CAT: Contrastive Adversarial Training for Evaluating the Robustness of Protective Perturbations in Latent Diffusion Models

TL;DR

This paper introduces Contrastive Adversarial Training (CAT), a method to evaluate and improve the robustness of protective perturbations in latent diffusion models, revealing vulnerabilities and urging better defenses.

Contribution

We propose CAT, a novel adaptive attack method that exposes weaknesses in existing protective perturbations for latent diffusion models, highlighting the need for more robust defenses.

Findings

CAT significantly reduces the effectiveness of protective perturbations

Latent representation distortion is key to adversarial effectiveness

Existing protections lack robustness against adaptive attacks

Abstract

Latent diffusion models have recently demonstrated superior capabilities in many downstream image synthesis tasks. However, customization of latent diffusion models using unauthorized data can severely compromise the privacy and intellectual property rights of data owners. Adversarial examples as protective perturbations have been developed to defend against unauthorized data usage by introducing imperceptible noise to customization samples, preventing diffusion models from effectively learning them. In this paper, we first reveal that the primary reason adversarial examples are effective as protective perturbations in latent diffusion models is the distortion of their latent representations, as demonstrated through qualitative and quantitative experiments. We then propose the Contrastive Adversarial Training (CAT) utilizing lightweight adapters as an adaptive attack against these protection methods, highlighting their lack of robustness. Extensive experiments demonstrate that our CAT method significantly reduces the effectiveness of protective perturbations in customization, urging the community to reconsider and improve the robustness of existing protective perturbations. The code is available at https://github.com/senp98/CAT.