Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

IMMA: Immunizing text-to-image Models against Malicious Adaptation

Amber Yijia Zheng, Raymond A. Yeh

TL;DR

IMMA is proposed to ``immunize'' the model by learning model parameters that are difficult for the adaptation methods when fine-tuning malicious content; in short IMMA should be applied before the release of the model weights to mitigate these risks.

Abstract

Advancements in open-sourced text-to-image models and fine-tuning methods have led to the increasing risk of malicious adaptation, i.e., fine-tuning to generate harmful/unauthorized content. Recent works, e.g., Glaze or MIST, have developed data-poisoning techniques which protect the data against adaptation methods. In this work, we consider an alternative paradigm for protection. We propose to ``immunize'' the model by learning model parameters that are difficult for the adaptation methods when fine-tuning malicious content; in short IMMA. Specifically, IMMA should be applied before the release of the model weights to mitigate these risks. Empirical results show IMMA's effectiveness against malicious adaptations, including mimicking the artistic style and learning of inappropriate/unauthorized content, over three adaptation methods: LoRA, Textual-Inversion, and DreamBooth. The code is available at \url{https://github.com/amberyzheng/IMMA}.

IMMA: Immunizing text-to-image Models against Malicious Adaptation

TL;DR

IMMA is proposed to ``immunize'' the model by learning model parameters that are difficult for the adaptation methods when fine-tuning malicious content; in short IMMA should be applied before the release of the model weights to mitigate these risks.

Abstract

Advancements in open-sourced text-to-image models and fine-tuning methods have led to the increasing risk of malicious adaptation, i.e., fine-tuning to generate harmful/unauthorized content. Recent works, e.g., Glaze or MIST, have developed data-poisoning techniques which protect the data against adaptation methods. In this work, we consider an alternative paradigm for protection. We propose to ``immunize'' the model by learning model parameters that are difficult for the adaptation methods when fine-tuning malicious content; in short IMMA. Specifically, IMMA should be applied before the release of the model weights to mitigate these risks. Empirical results show IMMA's effectiveness against malicious adaptations, including mimicking the artistic style and learning of inappropriate/unauthorized content, over three adaptation methods: LoRA, Textual-Inversion, and DreamBooth. The code is available at \url{https://github.com/amberyzheng/IMMA}.
Paper Structure (22 sections, 7 equations, 30 figures, 5 tables, 1 algorithm)

This paper contains 22 sections, 7 equations, 30 figures, 5 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Preliminaries
  4. Approach
  5. Model immunization
  6. Applications of model immunization
  7. Experiments
  8. Immunizing erased models against re-learning
  9. Immunizing against personalized content
  10. Additional discussion
  11. Conclusion
  12. Additional quantitative results
  13. Comparison with data poisoning method
  14. Additional quantitative results of IMMA
  15. IMMA for multiple concepts
  16. ...and 7 more sections

Figures (30)

  • Figure 1: IMMA on artistic style mimicry. Higher $1-\text{LPIPS}$ indicates more similar to the reference images. IMMA successfully prevented the mimicking of the artistic style.
  • Figure 1: SGR$\uparrow$(%) on artistic styles for ESD with LoRA adaptation.
  • Figure 2: Paradigms for preventing malicious adaptation. Data poisoning: modify training images ${\mathbf{x}}'$ with imperceivable changes, such that ${\mathcal{A}}$ fails to capture ${\mathbf{c}}'$ by training with modified images. Model immunization (ours): modify pre-trained model weights $\theta^p$ with immunization methods ${\mathcal{I}}$ before adaptation ${\mathcal{A}}$, such that ${\mathcal{A}}$ fails to capture ${\mathbf{c}}'$ by training on immunized model weights ${\mathcal{I}}(\theta^p)$.
  • Figure 2: SGR$\uparrow$(%) on objects for ESD with LoRA adaptation.
  • Figure 3: IMMA's result against re-learning.
  • ...and 25 more figures