Securing Deep Generative Models with Universal Adversarial Signature
Yu Zeng, Mo Zhou, Yuan Xue, Vishal M. Patel

TL;DR
This paper introduces a universal adversarial signature that can be embedded into any pre-trained generative model to improve the detection and traceability of generated images across different models.
Contribution
It proposes a novel method to inject a universal adversarial signature into generative models, enhancing their detectability and traceability without affecting image quality.
Findings
Effective detection rate on FFHQ and ImageNet datasets
Universal signature generalizes to unseen models
Method is compatible with various state-of-the-art generators
Abstract
Recent advances in deep generative models have led to the development of methods capable of synthesizing high-quality, realistic images. These models pose threats to society due to their potential misuse. Prior research attempted to mitigate these threats by detecting generated images, but the varying traces left by different generative models make it challenging to create a universal detector capable of generalizing to new, unseen generative models. In this paper, we propose to inject a universal adversarial signature into an arbitrary pre-trained generative model, in order to make its generated contents more detectable and traceable. First, the imperceptible optimal signature for each image can be found by a signature injector through adversarial training. Subsequently, the signature can be incorporated into an arbitrary generator by fine-tuning it with the images processed by the…
Peer Reviews
Decision · Submitted to ICLR 2024
The motivation is explained clearly. The paper is well-written.
The performance with or without the adversarial signature should be presented. The term universal is used incorrectly since the signature depends on each image.
1) The paper deals with an important problem regarding the safety of generative models and proposes an innovative solution. 2) The proposed solution intuitively makes sense and is also feasible in practice. 3) The paper is well-written and easy to follow.
There are five main concerns about the proposed solution. 1) Firstly, the model F has been primarily described as a binary classifier whose goal is to distinguish between real images and "signed" synthetic images. What happens when the classifier F is fed with an "unsigned" synthetic image (i.e., an image generated from the original generator instead of the finetuned generator)? Shouldn't it be trained in such a way to detect "unsigned" synthetic images to the best possible extent along with "s
(1) This paper introduces adversarial examples into the detection of images generated by generative models, combined with joint training and watermark fine-tuning, which is novel; (2) For the generation model, this paper investigates the latest diffusion-based generation model, which is of good practical significance under the common use of AIGC nowadays; (3) This paper is well-structured and logical. The author reviews the effectiveness and limitations of the proposed method from multiple per
(1) The two SOTA detection methods compared in the experiment are against the CNN-based and GAN-based generative model, whether there is any relevant paper for the watermarking of the diffusion model at present, if so, please supplement; (2) Missing a lot of experimental data on ImageNet, please add results comparing with SOTA on ImageNet; (3) Some formatting issues: (1) Please cite the graphs in order; (2) Please distinguish between periods and semicolons within the algorithm; (3) Please give t
Taxonomy
Topics: Generative Adversarial Networks and Image Synthesis · Digital Media Forensic Detection · Face recognition and analysis
