Rethinking and Red-Teaming Protective Perturbation in Personalized Diffusion Models

TL;DR

This paper analyzes vulnerabilities in personalized diffusion models, revealing how adversarial perturbations cause latent misalignment and proposing a framework to improve protection against such attacks.

Contribution

It uncovers shortcut learning vulnerabilities in PDMs and introduces a systematic red-teaming framework with data purification and contrastive decoupling learning.

Findings

Adversarial perturbations induce latent-space misalignment in PDMs.

The proposed framework outperforms existing purification methods.

The approach enhances robustness against adaptive perturbations.

Abstract

Personalized diffusion models (PDMs) have become prominent for adapting pre-trained text-to-image models to generate images of specific subjects using minimal training data. However, PDMs are susceptible to minor adversarial perturbations, leading to significant degradation when fine-tuned on corrupted datasets. These vulnerabilities are exploited to create protective perturbations that prevent unauthorized image generation. Existing purification methods attempt to red-team the protective perturbation to break the protection but often over-purify images, resulting in information loss. In this work, we conduct an in-depth analysis of the fine-tuning process of PDMs through the lens of shortcut learning. We hypothesize and empirically demonstrate that adversarial perturbations induce a latent-space misalignment between images and their text prompts in the CLIP embedding space. This misalignment causes the model to erroneously associate noisy patterns with unique identifiers during fine-tuning, resulting in poor generalization. Based on these insights, we propose a systematic red-teaming framework that includes data purification and contrastive decoupling learning. We first employ off-the-shelf image restoration techniques to realign images with their original semantic content in latent space. Then, we introduce contrastive decoupling learning with noise tokens to decouple the learning of personalized concepts from spurious noise patterns. Our study not only uncovers shortcut learning vulnerabilities in PDMs but also provides a thorough evaluation framework for developing stronger protection. Our extensive evaluation demonstrates its advantages over existing purification methods and its robustness against adaptive perturbations.