[论文解读] Watermarking Diffusion Model
本文提出两种水印方案 NaiveWM 和 FixedWM,通过提示词触发嵌入并验证潜在扩散模型(LDM)的所有权,评估模型效用与水印鲁棒性。
The availability and accessibility of diffusion models (DMs) have significantly increased in recent years, making them a popular tool for analyzing and predicting the spread of information, behaviors, or phenomena through a population. Particularly, text-to-image diffusion models (e.g., DALLE 2 and Latent Diffusion Models (LDMs) have gained significant attention in recent years for their ability to generate high-quality images and perform various image synthesis tasks. Despite their widespread adoption in many fields, DMs are often susceptible to various intellectual property violations. These can include not only copyright infringement but also more subtle forms of misappropriation, such as unauthorized use or modification of the model. Therefore, DM owners must be aware of these potential risks and take appropriate steps to protect their models. In this work, we are the first to protect the intellectual property of DMs. We propose a simple but effective watermarking scheme that injects the watermark into the DMs and can be verified by the pre-defined prompts. In particular, we propose two different watermarking methods, namely NAIVEWM and FIXEDWM. The NAIVEWM method injects the watermark into the LDMs and activates it using a prompt containing the watermark. On the other hand, the FIXEDWM is considered more advanced and stealthy compared to the NAIVEWM, as it can only activate the watermark when using a prompt containing a trigger in a fixed position. We conducted a rigorous evaluation of both approaches, demonstrating their effectiveness in watermark injection and verification with minimal impact on the LDM's functionality.
研究动机与目标
- 为扩散模型的知识产权保护提供动机,并解决在不降低模型效用的前提下对 LDM 进行水印嵌入的挑战。
- 提出两种水印方案(NaiveWM 和 FixedWM),通过提示注入并验证水印。
- 开发评估框架,在各种攻击情景下评估水印鲁棒性、对效用的影响与可扩展性。
- 在使用 MS COCO 数据的预训练潜在扩散模型(LDM)上展示水印方案的可行性与隐蔽性。
提出的方法
- 通过对预训练的 LDM 进行微调,使用触发提示来实现水印嵌入输出。
- NaiveWM 在提示中插入水印触发,并用水印图像对对 LDM 进行微调。
- FixedWM 通过将水印激活限定在提示中的固定触发位置来增强隐蔽性。
- 评估使用 MS COCO 数据集及多种图像质量指标(FID、SSIM、PSNR、VIFp、FSIM)来评估效用与水印质量。
- 通过原始图像与水印图像之间的均方误差(MSE)及触发长度和中毒比例的消融来衡量水印性能。
- 该方法依赖文本编码器标记化(如 BERT)在扩散过程条件化阶段注入与检测触发器。
实验结果
研究问题
- RQ1RQ1: NaiveWM 与 FixedWM 在水印嵌入后是否能保留 LDM 的效用?
- RQ2RQ2: NaiveWM 与 FixedWM 能否在验证阶段可靠触发水印图像?
- RQ3RQ3: 中毒比例和触发长度如何影响水印有效性与模型效用?
- RQ4RQ4: 水印隐蔽性与激活可靠性之间的权衡如何?
主要发现
| Model | FID ↓ | SSIM ↑ | PSNR ↑ | VIFp ↑ | FSIM ↑ |
|---|---|---|---|---|---|
| Baseline | 28.265 | 0.114 ± 0.084 | 32.604 ± 1.616 | 0.013 ± 0.009 | 0.289 ± 0.026 |
| NaiveWM | 29.456 | 0.110 ± 0.079 | 32.674 ± 1.635 | 0.014 ± 0.011 | 0.286 ± 0.024 |
| FixedWM_clean | 31.690 | 0.107 ± 0.078 | 32.623 ± 1.616 | 0.013 ± 0.009 | 0.286 ± 0.023 |
| FixedWM_other | 32.468 | 0.107 ± 0.079 | 32.656 ± 1.655 | 0.014 ± 0.010 | 0.285 ± 0.024 |
- NaiveWM 与 FixedWM 在相对于基线模型的 modest degradation 下维持模型效用。
- NaiveWM 与 FixedWM 能生成与目标输出高度相似的水印图像,水印图像的 MSE 低(约 0.118–0.121)。
- 水印嵌入对效用的损失有限,在某些设定下 NaiveWM 的 FID 略增、FixedWM 变体增幅更大。
- 增加中毒比例和触发长度通常会降低图像质量和水印可检测性,呈现水印强度与效用之间的权衡。
- FixedWM 的触发位置约束提供了增强的隐蔽性,但在较长的触发长度下可能降低水印有效性。
- 一个实际的水印框架展示了可行性,在多种指标(FID、SSIM、PSNR、VIFp、FSIM)上给出定量结果。
更好的研究,从现在开始
从论文设计到论文写作,大幅缩短您的研究时间。
无需绑定信用卡
本解读由 AI 生成,并经人工编辑审核。