On the Vulnerability of Concept Erasure in Diffusion Models
- URL: http://arxiv.org/abs/2502.17537v1
- Date: Mon, 24 Feb 2025 17:26:01 GMT
- Title: On the Vulnerability of Concept Erasure in Diffusion Models
- Authors: Lucas Beerens, Alex D. Richardson, Kaicheng Zhang, Dongdong Chen,
- Abstract summary: Research on machine unlearning has developed various concept erasure methods, which aim to remove the effect of unwanted data through post-hoc training. We show these erasure techniques are vulnerable, where images of supposedly erased concepts can still be generated using adversarially crafted prompts. We introduce RECORD, a coordinate-descent-based algorithm that discovers prompts capable of eliciting the generation of erased content.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: The proliferation of text-to-image diffusion models has raised significant privacy and security concerns, particularly regarding the generation of copyrighted or harmful images. To address these issues, research on machine unlearning has developed various concept erasure methods, which aim to remove the effect of unwanted data through post-hoc training. However, we show these erasure techniques are vulnerable, where images of supposedly erased concepts can still be generated using adversarially crafted prompts. We introduce RECORD, a coordinate-descent-based algorithm that discovers prompts capable of eliciting the generation of erased content. We demonstrate that RECORD significantly beats the attack success rate of current state-of-the-art attack methods. Furthermore, our findings reveal that models subjected to concept erasure are more susceptible to adversarial attacks than previously anticipated, highlighting the urgency for more robust unlearning approaches. We open source all our code at https://github.com/LucasBeerens/RECORD
Related papers
- Erased but Not Forgotten: How Backdoors Compromise Concept Erasure
  We introduce a new threat model, Toxic Erasure (ToxE), and demonstrate how recent unlearning algorithms can be circumvented through targeted backdoor attacks.
  For explicit content erasure, ToxE attacks can elicit up to 9 times more exposed body parts, with DISA yielding an average increase by a factor of 2.9.
  (2025-04-29T16:13:06Z)
- TRCE: Towards Reliable Malicious Concept Erasure in Text-to-Image Diffusion Models
  Recent advances in text-to-image diffusion models enable photorealistic image generation, but they also risk producing malicious content, such as NSFW images.
  To mitigate risk, concept erasure methods are studied to facilitate the model to unlearn specific concepts.
  We propose TRCE, using a two-stage concept erasure strategy to achieve an effective trade-off between reliable erasure and knowledge preservation.
  (2025-03-10T14:37:53Z)
- TraSCE: Trajectory Steering for Concept Erasure
  Text-to-image diffusion models have been shown to generate harmful content such as not-safe-for-work (NSFW) images.
  We propose TraSCE, an approach to guide the diffusion trajectory away from generating harmful content.
  (2024-12-10T16:45:03Z)
- Reliable and Efficient Concept Erasure of Text-to-Image Diffusion Models
  We introduce Reliable and Efficient Concept Erasure (RECE), a novel approach that modifies the model in 3 seconds without necessitating additional fine-tuning.
  To mitigate inappropriate content potentially represented by derived embeddings, RECE aligns them with harmless concepts in cross-attention layers.
  The derivation and erasure of new representation embeddings are conducted iteratively to achieve a thorough erasure of inappropriate concepts.
  (2024-07-17T08:04:28Z)
- Rethinking and Defending Protective Perturbation in Personalized Diffusion Models
  We study the fine-tuning process of personalized diffusion models (PDMs) through the lens of shortcut learning.
  PDMs are susceptible to minor adversarial perturbations, leading to significant degradation when fine-tuned on corrupted datasets.
  We propose a systematic defense framework that includes data purification and contrastive decoupling learning.
  (2024-06-27T07:14:14Z)
- Six-CD: Benchmarking Concept Removals for Benign Text-to-image Diffusion Models
  Text-to-image (T2I) diffusion models have shown exceptional capabilities in generating images that closely correspond to textual prompts.
  The models could be exploited for malicious purposes, such as generating images with violence or nudity, or creating unauthorized portraits of public figures in inappropriate contexts.
  Concept removal methods have been proposed to modify diffusion models to prevent the generation of malicious and unwanted concepts.
  (2024-06-21T03:58:44Z)
- Unveiling and Mitigating Memorization in Text-to-image Diffusion Models through Cross Attention
  Research indicates that text-to-image diffusion models replicate images from their training data, raising tremendous concerns about potential copyright infringement and privacy risks.
  We reveal that during memorization, the cross-attention tends to focus disproportionately on the embeddings of specific tokens.
  We introduce an innovative approach to detect and mitigate memorization in diffusion models.
  (2024-03-17T01:27:00Z)
- A Dataset and Benchmark for Copyright Infringement Unlearning from Text-to-Image Diffusion Models
  Copyright law confers creators the exclusive rights to reproduce, distribute, and monetize their creative works.
  Recent progress in text-to-image generation has introduced formidable challenges to copyright enforcement.
  We introduce a novel pipeline that harmonizes CLIP, ChatGPT, and diffusion models to curate a dataset.
  (2024-01-04T11:14:01Z)
- To Generate or Not? Safety-Driven Unlearned Diffusion Models Are Still Easy To Generate Unsafe Images ... For Now
  Diffusion models (DMs) have revolutionized the generation of realistic and complex images.
  DMs also introduce potential safety hazards, such as producing harmful content and infringing data copyrights.
  Despite the development of safety-driven unlearning techniques, doubts about their efficacy persist.
  (2023-10-18T10:36:34Z)
- Towards Safe Self-Distillation of Internet-Scale Text-to-Image Diffusion Models
  We propose a method called SDD to prevent problematic content generation in text-to-image diffusion models.
  Our method eliminates a much greater proportion of harmful content from the generated images without degrading the overall image quality.
  (2023-07-12T07:48:29Z)
- Generative Model-Based Attack on Learnable Image Encryption for Privacy-Preserving Deep Learning
  We propose a novel generative model-based attack on learnable image encryption methods proposed for privacy-preserving deep learning.
  We use two state-of-the-art generative models: a StyleGAN-based model and latent diffusion-based one.
  Results show that images reconstructed by the proposed method have perceptual similarities to plain images.
  (2023-03-09T05:00:17Z)