Fragile by Design: On the Limits of Adversarial Defenses in Personalized Generation
- URL: http://arxiv.org/abs/2511.10382v1
- Date: Fri, 14 Nov 2025 01:48:09 GMT
- Title: Fragile by Design: On the Limits of Adversarial Defenses in Personalized Generation
- Authors: Zhen Chen, Yi Zhang, Xiangyu Yin, Chengxuan Qin, Xingyu Zhao, Xiaowei Huang, Wenjie Ruan
- Abstract summary: Defense mechanisms like Anti-DreamBooth attempt to mitigate the risk of facial identity leakage. We identify two critical yet overlooked limitations of these methods. Results reveal that none of the current methods maintains their protective effectiveness under such threats.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Personalized AI applications such as DreamBooth enable the generation of customized content from user images, but also raise significant privacy concerns, particularly the risk of facial identity leakage. Recent defense mechanisms like Anti-DreamBooth attempt to mitigate this risk by injecting adversarial perturbations into user photos to prevent successful personalization. However, we identify two critical yet overlooked limitations of these methods. First, the adversarial examples often exhibit perceptible artifacts such as conspicuous patterns or stripes, making them easily detectable as manipulated content. Second, the perturbations are highly fragile, as even a simple, non-learned filter can effectively remove them, thereby restoring the model's ability to memorize and reproduce user identity. To investigate this vulnerability, we propose a novel evaluation framework, AntiDB_Purify, to systematically evaluate existing defenses under realistic purification threats, including both traditional image filters and adversarial purification. Results reveal that none of the current methods maintains their protective effectiveness under such threats. These findings highlight that current defenses offer a false sense of security and underscore the urgent need for more imperceptible and robust protections to safeguard user identity in personalized generation.
Related papers
- Adapter Shield: A Unified Framework with Built-in Authentication for Preventing Unauthorized Zero-Shot Image-to-Image Generation (2025-11-25T04:49:16Z)
  Zero-shot image-to-image generation poses substantial risks related to intellectual property violations. This work presents Adapter Shield, the first universal and authentication-integrated solution aimed at defending personal images from misuse. Our method surpasses existing state-of-the-art defenses in blocking unauthorized zero-shot image synthesis.
- Perturb a Model, Not an Image: Towards Robust Privacy Protection via Anti-Personalized Diffusion Models (2025-11-03T07:42:05Z)
  Recent advances in diffusion models have enabled high-quality synthesis of specific subjects, such as identities or objects. Personalization techniques can be misused by malicious users to generate unauthorized content. We introduce Direct Protective Optimization (DPO), a novel loss function that effectively disrupts subject personalization in the target model without compromising generative quality.
- Towards Robust Defense against Customization via Protective Perturbation Resistant to Diffusion-based Purification (2025-09-17T11:30:13Z)
  Protective perturbations mitigate image misuse by injecting imperceptible adversarial noise. Purification can remove protective perturbations, thereby exposing images again to the risk of malicious forgery. AntiPure embeds imperceptible perturbations that persist under representative purification settings, achieving effective post-customization distortion.
- Tit-for-Tat: Safeguarding Large Vision-Language Models Against Jailbreak Attacks via Adversarial Defense (2025-03-14T17:39:45Z)
  Large vision-language models (LVLMs) introduce a unique vulnerability: susceptibility to malicious attacks via visual inputs. We propose ESIII (Embedding Security Instructions Into Images), a novel methodology for transforming the visual space from a source of vulnerability into an active defense mechanism.
- PersGuard: Preventing Malicious Personalization via Backdoor Attacks on Pre-trained Text-to-Image Diffusion Models (2025-02-22T09:47:55Z)
  We introduce PersGuard, a novel backdoor-based approach that prevents malicious personalization of specific images. Our method significantly outperforms existing techniques, offering a more robust solution for privacy and copyright protection.
- ID-Guard: A Universal Framework for Combating Facial Manipulation via Breaking Identification (2024-09-20T09:30:08Z)
  Misuse of deep learning-based facial manipulation poses a significant threat to civil rights. To prevent this fraud at its source, proactive defense has been proposed to disrupt the manipulation process. This paper proposes a universal framework for combating facial manipulation, termed ID-Guard.
- Principles of Designing Robust Remote Face Anti-Spoofing Systems (2024-06-06T02:05:35Z)
  This paper sheds light on the vulnerabilities of state-of-the-art face anti-spoofing methods against digital attacks. It presents a comprehensive taxonomy of common threats encountered in face anti-spoofing systems.
- Invisible Backdoor Attack Through Singular Value Decomposition (2024-03-18T13:25:12Z)
  Backdoor attacks pose a serious security threat to deep neural networks (DNNs). To make triggers less perceptible and imperceptible, various invisible backdoor attacks have been proposed. This paper proposes an invisible backdoor attack called DEBA.
- Diff-Privacy: Diffusion-based Face Privacy Protection (2023-09-11T09:26:07Z)
  In this paper, we propose a novel face privacy protection method based on diffusion models, dubbed Diff-Privacy. Specifically, we train our proposed multi-scale image inversion module (MSI) to obtain a set of SDM format conditional embeddings of the original image. Based on the conditional embeddings, we design corresponding embedding scheduling strategies and construct different energy functions during the denoising process to achieve anonymization and visual identity information hiding.
- Scapegoat Generation for Privacy Protection from Deepfake (2023-03-06T06:52:00Z)
  We propose a new problem formulation for deepfake prevention: generating a "scapegoat image" by modifying the style of the original input. Even in the case of malicious deepfake, the privacy of the users is still protected.