QUICK REVIEW

[Paper Review] Mist: Towards Improved Adversarial Examples for Diffusion Models

Chumeng Liang, Xiaoyu Wu|arXiv (Cornell University)|May 22, 2023
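Adversarial Robustness in Machine Learning | Cited by 9
One-sentence summary

Mist proposes a fused adversarial loss that combines a semantic loss with a textual loss to craft adversarial examples that are more transferable and more robust against diffusion-model-based artwork generation, and releases Mist as an open-source pipeline.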

ABSTRACT

Diffusion Models (DMs) have empowered great success in artificial-intelligence-generated content, especially in artwork creation, yet raising new concerns in intellectual properties and copyright. For example, infringers can make profits by imitating non-authorized human-created paintings with DMs. Recent researches suggest that various adversarial examples for diffusion models can be effective tools against these copyright infringements. However, current adversarial examples show weakness in transferability over different painting-imitating methods and robustness under straightforward adversarial defense, for example, noise purification. We surprisingly find that the transferability of adversarial examples can be significantly enhanced by exploiting a fused and modified adversarial loss term under consistent parameters. In this work, we comprehensively evaluate the cross-method transferability of adversarial examples. The experimental observation shows that our method generates more transferable adversarial examples with even stronger robustness against the simple adversarial defense.

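Motivation and goals

  • Motivate and provide methods for protecting against copyright-infringing artwork generated by diffusion models.
  • Develop adversarial examples that transfer across multiple DM-based imitation scenarios (textual inversion, DreamBooth, image-to-image).
  • Study how target image selection and loss fusion affect robustness and transferability.
  • Provide an open-source pipeline (Mist) for generating state-of-the-art adversarial examples.
  • Benchmark hyperparameters and target selection to give guidelines for robust, transferable attacks.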

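Proposed method

  • Reformulate two existing adversarial losses and fuse them into a joint objective for diffusion models.
  • Semantic loss: maximize the diffusion model's training loss by sampling latent variables, pushing the representation away from the semantic space.
  • Textual loss: using a latent diffusion model and PGD, maximize the distance between the encoder representations of the original image and the perturbed image.
  • Joint loss: fuse the semantic loss and the textual loss with a fusion weight to form a single objective for the perturbation.
  • Provide three Mist modes (semantic, textual, fused), with a configurable fusion weight w.
  • Empirically study how target image selection affects the robustness and transferability of the textual loss.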
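
The three modes and the L∞-bounded PGD loop described above, as an added example that is not from the paper or the Mist code base. A toy linear encoder and a shrinking denoiser (both constructed stand-ins) replace the latent diffusion model, and the fused form `semantic + w * textual` is an assumption, since the summary only says the two losses are combined with a weight w.

```python
import random

# Constructed stand-ins (assumptions): linear "encoder" A, fixed antithetic noise, toy image X0.
A = [[((i + 2 * j) % 5 + 1) / 10 for j in range(6)] for i in range(3)]
rng0 = random.Random(0)
HALF = [[rng0.gauss(0, 1) for _ in range(3)] for _ in range(4)]
NOISES = HALF + [[-e for e in n] for n in HALF]
X0 = [0.2, 0.5, 0.8, 0.4, 0.6, 0.3]

def encode(x):
    return [sum(a * v for a, v in zip(row, x)) for row in A]

def semantic_loss(x):
    # Monte Carlo estimate of the denoising loss ||eps_theta(z + eps) - eps||^2,
    z = encode(x)  # with the toy denoiser eps_theta(z_t) = 0.5 * z_t
    return sum(sum((0.5 * (zi + e) - e) ** 2 for zi, e in zip(z, eps))
               for eps in NOISES) / len(NOISES)

def textual_loss(x, x0):
    # Squared distance between encoder representations of perturbed and original image.
    return sum((a - b) ** 2 for a, b in zip(encode(x), encode(x0)))

def objective(x, x0, mode, w):
    if mode == "semantic":
        return semantic_loss(x)
    if mode == "textual":
        return textual_loss(x, x0)
    return semantic_loss(x) + w * textual_loss(x, x0)  # fused mode (assumed form)

def num_grad(f, x, h=1e-5):
    # Central differences stand in for autograd on a real model.
    g = []
    for i in range(len(x)):
        up, dn = list(x), list(x)
        up[i] += h
        dn[i] -= h
        g.append((f(up) - f(dn)) / (2 * h))
    return g

def mist_pgd(x0, mode="fused", w=1.0, eps=0.05, alpha=0.01, steps=20, seed=0):
    rng = random.Random(seed)
    # Random start inside the budget: the textual gradient is exactly zero at x0.
    x = [min(1.0, max(0.0, v + rng.uniform(-eps, eps))) for v in x0]
    for _ in range(steps):
        g = num_grad(lambda v: objective(v, x0, mode, w), x)
        x = [v + alpha * ((gi > 0) - (gi < 0)) for v, gi in zip(x, g)]  # signed ascent
        x = [min(max(v, o - eps), o + eps) for v, o in zip(x, x0)]  # project to L-inf ball
        x = [min(1.0, max(0.0, v)) for v in x]  # keep a valid pixel range
    return x
```
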
Figure 1: Effects of Mist under pre-trained scenarios. From left to right: Source images, generated images under textual inversion, generated images under dreambooth, generated images under scenario.gg. The first row: Source and generated images for Van Gogh’s paintings. The second row: Source and g

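Experimental results

Research questions

  • RQ1: Do adversarial examples crafted under one diffusion-model scenario transfer effectively to other DM-based painting-imitation tasks (DreamBooth, textual inversion, image-to-image)?
  • RQ2: Does combining the semantic and textual adversarial losses improve transferability and robustness across scenarios?
  • RQ3: How does the choice of target image affect the effectiveness and robustness of adversarial examples?
  • RQ4: What are the relative strengths of the semantic, textual, and fused Mist modes under different DM alignment scenarios?

Main findings

  • The fused loss combines the semantic and textual objectives and significantly improves transferability across DreamBooth, textual inversion, and image-to-image scenarios.
  • Mist outperforms the single-loss modes in transferability and is robust to simple defenses such as noise purification and crop-and-resize.
  • Semantic mode is strongest under textual inversion; textual mode excels under DreamBooth; fused mode gives balanced performance across scenarios.
  • Target image choice has a significant effect on attacks based on the textual loss; high-contrast, patterned targets (such as Target_Mist) tend to be more effective and robust.
  • With a suitable weight, Mist's fused mode can approach the strength of semantic mode under textual inversion while remaining robust under preprocessing.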
Figure 2: Effects of Mist under NovelAI image-to-image. From left to right: Source images, generated images with strength 0.25, generated images with strength 0.35, generated images with strength 0.5. The first row: Source and generated images for Monet’s paintings. The second row: Source and genera

This review was generated by AI and reviewed by a human editor.