Disrupting Diffusion: Token-Level Attention Erasure Attack against Diffusion-based Customization

TL;DR

Diffusion-based customization enables personalized image generation, but poses privacy risks when subject identifiers are embedded in prompts. The authors propose DisDiff, a proactive adversarial attack combining Cross-Attention Erasure to disrupt subject-token guidance and a Merit Sampling Scheduler to adapt PGD updates along diffusion timesteps. The training objective combines $L_{DB}$ and $L_{CAE}$ as $L_{DisDiff}=L_{DB}+ L_{CAE}$, with a time-aware PGD step size $h(t)=\frac{1}{2}(\cos(\frac{\pi t}{T})+1)$. Empirical results on CelebA-HQ and VGGFace2 show DisDiff outperforms state-of-the-art baselines across $FDFR$, $ISM$, $FID$, and $BRISQUE$, indicating stronger privacy protection with manageable perceptual quality loss.

Abstract

With the development of diffusion-based customization methods like DreamBooth, individuals now have access to train the models that can generate their personalized images. Despite the convenience, malicious users have misused these techniques to create fake images, thereby triggering a privacy security crisis. In light of this, proactive adversarial attacks are proposed to protect users against customization. The adversarial examples are trained to distort the customization model's outputs and thus block the misuse. In this paper, we propose DisDiff (Disrupting Diffusion), a novel adversarial attack method to disrupt the diffusion model outputs. We first delve into the intrinsic image-text relationships, well-known as cross-attention, and empirically find that the subject-identifier token plays an important role in guiding image generation. Thus, we propose the Cross-Attention Erasure module to explicitly "erase" the indicated attention maps and disrupt the text guidance. Besides,we analyze the influence of the sampling process of the diffusion model on Projected Gradient Descent (PGD) attack and introduce a novel Merit Sampling Scheduler to adaptively modulate the perturbation updating amplitude in a step-aware manner. Our DisDiff outperforms the state-of-the-art methods by 12.75% of FDFR scores and 7.25% of ISM scores across two facial benchmarks and two commonly used prompts on average.

Figures (7)

• Figure 1: Comparison of DreamBooth, Anti-DreamBooth with DisDiff. The first row shows the unprotected DreamBooth, which learns from the subjects and generates them into different scenes. The second row shows the protected results. Protected by Anti-DreamBooth, the face is still identified. Our DisDiff achieves unidentified or even unrecognized outputs, boosting the protection performances.
• Figure 2: The overview framework of Disrupting Diffusion. The prompt "a photo of sks person" is used for training. At every denoising process, we acquire the attention maps of the subject to calculate $L_{DB}$ and $L_{CAE}$. Then, the gradients are aggregated and fed into the Merit Sampling Scheduler, which is used for PGD attack to update $x_{adv}$.
• Figure 3: Visualizations of cross-attention maps from unprotected DreamBooth and DisDiff. For the unprotected ones, the diffusion model captures the subject-identifier token "sks" (highlighted red areas on the face) and generates customized images. However, DisDiff erases the model's attention on that token and dramatically distorts the model's outputs.
• Figure 4: Analysis of varying timesteps. As the timestep becomes larger, not only does the HQS metric significantly decrease but also the model pays more attention to identity-irrelevant information, illustrating that the steps in the former are more important for perturbation training.
• Figure 5: Comparison under other inference prompts. Four rows show different image edit prompts: distance, expression, action, and location, respectively.