Adversarial Perturbations Cannot Reliably Protect Artists From Generative AI

TL;DR

This paper challenges the effectiveness of adversarial perturbation-based protections (e.g., Glaze, Mist, Anti-DreamBooth) against generative AI style mimicry. It introduces a unified, rigorous evaluation protocol and a set of simple, off-the-shelf robust mimicry methods, including Gaussian noising, DiffPure, Noisy Upscaling, and IMPRESS++, to test protections under realistic attacker conditions. Through a comprehensive user study across ten artists, it shows that all existing protections can be bypassed, with Noisy Upscaling often achieving median success rates around or above 40%, effectively making protected artworks indistinguishable from unprotected baselines. The authors argue that adversarial perturbations cannot reliably shield artists and advocate adaptive evaluation and non-technological protective measures to mitigate misuse of generative AI in the art domain.

Abstract

Artists are increasingly concerned about advancements in image generation models that can closely replicate their unique artistic styles. In response, several protection tools against style mimicry have been developed that incorporate small adversarial perturbations into artworks published online. In this work, we evaluate the effectiveness of popular protections -- with millions of downloads -- and show they only provide a false sense of security. We find that low-effort and "off-the-shelf" techniques, such as image upscaling, are sufficient to create robust mimicry methods that significantly degrade existing protections. Through a user study, we demonstrate that all existing protections can be easily bypassed, leaving artists vulnerable to style mimicry. We caution that tools based on adversarial perturbations cannot reliably protect artists from the misuse of generative AI, and urge the development of alternative non-technological solutions.

Figures (33)

• Figure 1: Artists are vulnerable to style mimicry from generative models finetuned on their art. Existing protection tools add small perturbations to published artwork to prevent mimicry glazemistantidreambooth. However, these protections fail against robust mimicry methods, giving a false sense of security and leaving artists vulnerable. Artwork by @nulevoy (Stas Voloshin), reproduced with permission.
• Figure 2: The protections of Glaze glaze do not generalize across fine-tuning setups. We mimic the style of the contemporary artist @nulevoy from Glaze-protected images by using: (b) the finetuning script provided by Glaze authors; and (c) an alternative off-the-shelf finetuning script from HuggingFace. In both cases, we perform "naive" style mimicry with no effort to bypass Glaze's protections. Glaze protections are successful using finetuning from the original paper, but significantly degrade with our script. Our finetuning is also better for unprotected images (see Appendix \ref{['sec:glazebad-unp']}).
• Figure 3: Examples of robust style mimicry for two different artists: @greg-f (contemporary) and Edvard Munch (historical). Cherry-picked examples with strong protections and successful robust mimicry. We apply Noisy Upscaling for prompts: "a shoe" and "an astronaut riding a horse".
• Figure 4: Success rate per artist (N=10) on all mimicry scenarios. Box plots represent success rates for most protected, quartiles, median and least protected artists, respectively. Success rates around 50% indicate that robust mimicry outputs are indistinguishable in style and quality from mimicry outputs based on unprotected images. Best-of-4 selects the most successful method for each prompt.
• Figure 5: Randomly selected comparisons where all 5 annotators preferred mimicry from unprotected art over robust mimicry. Both use Noisy Upscaling for robust mimicry.