CopyrightShield: Enhancing Diffusion Model Security against Copyright Infringement Attacks

TL;DR

CopyrightShield is a novel defense framework that detects and mitigates copyright infringement attacks on diffusion models by identifying poisoned samples and reducing memorization of infringing features, significantly improving security.

Contribution

The paper introduces CopyrightShield, a comprehensive defense method combining poisoned sample detection and adaptive training to protect diffusion models from copyright infringement attacks.

Findings

Significantly improved detection of poisoned samples with an F1-score of 0.665.

Retarded the First-Attack Epoch by 115.2%, delaying attack effectiveness.

Reduced copyright infringement rate by 56.7%, outperforming state-of-the-art defenses.

Abstract

Diffusion models have attracted significant attention due to its exceptional data generation capabilities in fields such as image synthesis. However, recent studies have shown that diffusion models are vulnerable to copyright infringement attacks, where attackers inject strategically modified non-infringing images into the training set, inducing the model to generate infringing content under the prompt of specific poisoned captions. To address this issue, we first propose a defense framework, CopyrightShield, to defend against the above attack. Specifically, we analyze the memorization mechanism of diffusion models and find that attacks exploit the model's overfitting to specific spatial positions and prompts, causing it to reproduce poisoned samples under backdoor triggers. Based on this, we propose a poisoned sample detection method using spatial masking and data attribution to quantify poisoning risk and accurately identify hidden backdoor samples. To further mitigate memorization of poisoned features, we introduce an adaptive optimization strategy that integrates a dynamic penalty term into the training loss, reducing reliance on infringing features while preserving generative performance. Experimental results demonstrate that CopyrightShield significantly improves poisoned sample detection performance across two attack scenarios, achieving average F1-scores of 0.665, retarding the First-Attack Epoch (FAE) of 115.2% and decreasing the Copyright Infringement Rate (CIR) by 56.7%. Compared to the SoTA backdoor defense in diffusion models, the defense effect is improved by about 25%, showcasing its superiority and practicality in enhancing the security of diffusion models.