frequency domain transformation on the features and extracts frequency domain features. The spatial and frequency domain features are then weighted and fused using dynamic gating. This achieves the establishment of attentional associations between features at different scales and the fusion of spatial and frequency domain information, thereby improving response stability under stealth triggering conditions and suppressing artifact generation. Furthermore, this invention employs a multi-objective joint loss function, including frequency domain loss, which effectively reduces frequency domain anomalies. Attached Figure Description

[0040] Figure 1 The diagram shows a flowchart of the backdoor security assessment method for a text-to-image generation system provided by the present invention.

[0041] Figure 2 The diagram shown illustrates the construction of the host sample set / poisoned sample set and the hybrid training set provided by this invention.

[0042] Figure 3 The diagram shown illustrates the embedding location of the multi-scale injection structure in the denoising network provided by this invention.

[0043] Figure 4 The diagram shown is a schematic diagram of the risk output for calculating dual-path test indicators provided by the present invention. Detailed Implementation

[0044] It should be noted that the technical solution of the present invention will be described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the embodiments of the present invention and the specific features in the embodiments are detailed descriptions of the technical solution of the present invention, rather than limitations on the technical solution of the present invention. In the absence of conflict, the embodiments of the present invention and the technical features in the embodiments can be combined with each other.

[0045] The term "and / or" simply describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, or B alone. Additionally, the character " / " generally indicates that the preceding and following related objects have an "or" relationship.

[0046] Example 1

[0047] See Figure 1 This embodiment provides a backdoor security assessment method for a text-to-image generation system, and the specific implementation steps are as follows:

[0048] Step S1: Construct a host sample set, which includes host text prompts and host image samples corresponding to the host text prompts;

[0049] In this embodiment, the text-to-image generation model to be evaluated adopts a diffusion model or a diffusion-based latent space generation model. The text-to-image generation model includes at least a text encoder, a denoising network, and an image decoder. In this embodiment, the image decoder can preferably be an autoencoder decoder. The autoencoder decoder supports precise control of the semantics and style of the generated image through text features. At the same time, the training mode based on reconstruction loss can effectively improve the stability of the model training process.

[0050] This embodiment introduces a multi-scale feature perception and fusion structure into the multi-level feature representation in the denoising network. The multi-scale feature perception and fusion structure includes a spatial branch and a frequency domain branch. The spatial branch is used to extract spatial domain features, and the frequency domain branch is used to perform frequency domain transformation on the features and extract frequency domain features. The spatial features and frequency domain features are weighted and fused through dynamic gating. This enables the establishment of attention associations between features at different scales and the fusion of spatial and frequency domain information, thereby improving the response stability under stealth triggering conditions, suppressing the generation of artifacts, and maintaining the naturalness of the image.

[0051] The steps for implementing a text-to-image generation model are as follows:

[0052] Step S1a1: Let the input text prompt be y, and the text encoder in the text-to-image generation model be T(·), then the condition vector c=T(y); where the condition vector c is generated by the text encoder T(·) and is used to connect the text space with the core control signal in the image generation process.

[0053] Step S1a2: During sampling, initialization is performed using Gaussian noise. The specific calculation expression is as follows:

[0054] ~N(0,I)(3)

[0055] In the formula, Let represent the noise variable of the text-to-image generation model at sampling time T, ~ means "follows the probability distribution of ..."; N represents a Gaussian distribution, 0 means the mean vector of the Gaussian distribution is 0, and I represents the covariance matrix of the Gaussian distribution.

[0056] Step S1a3: The generated result is obtained through the reverse denoising process. The specific calculation expression is as follows:

[0057] (4),

[0058] In the formula, G represents the generated image. θ This represents a denoising network for a text-to-image generation model, with specific denoising network parameters θ.

[0059] Based on the text-to-image generation model to be evaluated, a target loss function G is further constructed for backdoor security evaluation. θ This includes basic noise prediction loss, feature consistency loss, and frequency domain loss, specifically the multi-objective joint loss L. total The calculation expression is as follows:

[0060] (1),

[0061] In the formula, L base L represents the basic noise prediction loss. feat L represents the feature consistency loss. freq λ1 represents the frequency domain loss; λ2 and λ3 represent the coefficients of the three loss weights, which can be fixed or scheduled according to a preset strategy, and can be dynamically adjusted using an adaptive strategy.

[0062] In this embodiment, a multi-objective joint loss function is preferentially employed to simultaneously constrain the basic objective, feature consistency, and frequency domain concealment during the evaluation injection and training processes. Noise prediction loss L base This is the noise prediction loss based on mean square error, and the specific calculation expression is as follows:

[0063] (5),

[0064] In the formula, n represents the sample size n, x i This represents the i-th host image sample. This represents the generated image output by the model for the i-th sample.

[0065] Feature consistency loss L feat It is mainly used to constrain the distribution of intermediate layer features to be consistent under normal input and trigger input, so that the generated intermediate features are as similar as possible, thereby enhancing the concealment of backdoor behavior. feat The specific calculation expression is as follows:

[0066] (6),

[0067] In the formula, k represents the total number of intermediate feature layers in the text-to-image generation model; This represents the feature vector output by the model at the j-th feature layer when the input does not contain triggers; This represents the feature vector output by the model at the j-th feature layer when the input contains triggers.

[0068] Frequency domain loss L freq The specific calculation expression is as follows:

[0069] (7),

[0070] In the formula, This represents the i-th image generated when the input includes a trigger; The frequency domain transformation operator represents the mathematical transformation that converts an image from the spatial domain to the frequency domain. In this embodiment, the frequency domain energy difference is minimized based on the Fast Fourier Transform.

[0071] Based on the aforementioned loss function, the optimizable variables in the host text prompt and / or the image generation process corresponding to the host text prompt are iteratively optimized to generate host samples and form a host sample set, D. host The calculation expression is as follows:

[0072] (8),

[0073] In the formula, y i N represents the i-th host text prompt; h Indicates the number of host samples.

[0074] The specific process of generating the host sample includes:

[0075] Step S1b1: Construct the host cue set Y host Y host The semantic coverage is common to normal tasks;

[0076] Step S1b2: For each host text prompt y i The host image is obtained based on the text-to-image generation model. ;

[0077] Step S1b3: To improve the representativeness of the evaluation and the measurability of subsequent triggering, the optimizable variables in the generation process are iteratively optimized to satisfy the target loss constraint while maintaining naturalness. In this embodiment, gradient descent is used to update the iterative optimizable variables, and the specific calculation expression is as follows:

[0078] (9),

[0079] In the formula, t represents the current iteration of gradient descent, and ω (t) Let represent the optimizable variables at the t-th iteration; This represents the learning rate, which is used to adjust and control the size of each step. This represents the gradient vector with respect to the optimizable variable ω.

[0080] By iteratively optimizing the variables as described above, the variables can satisfy the target loss constraint while maintaining their naturalness.

[0081] Step S2: Inject a preset trigger into at least a portion of the text prompts in the host sample set to obtain the poisoned sample set;

[0082] See Figure 2 First, a trigger pool is constructed, and the preset triggers are hidden triggers selected from a trigger pool;

[0083] The trigger pool includes, but is not limited to, text trigger words, subwords or combinations of subwords, character variants, and Unicode variant triggers. The trigger pool can contain any single type or combination of multiple types mentioned above. This is to make the trigger information less noticeable on the surface semantics or difficult to be filtered by rules; hidden triggers are trigger information that does not change semantically or changes by less than a preset threshold.

[0084] Next, a pre-defined stealth trigger is injected into at least a portion of the text prompts in the host sample set. The resulting computational expression for the poisoned sample is as follows:

[0085] (2),

[0086] In the formula, τ represents a hidden trigger, and Insert(·) represents an injection operation. This indicates a text hint that has an implicit trigger τ after being processed by Insert(). ;

[0087] N represents the target constraint corresponding to the anomaly response of the i-th target; p D represents the number of text cues with hidden triggers injected into the host sample set; poison This represents the set of poisoned samples.

[0088] Step S3: Mix the poisoned sample set with the original clean training sample set according to a preset ratio to form a mixed training sample set. ; where D clean This represents the original clean training sample set; the specific "poisoning" ratio can be set. ; Used to balance trigger testability with maintaining normal generation quality; Values ​​within a preset range can be used to adapt to different audit intensities and assessment costs.

[0089] Step S4: Train a text-to-image generation model based on a mixed training sample set to obtain a victim model for simulating backdoor attacks;

[0090] The initialization model can be the text-to-image generation model to be evaluated, or a clean baseline model with the same structure; during training, L... totalThe optimization objective, or a component thereof, aims to ensure that the model maintains generation quality under normal inputs while forming stable and measurable anomalous responses under triggered inputs. Training is terminated when the backdoor trigger attack success rate (ASR) reaches or exceeds a preset threshold and the degradation of generation quality metrics is below a preset threshold, thereby obtaining a victim model for simulating backdoor attacks.

[0091] See Figure 3 During training, a multi-scale feature perception and fusion structure is introduced into the multi-level feature path of the denoising network, and embedded in the encoding stage, bottleneck stage, and decoding stage to enhance the cross-scale propagation of the triggering related signals and reduce frequency domain artifacts. In this embodiment, the multi-scale feature perception and fusion structure preferably adopts the following sub-module combination form:

[0092] Frequency-Aware Decay Module (FADE) is used in conjunction with L freq Suppress frequency domain anomalies introduced by triggering while maintaining image naturalness;

[0093] Channel Spatial Attention Module (CSA) and Global-Local Alignment Module (GLA) work together to enhance the channel and spatial responses related to triggering; CSA is used to enhance the channel and spatial region responses related to triggering / target concepts, while GLA is used to adaptively select trigger-related representations between global semantics and local details.

[0094] Cross-Modal Alignment Module (CMDA) is used to enhance the alignment between text conditions and image features, thereby improving the stability of triggering semantic redirection.

[0095] Step S5: Based on the test image, calculate the results of the victim model performing the generation quality test without triggers and the results of performing the backdoor response test with triggers and test text prompts.

[0096] In this embodiment, the clean text prompt, i.e., the original input text prompt, is set to y, and the test text prompt with the trigger is set to y. tr Under triggered conditions, the victim model should exhibit an abnormal generation response; under non-triggered conditions, it should maintain normal generation capability as much as possible. The specific calculation expression is as follows:

[0097] (10)

[0098] In the formula, the calculation expression (10) is based on the calculation expression (4). Indicates the parameters of the victim model. Representing the victim model, This indicates that clean text suggestions are generated normally under non-triggered conditions. This indicates the generation of an exception in the test text prompt under the triggered condition.

[0099] Step S6: Based on the results of the quality test and the backdoor response test, conduct a backdoor security assessment on the victim model to obtain the backdoor security assessment conclusion of the text-to-image generation system.

[0100] See Figure 4 Generative quality testing is used to obtain performance retention metrics for normal tasks, in order to characterize the degree of degradation in generative quality under non-triggered conditions.

[0101] Backdoor response testing is used to obtain backdoor trigger response strength indicators to characterize the hit rate of the model's response to the target under trigger conditions. Among them, the normal task performance preservation indicators include at least one of the following: Text Consistency Score (TCS), Fréchet Inception Distance (FID), and Learned Perceptual Image Patch Similarity (LPIPS). The backdoor trigger response strength indicators include Attack Success Rate (ASR).

[0102] TCS (Transcription Consistency Score) is a metric in Natural Language Processing (NLP) used to quantify the degree of consistency within or between texts across dimensions such as content, logic, style, and structure. It utilizes NLP techniques to transform text into computable feature vectors, calculates consistency scores for different dimensions, and weights and merges these scores based on the principle that smaller differences result in higher consistency scores, ultimately outputting a comprehensive score. The higher the comprehensive score, the better the text consistency and the fewer contradictions; conversely, the lower the comprehensive score, the worse the text consistency and the more contradictions.

[0103] Fréchet Distance (FID) is one of the most mainstream quality assessment metrics in the field of generative image models. Its core advantage is that it can simultaneously measure the quality and diversity of generated images, making the assessment results more closely resemble human visual perception. FID extracts high-level semantic features from images, models the feature distribution, and obtains the Fréchet distance between the modeled distributions. The magnitude of the Fréchet distance directly reflects the similarity between the generated image and the real image: the smaller the value, the closer the generated feature distribution is to the real feature distribution, and the higher the quality of the generated image; when the value is larger, the further the generated feature distribution is from the real feature distribution, and the lower the quality of the generated image.

[0104] LPIPS is a deep learning-based perceptual image similarity evaluation metric. Its core objective is to quantify the similarity between two images at the level of human visual perception, overcoming the shortcomings of traditional pixel-level metrics that show "pixel similarity but large differences in perceived appearance." It primarily utilizes multi-layer semantic features of a pre-trained network to simulate the perceptual process of the human visual system. Semantic features are extracted layer by layer, and the feature map of each layer is divided into several image patches to obtain the feature distance matrix for each layer. Since the features of different layers contribute differently to human vision (for example, the weight parameters of higher-level semantic features are higher), these weight parameters are mainly trained using a human subjective rating dataset. The mean of the feature distance matrices of each layer is taken, multiplied by the corresponding weights, and summed to finally output the LPIPS score in the range of 0–∞. When the LPIPS value approaches 0, the two images are almost indistinguishable at the human visual level; the larger the value, the more obvious the perceived difference between the two images.

[0105] Adversarial Suggestion (ASR) is a core quantitative metric in the field of machine learning and deep learning security. It is used to objectively measure the effectiveness of adversarial attack methods and assess the resilience of the target model. Only samples that the model originally predicted correctly are selected as attack targets. The adversarial samples are input into the target model, and the attack objective is determined. The percentage of successful attacks out of the total number of attack attempts is calculated to obtain the final ASR value. The ASR value ranges from 0% to 100%, and its magnitude directly reflects the attack effectiveness and model robustness: an ASR of 100% indicates that all valid samples were successfully attacked, the attack method is highly efficient, or the model has extremely poor robustness; an ASR of 80% to 99% indicates excellent attack effectiveness, but the model has obvious security vulnerabilities; an ASR of 10% to 79% indicates that the attack is partially effective and can be used to compare the advantages and disadvantages of different attack methods or optimize model defense strategies; an ASR of 0% indicates that the attack is completely ineffective, and the model has strong robustness to the attack method.

[0106] The core optimization objective for the victim model in this embodiment is: The core optimization is the attack success rate of the victim model, which is the proportion of times the victim model successfully outputs the corresponding abnormal response after recognizing the test text prompt with the trigger.

[0107] and the constraints are Quality(·) represents the generation quality evaluation function, which measures the quality of the model generation results and can be characterized by indicators such as FID, LPIPS, and TCS. The core requirement of the constraint is that the generation quality of the victim model under non-trigger conditions needs to be basically consistent with the original model, so as to avoid the decline in the ability of the model to generate normally due to the injection of triggers.

[0108] If the victim model satisfies: (1) strong abnormal response under triggering conditions, i.e., ASR reaches the preset threshold or is significantly higher than the control; (2) good generation quality under non-triggering conditions, i.e., TCS remains high and FID and LPIPS degrade little;

[0109] If the backdoor security risk of the text-to-image generation system being evaluated is high and more concealed, then it is determined that the risk is low or more detectable.

[0110] Example 2

[0111] Based on the same inventive concept as Embodiment 1, this embodiment introduces a backdoor security assessment device for a text-to-image generation system, comprising:

[0112] The host sample set construction module is configured to: construct a host sample set, which includes host text prompts and host image samples corresponding to the host text prompts;

[0113] The trigger injection module is configured to inject a preset trigger into at least a portion of the text prompts in the host sample set to obtain a poisoned sample set.

[0114] The training set construction module is configured to mix the poisoned sample set with the original clean training sample set at a preset ratio to form a mixed training sample set.

[0115] The model training module is configured to train a text-to-image generation model based on a mixed training sample set to obtain a victim model for simulating backdoor attacks.

[0116] The test execution module is configured to input test text prompts without triggers and test text prompts with triggers into the victim model respectively to obtain the corresponding test images;

[0117] The metric calculation module is configured to: calculate the results of the victim model performing a generation quality test without triggers and the results of performing a backdoor response test with triggers, based on the test image;

[0118] The security assessment module is configured to: perform a backdoor security assessment on the victim model based on the results of the generation quality test and the backdoor response test, and obtain a backdoor security assessment conclusion for the text-to-image generation system.

[0119] The specific functions of each module described above are explained in the relevant content of the method in Embodiment 1, and will not be repeated here.

[0120] Example 3

[0121] This embodiment describes a computer system having a memory and a processor. The memory stores computer instructions, which, when executed by the processor, implement the steps of the backdoor security assessment method for a text-to-image generation system described in Embodiment 1.

[0122] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0123] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0124] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0125] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0126] The embodiments of the present invention have been described above with reference to the accompanying drawings. However, the present invention is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. Those skilled in the art can make many other forms under the guidance of the present invention without departing from the spirit and scope of the claims. All of these forms are within the protection scope of the present invention.

Claims

1. A method for backdoor security assessment in a text-to-image generation system, characterized in that, include: Construct a host sample set, which includes host text prompts and host image samples corresponding to the host text prompts; A pre-set trigger is injected into at least a portion of the host text prompts in the host sample set to obtain the poisoned sample set; The poisoned sample set is mixed with the original clean training sample set at a preset ratio to form a mixed training sample set; wherein, the original clean training sample set is the host text prompt in the host sample set that has not been injected with the preset trigger; A text-to-image generation model is trained based on the hybrid training sample set to obtain a victim model for simulating backdoor attacks; The test text prompts without the trigger and the test text prompts with the trigger are respectively input into the victim model to obtain the corresponding test images; Based on the test image, calculate the result of the victim model performing a generation quality test without the test text prompt with the trigger; and the result of performing a backdoor response test with the test text prompt with the trigger. Based on the results of the quality generation test and the backdoor response test, the backdoor security of the victim model is evaluated, and the backdoor security evaluation conclusion of the text-to-image generation system is obtained.

2. The backdoor security assessment method for a text-to-image generation system according to claim 1, characterized in that, The construction of the host sample set includes: Based on the text-to-image generation model to be evaluated, a target loss function for backdoor security evaluation is constructed. Based on the target loss function, the variables of the host text prompt and / or the image generation process corresponding to the host text prompt are iteratively optimized to obtain the host sample set.

3. The backdoor security assessment method for a text-to-image generation system according to claim 2, characterized in that, The text-to-image generation model is a diffusion-based latent space generation model.

4. The backdoor security assessment method for a text-to-image generation system according to claim 2, characterized in that, The target loss function is a multi-objective joint loss function, which includes at least the basic noise prediction loss, feature consistency loss, and frequency domain loss. The calculation expression of the target loss function is as follows: (1), In the formula, L total Indicates target loss. L base This represents the basic noise prediction loss. L feat This represents the feature consistency loss. L freq Indicates frequency domain loss; λ 1 , λ 2 as well as λ 3 These represent the adjustable coefficients used to balance the weights of each loss term in the multi-objective loss function.

5. The backdoor security assessment method for a text-to-image generation system according to claim 3, characterized in that, The text-to-image generation model includes a denoising network, wherein a multi-scale feature perception and fusion structure is introduced into the multi-level feature representation in the denoising network. The multi-scale feature perception and fusion structure includes a spatial branch and a frequency domain branch. The spatial branch is used to extract spatial domain features, and the frequency domain branch is used to perform frequency domain transformation on the features and extract frequency domain features. The spatial features and frequency domain features are then weighted and fused using dynamic gating.

6. The backdoor security assessment method for a text-to-image generation system according to claim 1, characterized in that, The preset trigger is an implicit trigger selected from a trigger pool; wherein, the trigger pool includes text trigger words, subwords or subword combinations, character variants and Unicode variant triggers; the implicit trigger is trigger information that does not change semantically or changes by less than a preset threshold.

7. The backdoor security assessment method for a text-to-image generation system according to claim 6, characterized in that, The step of injecting the preset trigger into at least a portion of the text prompts in the host sample set is specifically implemented through the following expression: (2), In the formula, y i Indicates the first i A host text prompt, τ Indicates a hidden trigger. Insert(·) Indicates an injection operation. Indicates the process Insert(·) With a hidden trigger τ The text prompt; Indicates the first i The target constraints corresponding to the abnormal response of each target; N p This indicates the number of text hints with hidden triggers injected into the host sample set; D poison This represents the set of poisoned samples.

8. The backdoor security assessment method for a text-to-image generation system according to claim 1, characterized in that, The generation quality test is used to obtain performance retention metrics for normal tasks, in order to characterize the degree of generation quality degradation of the model under non-triggered conditions; The backdoor response test is used to obtain a backdoor trigger response strength index to characterize the hit rate of the model's response to the target under trigger conditions; wherein, the normal task performance maintenance index includes at least one of the text consistency score (TCS), image quality index (FID), and perceptual similarity index (LPIPS), and the backdoor trigger response strength index includes the attack success rate (ASR).

9. A backdoor security assessment device for a text-to-image generation system, characterized in that, include: The host sample set construction module is configured to construct a host sample set, which includes host text prompts and host image samples corresponding to the host text prompts. The trigger injection module is configured to inject a preset trigger into at least a portion of the text prompts in the host sample set to obtain a poisoned sample set. The training set construction module is configured to: mix the poisoned sample set with the original clean training sample set at a preset ratio to form a mixed training sample set; The model training module is configured to train a text-to-image generation model based on the hybrid training sample set to obtain a victim model for simulating backdoor attacks. The test execution module is configured to input the test text prompt without the trigger and the test text prompt with the trigger into the victim model respectively to obtain the corresponding test image; The indicator calculation module is configured to: calculate the result of the victim model performing a generation quality test without the trigger-based test text prompt, based on the test image; And the results of performing a backdoor response test with the test text prompt containing the aforementioned trigger; The security assessment module is configured to: perform a backdoor security assessment on the victim model based on the results of the generation quality test and the backdoor response test, and obtain a backdoor security assessment conclusion for the text-to-image generation system.

10. A computer system, characterized in that, include: Memory, used to store computer instructions; A processor for executing the computer instructions to implement the steps of the backdoor security assessment method for a text-to-image generation system as described in any one of claims 1 to 8.