Anti-Tamper Perturbation (ATP)
- Anti-Tamper Perturbation (ATP) is a dual-component framework that embeds protection and authorization perturbations in the frequency domain to counter unauthorized image synthesis.
- It utilizes a masked Block-DCT transformation with improved frequency-domain PGD to ensure that common preprocessing like resizing or JPEG compression disrupts tampering attempts.
- ATP is evaluated with metrics such as Bit-error and Protection Success Rate, achieving 100% protection under purification while highlighting limitations under full adversarial knowledge.
Searching arXiv for the target ATP paper and closely related anti-tamper works. Searching arXiv for "Anti-Tamper Perturbation unauthorized individual image generation". Anti-Tamper Perturbation (ATP) is a protection framework for unauthorized individual image generation in which a protected image carries two coordinated perturbation components: a protection perturbation that disrupts forgery generation and an authorization perturbation that detects purification-based tampering. In the formulation introduced for portrait-rights and privacy protection, both perturbations are applied in the frequency domain under the guidance of a mask, so that the protection perturbation does not disrupt the authorization perturbation, while the authorization perturbation remains sensitive to perturbation-altering preprocessing such as resizing, JPEG compression, and GridPure (Li et al., 5 Aug 2025).
1. Definition and threat model
ATP was proposed in response to unauthorized personalized image generation, in which an attacker collects a victim’s face photos and uses subject-driven generation systems such as DreamBooth-, Textual Inversion-, or LoRA-style personalization systems to synthesize forged portraits (Li et al., 5 Aug 2025). The motivating concern is not generic image editing, but a specific pipeline in which online image-generation services may be used to create fake images of real individuals, thereby infringing portrait rights and personal privacy.
The central threat addressed by ATP is the failure mode of earlier protection perturbation methods under purification. Prior defenses such as AdvDM, Anti-DB, CAAT, and MetaCloak inject protection perturbations into images to degrade downstream personalized generation, but these perturbations can be weakened when an attacker first applies resizing, JPEG compression, or advanced purification such as GridPure (Li et al., 5 Aug 2025). ATP treats such preprocessing as tampering with the protection perturbation rather than merely as a robustness nuisance.
This framing distinguishes ATP from ordinary adversarial perturbation. The goal is not to induce a misclassification in a deployed model, but to embed a perturbation that supports two outcomes: direct disruption of unauthorized generation when the image is used as-is, and detection of perturbation-altering tampering when the attacker tries to neutralize the protection. A plausible implication is that ATP is best understood as a hybrid of adversarial protection and fragile authorization signaling rather than as a single-purpose adversarial example.
2. Dual-perturbation architecture
ATP consists of two components with distinct roles (Li et al., 5 Aug 2025). The protection perturbation is the adversarial component used to defend against forgery attacks by degrading the fine-tuning or subject-learning process in personalized generation. The authorization perturbation embeds a binary authorization message and serves as an integrity check; if purification disturbs this signal, the service provider can detect the disturbance by measuring bit error in the recovered message.
The basic masked composition is given as
$P_{AP}(I) = M \odot P_{Auth}(I) + (1-M) \odot P_{Prot}(I),$
where $I$ is the input image, $M$ is a binary mask, $P_{AP}(\cdot)$ is Anti-Tamper Perturbation, $P_{Auth}(\cdot)$ is authorization perturbation, and $P_{Prot}(\cdot)$ is protection perturbation (Li et al., 5 Aug 2025). Mask entries are sampled from a Bernoulli distribution, with default mask ratio $p = 0.5$.
The paper emphasizes that authorization perturbation alone is insufficient as a protection mechanism. On CelebA-HQ, Authorization Alone yields CLIP-IQAC $0.3258$, LIQE $3.6935$, ISM $0.6414$, and FDFR $I$0, whereas ATP (CAAT) yields CLIP-IQAC $I$1, LIQE $I$2, ISM $I$3, and FDFR $I$4 (Li et al., 5 Aug 2025). This suggests that the authorization branch is designed for verification rather than for direct sabotage of personalized generation.
The resulting design addresses two opposing requirements simultaneously. Protection perturbation should remain effective against unauthorized generation, whereas authorization perturbation should be stable in the untampered case but fragile under purification. This is conceptually close to semi-fragile watermarking, but ATP is explicitly organized around attack-stage rejection within a service workflow rather than around generic watermark persistence.
3. Frequency-domain formulation and optimization
ATP implements perturbation separation in the frequency domain rather than in pixel space. The formulation is
$I$5
where $I$6 is the transform from pixel domain to frequency domain and $I$7 is the inverse transform back to image space (Li et al., 5 Aug 2025). The transform is instantiated as BDCT (Block Discrete Cosine Transformation), using non-overlapping blocks with default side length $I$8.
For each block, the DCT is
$I$9
with
$M$0
and the inverse BDCT is
$M$1
The paper states that $M$2 when $M$3, and $M$4 otherwise (Li et al., 5 Aug 2025).
The stated motivation for this design is twofold. First, the mask partitions coefficients into authorization and protection regions. Second, after inverse transformation, both perturbation types are mixed across image pixels, making them indistinguishable in pixel space while remaining separable by mask in frequency space (Li et al., 5 Aug 2025). Appendix evidence further reports that after purification, the proportion of changed values is higher in frequency domain than in pixel domain: for $M$5 resizing, frequency $M$6 versus pixel $M$7; for JPEG $M$8, frequency $M$9 versus pixel $P_{AP}(\cdot)$0 (Li et al., 5 Aug 2025). This suggests that a frequency-domain authorization signal is more sensitive to purification than a purely pixel-domain design.
The protection branch required a modified optimization procedure. A straightforward masked frequency-domain PGD,
$P_{AP}(\cdot)$1
was argued to invalidate mask guidance because sign and projection are performed in pixel space (Li et al., 5 Aug 2025). ATP therefore introduces Improved Frequency Domain PGD, in which sign and projection are moved into the frequency domain:
- $P_{AP}(\cdot)$2
- $P_{AP}(\cdot)$3
- $P_{AP}(\cdot)$4
- $P_{AP}(\cdot)$5
- $P_{AP}(\cdot)$6
This frequency-domain projection is presented as essential for preserving accurate masked updates (Li et al., 5 Aug 2025).
4. Authorization embedding and verification
The authorization perturbation is implemented with a convolutional autoencoder $P_{AP}(\cdot)$7 inspired by steganography (Li et al., 5 Aug 2025). Let $P_{AP}(\cdot)$8 denote the frequency coefficients and $P_{AP}(\cdot)$9 a binary authorization message of length $P_{Auth}(\cdot)$0. The embedding is defined as
$P_{Auth}(\cdot)$1
and the authorized image is
$P_{Auth}(\cdot)$2
The message is a binary string of length $P_{Auth}(\cdot)$3, and a separate decoder $P_{Auth}(\cdot)$4 is trained to recover it (Li et al., 5 Aug 2025).
The training objective combines four losses:
$P_{Auth}(\cdot)$5
$P_{Auth}(\cdot)$6
together with image reconstruction loss $P_{Auth}(\cdot)$7 and adversarial generator loss $P_{Auth}(\cdot)$8. The total loss is
$P_{Auth}(\cdot)$9
with $P_{Prot}(\cdot)$0, $P_{Prot}(\cdot)$1, and $P_{Prot}(\cdot)$2 (Li et al., 5 Aug 2025).
Verification is based on Bit-error, defined operationally as the error between the extracted message and the original message. ATP uses a Bit-error threshold of $P_{Prot}(\cdot)$3; if bit-error exceeds this threshold, the image is considered unauthorized (Li et al., 5 Aug 2025). The service-level rule is that if a user submits four images for generation and at least one is unauthorized, the service provider rejects the request; such rejection counts as successful protection and yields PSR = 1.0 for that request (Li et al., 5 Aug 2025).
This verification logic is a defining feature of ATP. Rather than making purification impossible, the method aims to make purification operationally self-defeating in provider-mediated settings. A common misconception is that ATP is simply a more robust protection perturbation; the paper instead presents it as a tamper-proof mechanism in which purification triggers a verification failure (Li et al., 5 Aug 2025).
5. Experimental behavior, metrics, and results
ATP was evaluated using FFHQ for authorization perturbation training and CelebA-HQ and VGGFace2 for protection perturbation evaluation, following the Anti-DB setup with 50 subjects from each dataset and 8 images per subject (Li et al., 5 Aug 2025). The main personalized generation pipeline used Stable Diffusion v2-1 as the base model and DreamBooth for personalization, with prompt "a photo of sks person". Generalization tests also used SD1.5 + DreamBooth and SD2.1 + SVDiff (Li et al., 5 Aug 2025).
The principal evaluation metrics were Bit-error for authorization, and CLIP-IQAC, LIQE, FDFR, and ISM for generation quality and identity preservation (Li et al., 5 Aug 2025). Protection Success Rate (PSR) was based on a CLIP-IQAC threshold of $P_{Prot}(\cdot)$4 together with the unauthorized-image rejection rule induced by bit-error $P_{Prot}(\cdot)$5 (Li et al., 5 Aug 2025).
The headline empirical claim is that existing perturbation-only methods suffer unavoidable PSR drops under purification, whereas ATP achieves 100% Protection Success Rate under purification because tampering is detected and the request is rejected (Li et al., 5 Aug 2025). Without purification, ATP is reported to preserve ordinary protection effectiveness and often improve some metrics relative to the underlying baseline method. On CelebA-HQ, for example, MetaCloak reports CLIP-IQAC $P_{Prot}(\cdot)$6, LIQE $P_{Prot}(\cdot)$7, ISM $P_{Prot}(\cdot)$8, and FDFR $P_{Prot}(\cdot)$9, while MetaCloak+Ours reports CLIP-IQAC $p = 0.5$0, LIQE $p = 0.5$1, ISM $p = 0.5$2, and FDFR $p = 0.5$3 (Li et al., 5 Aug 2025).
Ablation results show that all three ingredients—masking, BDCT-domain design, and improved frequency-domain PGD—were necessary for low authorization error. On CelebA-HQ, the variant with no BDCT, no improved-PGD, and no mask yields 349.84e-3 bit-error; adding mask alone yields 42.031e-3; BDCT with mask but no improved-PGD yields 81.719e-3; and the full method yields 0.4688e-3 (Li et al., 5 Aug 2025). The VGGFace2 ablation follows the same pattern, with 0.7813e-3 for the full method (Li et al., 5 Aug 2025).
Adaptive attacks were also considered. For MetaCloak+ATP on VGGFace2, baseline bit-error without attack is $p = 0.5$4. If the attacker knows the mask but not BDCT hyperparameters, changing block size from 16 to 8 raises bit-error to $p = 0.5$5. If the attacker knows the hyperparameters but not the mask, applying rounding to all coefficients yields $p = 0.5$6. If the attacker knows both mask and hyperparameters, verification can be bypassed and PSR drops to 0.33 (Li et al., 5 Aug 2025). This delimits ATP’s security assumptions: it is robust to partial-knowledge adaptive attacks, but not to full leakage of the masking and transform configuration.
6. Relation to adjacent anti-tamper research
ATP belongs to a broader class of proactive integrity-protection methods that modify content before release so that later tampering becomes detectable or reversible. In image authentication, "Learning to Immunize Images for Tamper Localization and Self-Recovery" formulates image immunization as the introduction of trivial perturbation so that protected images are immune to tampering and can be auto-recovered, using an invertible neural network to jointly learn immunization and recovery (Ying et al., 2022). This is closely aligned with ATP at the mechanism level, although its emphasis is tamper localization and self-recovery rather than provider-side authorization for unauthorized generation.
In multimodal media, "LAVA: Layered Audio-Visual Anti-tampering Watermarking for Robust Deepfake Detection and Localization" uses proactive watermarking in audio and video, together with reliability gating, confidence-weighted fusion, and calibration-aware alignment, to localize tampering under compression and multimodal misalignment (Zeng et al., 27 Apr 2026). LAVA and ATP share the semi-fragile premise that a pre-inserted signal should survive benign transformations sufficiently for verification but should become unreliable under malicious modification. A plausible implication is that ATP and LAVA instantiate the same general design principle in different media settings: perturbation or watermark fragility is useful only when paired with explicit channel-reliability handling.
The term anti-tamper also appears in physical sensing systems. "Anti-Tamper Radio meets Reconfigurable Intelligent Surface for System-Level Tamper Detection" treats internal RF propagation as a programmable perturbation channel for detecting unauthorized physical alterations within a computing enclosure, with bandwidth reduction from several GHz to as low as $p = 0.5$7 and improved robustness to disturbances such as internal fan movements (Tabar et al., 18 Mar 2025). In another domain, inter-detector differential fuzz testing authenticates gamma spectrometers by replaying randomized configuration perturbations and comparing resulting spectral signatures against a baseline or a golden copy detector (Li et al., 30 Jan 2026). These works do not define ATP in the image-protection sense of (Li et al., 5 Aug 2025), but they broaden the anti-tamper perturbation idea from image-domain signaling to physical challenge-response mechanisms.
A further distinction is visible when ATP is contrasted with conventional adversarial training. "Learning with Multiplicative Perturbations" studies multiplicative masks $p = 0.5$8 for robustness training, and "Improving Adversarial Training using Vulnerability-Aware Perturbation Budget" assigns per-sample perturbation radii based on margin or output spread (Yang et al., 2019, Fakorede et al., 2024). These methods are perturbation-based, but their purpose is classifier robustness rather than anti-tamper authorization. ATP as defined in (Li et al., 5 Aug 2025) is therefore more accurately situated within proactive protection, semi-fragile verification, and service-level access control than within standard adversarial robustness.
The current ATP formulation also has explicit limitations. It is designed from the provider perspective, so if attackers run personalization locally on their own hardware, the verification stage can be bypassed and ATP reverts to ordinary protection perturbation (Li et al., 5 Aug 2025). The paper also notes that perturbations can become noticeable under magnification and identifies as a future direction the design of authorization perturbations whose disruption directly degrades generation results, removing the need for explicit verification (Li et al., 5 Aug 2025). These caveats indicate that ATP is not a universal anti-forgery primitive, but a targeted platform-side mechanism for converting purification attacks into detectable integrity violations.