JPEG Compressed Images Can Bypass Protections Against AI Editing

Salman et al. (2023) propose methods for protecting images against manipulation by Stable Diffusion (Rombach et al., 2022). Their software, photoguard, protects images against manipulation by adding an imperceptible adversarial perturbation designed to force a target diffusion model to generate unrealistic images. The authors propose two different protection techniques: an encoder attack and a diffusion attack.

Encoder attack. The goal is to find an imperceptible perturbation $\delta_{\rm encoder}$ that, when added to the original image, results in a protected image that the SDM considers similar to a gray target image:

$$\delta_{\rm encoder}=\operatorname*{arg\,min}_{\|\delta\|_{\infty}\leq\epsilon}\|E(x+\delta)-z_{\rm target}\|_{2}^{2}$$

(1)

where $x$ is the image to be protected, $z_{\rm target}$ is some target latent representation, and $E$ is the image encoder. For a $512\times 512\times 3$ dimensional image, $\epsilon=0.1$ and 40 steps of PGD with step-size $\frac{0.1}{40}\times 6$ is used to solve the optimization.

Diffusion attack. The goal is to find an imperceptible perturbation $\delta_{\rm diffusion}$ that, when added to the original image, results in a protected image that targets the diffusion process itself.

$$\delta_{\rm diffusion}=\operatorname*{arg\,min}_{\|\delta\|_{\infty}\leq\epsilon}\|f(x+\delta)-x_{\rm target}\|_{2}^{2}$$

(2)

where $f$ is the SDM, $x$ is the image to be protected, $x_{\rm target}$ is the target image to be generated. Eq. 2 is solved approximately using PGD, backpropagating through only $4$ diffusion steps due to GPU memory requirements (Salman et al., 2023).

Salman et al. (2023) note that photoguard’s effectiveness may diminish when protected images undergo transformations, and propose methods for making the imperceptible perturbation more robust (Athalye et al., 2018). Protecting images using an imperceptible perturbation optimized using either of the attacks of Section 1.1 is a interesting and novel contribution, but our research has found it is more brittle than expected to JPEG distortion, which poses a major weakness due to the common usage and availability of JPEG. Previous work has shown that a differentiable JPEG module can be added to the loss function to create JPEG-resistant adversarial examples (Shin & Song, 2017). One can imagine making a similar, simple modification to Eq. 1 and Eq. 2 so that the perturbations are JPEG-resistant. But the question remains: how many times does one want to continue the back and forth between the data protector and adversary?

Shan et al. (2023) propose a method to prevent fine-tuned diffusion models from learning a particular artist’s style. In essence, imperceptible perturbations are optimized so that SDM finetuning on protected artist images, in the manner described by DreamBooth (Ruiz et al., 2022), is unsuccessful. In this way, new images generated by the finetuned model are unable to replicate the style captured in the protected subset of artist images. The proposed solution is unique and the authors perform experiments to test the robustness of their perturbations to Gaussian noise and JPEG image compression. However, only three compression levels between $20$ and $10$ are considered. Our experiments suggest that considering more subtle compression levels (e.g., between compression levels $95$ and $65$) are necessary. Excessive compression, even without the use of optimized imperceptible perturbations, could potentially damage the image to the extent that the style appears to not have been replicated.

Evaluating whether generated images replicate a particular style, or whether generated content satisfies some other criteria in general, presents a challenge due to its subjective nature. Our experiments suggest that imperceptible perturbations must possess greater robustness against a wider range of image transformations than those commonly considered, as final transformations could be made by a malicious actor.

Given a source image (e.g., an image of a dog in the grass) and a text prompt (e.g., “dog under heavy rain and muddy ground real”), SDM can edit the source image to match the prompt. In Figure 1, we show that when the photoguard-protected image (from the Encoder attack) is used as the source, the edited image no longer maintains the original subject and the dog’s front paw seems to blend with some kind of foam. However, if we JPEG compress the photoguard image with quality of 65, the edited image looks like the edit from the original, and is potentially even more faithful to the text prompt due to the more prominent rain.

To perform inpainting, SDM is conditioned on both a source image and a mask indicating the regions of the image that are to remain unedited. In the last row of Figure 3, we show that an adversary can take a JPEG compressed photoguard image (from the Diffusion attack) and generate a new image that contains more realistic background and clothing.

We explore the effect that JPEG compression of varying quality has on the resulting edited image in Figure 2 for the Encoder attack and Figure 4 for the Diffusion attack, finding that there exists a compression level range in which image editing performs well. If the photoguard perturbations were mostly high-frequency, using a Gaussian blur should also be effective at restoring an adversary’s editing abilities. However, in Appendix A.1 we find that Gaussian and median blurs are ineffective. Other simple image transforms like rotations and flips (Appendix A.2) are also ineffective. This is likely because the image encoder is mostly invariant to these transforms. While these simpler transforms were unsuccessful, we believe they should still be part of extensive robustness evaluations of future methods utilizing imperceptible perturbations. JPEG’s ability to undermine the protective perturbation highlights the transforms’ uniqueness in eliminating the perturbation while maintaining important semantic content.

Prior work has shown that JPEG could be used as a reasonable pre-processing step to defend against adversarial examples (Das et al., 2017), but such pre-processing defenses are not as robust to adaptive attackers, which go last in the classical game of adversarial examples. As pointed out in Salman et al. (2023), this could imply that an approach like photoguard could be improved to be robust against these transformations. Yet, we want to highlight that the game between attack and defense is flipped for data modifications, a modification like photoguard has to anticipate future adaptive attacks that scrub it, and previous results on robustness of adversarial attacks might not apply.