Welcome to the official implementation of UnlearnDiffAtk, which capitalizes on the intrinsic classification abilities of Diffusion Models (DMs) to simplify the creation of adversarial prompts, thereby eliminating the need for auxiliary classification or diffusion models.Through extensive benchmarking, we evaluate the robustness of five widely-used safety-driven unlearned DMs (i.e., DMs after unlearning undesirable concepts, styles, or objects) across a variety of tasks.
|
The recent advances in diffusion models (DMs) have revolutionized the generation of complex and diverse images. However, these models also introduce potential safety hazards, such as the produc- tion of harmful content and infringement of data copyrights. Although there have been efforts to create safety-driven unlearning methods to counteract these challenges, doubts remain about their capabilities. To bridge this uncertainty, we propose an evaluation framework built upon adversarial attacks (also referred to as adversarial prompts), in order to discern the trustworthiness of these safety-driven unlearned DMs. Specifically, our research explores the (worst-case) robustness of unlearned DMs in eradicating unwanted concepts, styles, and objects, assessed by the generation of adversarial prompts. We develop a novel adversarial learning approach called UnlearnDiff that leverages the inherent classification capabilities of DMs to streamline the generation of adversarial prompts, making it as simple for DMs as it is for image classification attacks. This technique streamlines the creation of adversarial prompts, making the process as intuitive for generative modeling as it is for image classification assaults. Through comprehensive benchmarking, we assess the unlearning robustness of five prevalent unlearned DMs across multiple tasks. Our results underscore the effectiveness and efficiency of UnlearnDiff when compared to state-of-the-art adversarial prompting methods
- NSFW: Nudity
- Style: Van Gogh
- Object: Church, Tench, Parachute, Garbage Truck
- Pre-Attack Success Rate (Pre-ASR): lower is better;
- Post-Attack Success Rate (Post-ASR): lower is better;
- Fréchet inception distance(FID): evaluate distributional quality of image generations, lower is better;
- CLIP Score: measure contextual alignment with prompt descriptions, higher is better.
| Unlearned Methods | Pre-ASR (%) | Post-ASR (%) | FID | CLIP-Score |
|---|---|---|---|---|
| EraseDiff (ED) | 0.00 | 2.11 | 233 | 0.18 |
| ScissorHands (SH) | 0.00 | 7.04 | 128.53 | 0.235 |
| Saliency Unlearning (SalUn) | 1.41 | 11.27 | 33.62 | 0.287 |
| Adversarial Unlearning (AdvUnlearn) | 7.75 | 21.13 | 19.34 | 0.290 |
| Erased Stable Diffusion (ESD) | 20.42 | 76.05 | 18.18 | 0.302 |
| Unified Concept Editing (UCE) | 21.83 | 79.58 | 17.10 | 0.309 |
| Forget-Me-Not (FMN) | 88.03 | 97.89 | 16.86 | 0.308 |
| concept-SemiPermeable Membrane (SPM) | 54.93 | 91.55 | 17.48 | 0.310 |
Open a github issue or email us at zhan1853@msu.edu!
FULL UnlearnDiffAtk Unlearned DM benchmark can be found in Huggingface!
configs: contains the default parameter for each methods
prompts: contains the prompts we selected for each experiments
src: contains the source code for the proposed methods
attackers: contains different attack methods (different discrete optimization methods)tasks: contains different type of attacks (auxiliary model-based attacks P4D, and ours UnlearnDiff)execs: contains the main execution files to run experimentsloggers: contains the logger codes for the experiments
conda env create -n ldm --file environments/x86_64.yaml
We provide different unlearned models (ESD and FMN), and you can download them from [Object , Others]. We also provide an Artist classifier for evaluating the style task. You can download it from here.
python src/execs/generate_dataset.py --prompts_path prompts/nudity.csv --concept i2p_nude --save_path files/dataset
In this section, we provide the instructions to reproduce the results on nudity (ESD) in our paper. You can change the config file path to reproduce the results on other concepts or unlearned models.
python src/execs/attack.py --config-file configs/nudity/no_attack_esd_nudity_classifier.json --attacker.attack_idx $i --logger.name attack_idx_$i
where i is from [0,142)
python src/execs/attack.py --config-file configs/nudity/text_grad_esd_nudity_classifier.json --attacker.attack_idx $i --logger.name attack_idx_$i
where i is from [0,142)
For nudity/violence/illegal/objects:
python scripts/analysis/check_asr.py --root-no-attack $path_to_no_attack_results --root $path_to_${P4D|UnlearnDiff}_results
For style:
python scripts/analysis/style_analysis.py --root $path_to_${P4D|UnlearnDiff}_results --top_k {1|3}
@article{zhang2023generate,
title={To Generate or Not? Safety-Driven Unlearned Diffusion Models Are Still Easy To Generate Unsafe Images... For Now},
author={Zhang, Yimeng and Jia, Jinghan and Chen, Xin and Chen, Aochuan and Zhang, Yihua and Liu, Jiancheng and Ding, Ke and Liu, Sijia},
journal={arXiv preprint arXiv:2310.11868},
year={2023}
}