Saved in:
Bibliographic Details
Main Authors: Styborski, Jeremy, Lyu, Mingzhi, Lu, Jiayou, Kapur, Nupur, Kong, Adams
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2507.10578
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866911135479889920
author Styborski, Jeremy
Lyu, Mingzhi
Lu, Jiayou
Kapur, Nupur
Kong, Adams
author_facet Styborski, Jeremy
Lyu, Mingzhi
Lu, Jiayou
Kapur, Nupur
Kong, Adams
contents Poisoning attacks pose significant challenges to the robustness of diffusion models (DMs). In this paper, we systematically analyze when and where poisoning attacks textual inversion (TI), a widely used personalization technique for DMs. We first introduce Semantic Sensitivity Maps, a novel method for visualizing the influence of poisoning on text embeddings. Second, we identify and experimentally verify that DMs exhibit non-uniform learning behavior across timesteps, focusing on lower-noise samples. Poisoning attacks inherit this bias and inject adversarial signals predominantly at lower timesteps. Lastly, we observe that adversarial signals distract learning away from relevant concept regions within training data, corrupting the TI process. Based on these insights, we propose Safe-Zone Training (SZT), a novel defense mechanism comprised of 3 key components: (1) JPEG compression to weaken high-frequency poison signals, (2) restriction to high timesteps during TI training to avoid adversarial signals at lower timesteps, and (3) loss masking to constrain learning to relevant regions. Extensive experiments across multiple poisoning methods demonstrate that SZT greatly enhances the robustness of TI against all poisoning attacks, improving generative quality beyond prior published defenses. Code: www.github.com/JStyborski/Diff_Lab Data: www.github.com/JStyborski/NC10
format Preprint
id arxiv_https___arxiv_org_abs_2507_10578
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle When and Where do Data Poisons Attack Textual Inversion?
Styborski, Jeremy
Lyu, Mingzhi
Lu, Jiayou
Kapur, Nupur
Kong, Adams
Cryptography and Security
Artificial Intelligence
Poisoning attacks pose significant challenges to the robustness of diffusion models (DMs). In this paper, we systematically analyze when and where poisoning attacks textual inversion (TI), a widely used personalization technique for DMs. We first introduce Semantic Sensitivity Maps, a novel method for visualizing the influence of poisoning on text embeddings. Second, we identify and experimentally verify that DMs exhibit non-uniform learning behavior across timesteps, focusing on lower-noise samples. Poisoning attacks inherit this bias and inject adversarial signals predominantly at lower timesteps. Lastly, we observe that adversarial signals distract learning away from relevant concept regions within training data, corrupting the TI process. Based on these insights, we propose Safe-Zone Training (SZT), a novel defense mechanism comprised of 3 key components: (1) JPEG compression to weaken high-frequency poison signals, (2) restriction to high timesteps during TI training to avoid adversarial signals at lower timesteps, and (3) loss masking to constrain learning to relevant regions. Extensive experiments across multiple poisoning methods demonstrate that SZT greatly enhances the robustness of TI against all poisoning attacks, improving generative quality beyond prior published defenses. Code: www.github.com/JStyborski/Diff_Lab Data: www.github.com/JStyborski/NC10
title When and Where do Data Poisons Attack Textual Inversion?
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2507.10578