Attack as Defense: Run-time Backdoor Implantation for Image Content Protection

TL;DR

This paper introduces a novel run-time backdoor implantation method to protect sensitive image content from unauthorized modifications by triggering failure in image editing models, without requiring model retraining.

Contribution

It presents the first efficient framework for run-time backdoor implantation that safeguards image content by using imperceptible perturbations as triggers, minimizing impact on legitimate edits.

Findings

Significantly increases CLIP-FID scores under malicious editing.

Reduces SSIM in malicious edits, indicating effective protection.

Maintains minimal impact on benign image editing.

Abstract

As generative models achieve great success, tampering and modifying the sensitive image contents (i.e., human faces, artist signatures, commercial logos, etc.) have induced a significant threat with social impact. The backdoor attack is a method that implants vulnerabilities in a target model, which can be activated through a trigger. In this work, we innovatively prevent the abuse of image content modification by implanting the backdoor into image-editing models. Once the protected sensitive content on an image is modified by an editing model, the backdoor will be triggered, making the editing fail. Unlike traditional backdoor attacks that use data poisoning, to enable protection on individual images and eliminate the need for model training, we developed the first framework for run-time backdoor implantation, which is both time- and resource- efficient. We generate imperceptible perturbations on the images to inject the backdoor and define the protected area as the only backdoor trigger. Editing other unprotected insensitive areas will not trigger the backdoor, which minimizes the negative impact on legal image modifications. Evaluations with state-of-the-art image editing models show that our protective method can increase the CLIP-FID of generated images from 12.72 to 39.91, or reduce the SSIM from 0.503 to 0.167 when subjected to malicious editing. At the same time, our method exhibits minimal impact on benign editing, which demonstrates the efficacy of our proposed framework. The proposed run-time backdoor can also achieve effective protection on the latest diffusion models. Code are available.