
MetaCloak: Preventing Unauthorized Subject-driven Text-to-image Diffusion-based Synthesis via Meta-learning

Published 22 Nov 2023 in cs.CV, cs.AI, and cs.CR | (2311.13127v5)

Abstract: Text-to-image diffusion models allow seamless generation of personalized images from scant reference photos. Yet, these tools, in the wrong hands, can fabricate misleading or harmful content, endangering individuals. To address this problem, existing poisoning-based approaches perturb user images in an imperceptible way to render them "unlearnable" from malicious uses. We identify two limitations of these defending approaches: i) sub-optimal due to the hand-crafted heuristics for solving the intractable bilevel optimization and ii) lack of robustness against simple data transformations like Gaussian filtering. To solve these challenges, we propose MetaCloak, which solves the bi-level poisoning problem with a meta-learning framework with an additional transformation sampling process to craft transferable and robust perturbation. Specifically, we employ a pool of surrogate diffusion models to craft transferable and model-agnostic perturbation. Furthermore, by incorporating an additional transformation process, we design a simple denoising-error maximization loss that is sufficient for causing transformation-robust semantic distortion and degradation in a personalized generation. Extensive experiments on the VGGFace2 and CelebA-HQ datasets show that MetaCloak outperforms existing approaches. Notably, MetaCloak can successfully fool online training services like Replicate, in a black-box manner, demonstrating the effectiveness of MetaCloak in real-world scenarios. Our code is available at https://github.com/liuyixin-louis/MetaCloak.


Summary

  • The paper introduces MetaCloak, a novel meta-learning framework creating transferable image perturbations to prevent unauthorized subject-driven diffusion synthesis.
  • MetaCloak uses Expectation Over Transformation and a denoising-error maximization loss for robustness against transformations and effective model distortion.
  • Empirical results show MetaCloak outperforms existing methods across standard datasets and online platforms, improving key metrics like Subject Detection Score.

An Analysis of MetaCloak: Safeguarding Image Privacy in Diffusion-Based Generative Models

The paper introduces a novel strategy, MetaCloak, to address the emerging challenges posed by diffusion models in unauthorized subject-driven image generation. These models can generate personalized images using minimal reference data, posing significant privacy risks when misused. The existing solutions, primarily poisoning-based, fall short due to their hand-crafted, heuristic methodologies and vulnerability to minor data transformations. MetaCloak proposes a robust alternative, employing meta-learning to create image perturbations that are both resistant to transformations and effective across different model training trajectories.

Key Contributions

  1. Meta-Learning Framework: The cornerstone of MetaCloak is its meta-learning approach, which, unlike traditional methods, does not rely solely on specific heuristics. Instead, it trains a set of surrogate models through staggered steps to craft perturbations that are transferable across different models. This technique ensures the crafted perturbations remain effective even when applied to models not encountered during the training phase.
  2. Robust Perturbations Against Transformations: MetaCloak incorporates an Expectation Over Transformation (EOT) mechanism, enabling it to maintain robustness against standard data pre-processing transformations such as filtering and cropping. This is crucial, considering adversaries might apply simple image transformations to thwart protection mechanisms.
  3. Denoising-Error Maximization Loss: Instead of conventional quality metrics that are susceptible to overfitting, MetaCloak utilizes a denoising-error maximization loss. This novel approach distorts the model’s perception, creating semantically unrecognizable images, and thus provides another layer of protection.
  4. Comprehensive Evaluation: The effectiveness of MetaCloak is not only demonstrated on standard datasets like VGGFace2 and CelebA-HQ but also validated through practical scenarios on online platforms such as Replicate. This real-world applicability underscores the method’s potential impact.
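
The first three contributions (a surrogate pool, Expectation Over Transformation, and denoising-error maximization under a perturbation budget) fit together as in the toy sketch below. It is an added illustration, not the paper's or the MetaCloak repository's code: the linear "denoisers", the 1-D "image", the noise-schedule constants, the blur pool and every function name are assumptions. The expectation is taken exactly over a small fixed pool rather than by sampling, and the surrogate training steps of the meta-learning loop are not reproduced.

```python
import numpy as np

A, B = 0.8, 0.6  # assumed toy noise schedule: z = A*x + B*eps, A**2 + B**2 = 1

def blur(n, width):
    """Moving-average filter as an n x n matrix (width=1 is the identity)."""
    T = np.zeros((n, n))
    for i in range(n):
        for j in range(i - width // 2, i + width // 2 + 1):
            T[i, min(max(j, 0), n - 1)] += 1.0 / width   # clamp at the borders
    return T

def residuals(W, T, x, delta, noise):
    """eps - W z for each noise draw (row of `noise`), z = A*T(x+delta) + B*eps."""
    return noise - (A * (T @ (x + delta)) + B * noise) @ W.T

def denoise_error(models, transforms, x, delta, noise):
    """Denoising error averaged over models, transforms and the noise bank."""
    return float(np.mean([(residuals(W, T, x, delta, noise) ** 2).sum(axis=1).mean()
                          for W in models for T in transforms]))

def grad(models, transforms, x, delta, noise):
    """Exact gradient of denoise_error with respect to delta."""
    g = sum(T.T @ (W.T @ residuals(W, T, x, delta, noise).mean(axis=0))
            for W in models for T in transforms)
    return -2 * A * g / (len(models) * len(transforms))

def cloak(x, models, transforms, noise, radius=0.05, step=0.01, iters=20):
    """Sign-gradient ascent on the denoising error inside an L-infinity ball."""
    delta = np.zeros_like(x)
    for _ in range(iters):
        delta = delta + step * np.sign(grad(models, transforms, x, delta, noise))
        delta = np.clip(delta, -radius, radius)       # perturbation budget
        delta = np.clip(x + delta, 0.0, 1.0) - x      # keep pixels in [0, 1]
    return delta

def demo(seed=0, n=16, m=64):
    """Constructed data: 1-D image, jittered linear denoisers, fixed noise bank."""
    rng = np.random.default_rng(seed)
    x = rng.uniform(0.2, 0.8, n)
    base = rng.normal(0, n ** -0.5, (n, n))
    pool = [base + rng.normal(0, 0.05, (n, n)) for _ in range(3)]  # surrogates
    held_out = [base + rng.normal(0, 0.05, (n, n))]                # unseen model
    transforms = [blur(n, w) for w in (1, 3, 5)]                   # EOT pool
    noise = rng.standard_normal((m, n))
    delta = cloak(x, pool, transforms, noise)
    err = lambda ms, d: denoise_error(ms, transforms, x, d, noise)
    return {"max_abs_delta": float(np.abs(delta).max()),           # (clean, cloaked)
            "pool": (err(pool, 0 * delta), err(pool, delta)),
            "held_out": (err(held_out, 0 * delta), err(held_out, delta))}
```

demo() returns the denoising error before and after cloaking for the surrogate pool and for a model that was not used during crafting; the second pair is the transferability check in this toy setting.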

Numerical Outcomes and Implications

The empirical results from the paper illustrate MetaCloak’s superiority over existing methods like Anti-DreamBooth and Glaze. For example, when dealing with transformation-augmented training settings, MetaCloak shows a substantial improvement in metrics such as Subject Detection Score (SDS), Identity Matching Score (IMS), and quality assessments using CLIP-IQAC and LIQE. These advancements imply that MetaCloak achieves a multi-faceted degradation in image generation fidelity, affecting both quality and semantic accuracy.

Practical Implications and Future Directions

MetaCloak’s development signifies an important step towards privacy-centric diffusion models. Its ability to craft robust, transferable perturbations opens new paths for protecting personal data in AI applications. The introduction of a meta-learning framework aligns well with contemporary trends in AI, offering a scalable and adaptable solution to evolving privacy threats.

The paper suggests future work could explore expanding MetaCloak to other modalities beyond image synthesis, such as video or audio, where diffusion models are beginning to gain prominence. Moreover, enhancing the technique’s stealth to further minimize perceptibility without compromising efficacy could be another fruitful research avenue, potentially involving advanced perceptual metrics.

Conclusion

MetaCloak presents a significant advancement in the field of data protection against generative models, offering a sophisticated approach that bridges the gap between theoretical robustness and practical applicability. As generative models continue to evolve, tools like MetaCloak will be essential in maintaining privacy and safeguarding against unauthorized use, setting a benchmark for future developments in this critical area of AI research.
