SafeCtrl: Region-Aware Safety Control for Text-to-Image Diffusion via Detect-Then-Suppress

Abstract: The widespread deployment of text-to-image diffusion models is significantly challenged by the generation of visually harmful content, such as sexually explicit content, violence, and horror imagery. Common safety interventions, ranging from input filtering to model concept erasure, often suffer from two critical limitations: (1) a severe trade-off between safety and context preservation, where removing unsafe concepts degrades the fidelity of the safe content, and (2) vulnerability to adversarial attacks, where safety mechanisms are easily bypassed. To address these challenges, we propose SafeCtrl, a Region-Aware safety control framework operating on a Detect-Then-Suppress paradigm. Unlike global safety interventions, SafeCtrl first employs an attention-guided Detect module to precisely localize specific risk regions. Subsequently, a localized Suppress module, optimized via image-level Direct Preference Optimization (DPO), neutralizes harmful semantics only within the detected areas, effectively transforming unsafe objects into safe alternatives while leaving the surrounding context intact. Extensive experiments across multiple risk categories demonstrate that SafeCtrl achieves a superior trade-off between safety and fidelity compared to state-of-the-art methods. Crucially, our approach exhibits improved resilience against adversarial prompt attacks, offering a precise and robust solution for responsible generation.

• The paper introduces a region-aware detect-then-suppress strategy to localize and neutralize harmful content in text-to-image diffusion models.
• It leverages lightweight attention modules on U-Net activations for spatial risk mask generation, maintaining high image fidelity with minimal intervention.
• SafeCtrl achieves a superior safety-utility balance with an unsafe ratio of 0.11 and improved H-Score, outperforming previous global and local safety methods.

SafeCtrl: Region-Aware Safety Control for Text-to-Image Diffusion via Detect-Then-Suppress

Motivation and Problem Statement

The deployment of text-to-image diffusion models is impeded by their capacity to generate visually harmful content—ranging from explicit nudity to violence and horror. Existing safety mechanisms for these models predominantly leverage global interventions, such as input filtering and concept erasure via model fine-tuning or inference guidance. These approaches suffer from two principal deficiencies: first, a critical trade-off between safety and preservation of non-harmful content; second, susceptibility to adversarial prompt attacks, wherein cleverly disguised prompts circumvent text-based filters. Existing attempts to localize intervention, such as Concept Replacer, introduce heavy computational and memory overhead, and often replace harmful content with semantically rigid or artifact-laden alternatives. SafeCtrl circumvents these limitations by implementing a region-aware "Detect-Then-Suppress" strategy, leveraging internal visual representations for risk localization and intervention.

Methodology

Region-Aware Safety via Detect-and-Suppress

SafeCtrl introduces minimal architectural adjustments to the baseline Stable Diffusion (SD) workflow. The central innovation is the decomposition of the safety task into two lightweight, external modules:

• Attention-Guided Detection Module: This module inspects intermediate U-Net activations (specifically, cross-attention and self-attention maps) to produce spatial risk masks. These masks identify regions associated with unsafe visual concepts, and are optimized using Dice and L1 losses on a limited number of annotated images. The design ensures the model is robust even under few-shot supervision for new risk categories.
• Preference-Aligned Suppression Module: Upon risk localization, the Suppress module neutralizes the semantics of the detected regions, leaving the rest of the image intact. Suppression is learned directly in the latent space using image-level Direct Preference Optimization (DPO). DPO aligns suppression behavior with human preferences, defined by pairs of safe and unsafe images, thus obviating the need for pixel-level annotation. The fusion mechanism ensures regions classified as background remain mathematically identical post-intervention.

Dynamic Scheduling

The modules operate only in selected diffusion windows: detection is performed when semantic content stabilizes (timestep [T_start, T_switch]), followed immediately by local suppression. This windowed scheduling minimizes computational overhead and maximizes both risk mask accuracy and generative fidelity.

Experimental Evaluation

Safety versus Fidelity Trade-off

SafeCtrl is quantitatively benchmarked against state-of-the-art global and local safety baselines—including SLD, ESD, AlignGuard, RDM, and Concept Replacer—on standard datasets such as I2P, COCO-30k, and Ring-A-Bell (for adversarial robustness). The following results are salient:

• Lowest Unsafe Ratio: SafeCtrl achieves an overall unsafe ratio of 0.11 on I2P, outperforming Concept Replacer (0.12) and substantially lower than global approaches like ESD (0.18) and AlignGuard (0.14).
• High Image Fidelity: The FID (15.03) and CLIP (0.2616) scores are nearly as strong as raw Stable Diffusion (14.30 FID, 0.2626 CLIP), demonstrating minimal negative impact on harmless content.
• Safety-Utility Balance: Measured by H-Score (harmonic mean of safety and normalized utility), SafeCtrl establishes a new upper bound (0.906 vs. 0.828 for Concept Replacer), decisively affirming its ability to reconcile safety with generative performance.

Localization Accuracy

Few-shot localization experiments on Pascal-Car, CelebA-HQ, and Pascal-Horse reveal SafeCtrl's mIoU (72.0 average) exceeds both unsupervised/few-shot segmentation and the heavyweight Concept Replacer, verifying the efficacy of appropriating U-Net attention features for risk region detection.

Robustness to Adversarial Prompts

Ring-A-Bell evaluations highlight SafeCtrl's fundamental advantage: anchoring detection in visual features rather than textual embeddings ensures robustness (unsafe ratio 0.28, on par with CR and significantly outperforming AlignGuard and SLD) against prompt obfuscation attacks.

Efficiency

SafeCtrl introduces an order of magnitude fewer parameters (~75M) compared with Concept Replacer's approach (~860M), and demonstrates lower inference latency (11.77s vs. 12.70s), firmly positioning SafeCtrl as a deployment-friendly plugin for industrial-scale image generation systems.

Qualitative Insights and Generalization

Qualitative analyses illustrate that global baselines frequently distort non-harmful content, whereas SafeCtrl achieves fine-grained suppression of only the risk regions. Notably, the method generalizes cleanly across a spectrum of harmful content domains, including violent and supernatural imagery, by efficiently masking guns, knives, ghosts, and similar concepts with no degradation or artifacts in the surrounding context.

Implications and Future Directions

SafeCtrl's modular, region-aware approach fundamentally shifts the paradigm for responsible generative AI by:

• Decoupling risk intervention from both textual and global visual features, thus resisting adversarial strategies and preserving image utility.
• Reducing annotation and adaptation costs for new risk classes via few-shot and image-level supervision.
• Establishing an extensible and lightweight framework suitable for real-world deployment under hardware constraints.

Potential research directions include exploring hierarchical or compositional risk detection, integrating multimodal feedback for subjective harm criteria, or leveraging SafeCtrl as a foundation for responsible editing and redacting in other generative architectures (e.g., video, 3D).

Conclusion

SafeCtrl represents a definitive advancement in localized safety control for text-to-image diffusion models, attaining state-of-the-art performance across safety, fidelity, adversarial robustness, and efficiency metrics. Attention-guided detection of risk regions combined with preference-aligned local suppression enables SafeCtrl to set a new standard for responsible and controllable image generation.