SC-Pro: Training-Free Framework for Defending Unsafe Image Synthesis Attack

TL;DR

Diffusion-based image generation risks NSFW content bypassing safety checks. The authors introduce SC-Pro, a training-free defense that probes perturbed inputs—latent vectors, prompt embeddings, and image embeddings—using spherical or circular perturbations to detect unsafe outputs, computed as $ \mathcal{S}_{f,\mathcal{M}}(\lambda)=\mathbb{E}_{\lambda\in P_{\psi,k}}[f(\mathcal{M}(\lambda))]$ and decided via $\mathcal{F}^*_{f,\mathcal{M}}(\lambda)$ against a threshold $\mathcal{S}_{th}$. SC-Pro demonstrates strong protection for both T2I and I2I diffusion models across multiple safeties and attacks, and is designed as a plug-in with no training requirements. To improve practicality, SC-Pro-o leverages distilled one-step diffusion models to achieve roughly 30× throughput gains while maintaining robust detection, benefiting deployment in real-time or resource-constrained settings. Collectively, these methods offer a scalable, model-agnostic approach to safer diffusion-based content generation with broad applicability and significant efficiency gains.

Abstract

With advances in diffusion models, image generation has shown significant performance improvements. This raises concerns about the potential abuse of image generation, such as the creation of explicit or violent images, commonly referred to as Not Safe For Work (NSFW) content. To address this, the Stable Diffusion model includes several safety checkers to censor initial text prompts and final output images generated from the model. However, recent research has shown that these safety checkers have vulnerabilities against adversarial attacks, allowing them to generate NSFW images. In this paper, we find that these adversarial attacks are not robust to small changes in text prompts or input latents. Based on this, we propose SC-Pro (Spherical or Circular Probing), a training-free framework that easily defends against adversarial attacks generating NSFW images. Moreover, we develop an approach that utilizes one-step diffusion models for efficient NSFW detection (SC-Pro-o), further reducing computational resources. We demonstrate the superiority of our method in terms of performance and applicability.

Figures (11)

• Figure 1: Proposed SC-Pro for safe diffusion models. Adversarial attacks can generate NSFW images that undermine the safety of generative systems. To address this, we propose Spherical or Circular Probing (SC-Pro), a defense mechanism designed to mitigate adversarial attacks and ensure the safe use of T2I and I2I diffusion models. Our method is training-free, allowing easy application to a variety of diffusion models and safety strategies.
• Figure 2: Attacks on T2I and I2I models. Due to the differences in input types between T2I and I2I models, adversarial attack methods differ according to target tasks. For T2I models, adversarial attacks focus only on manipulating the text prompt, whereas for I2I models, attacks target both the text prompt and the image input.
• Figure 3: Example of images with image embedding probing. The center image is the original generated image with the MMA diffusion attack mma, which bypasses the safety checker, SD-SC sd15. However, some images with image embedding distortions are detected by SD-SC.
• Figure 4: Overview of SC-Pro. In the SC-Pro framework, we apply multiple perturbations to one of three elements: prompt embedding, image embedding, or latent. We then perform safety checks on the images generated from these perturbed inputs. If the ratio of images that the safety checker classifies as NSFW exceeds a specified threshold, our framework concludes that an adversarial attack has occurred.
• Figure 5: Two types of probing methods. In spherical probing, random noise is added to the original latent, prompt embedding, or image embedding (represented by the point with the red face icon), resulting in points on a hypersphere. In circular probing, two random vectors define a plane where the circular path for probing is defined. Red and green areas indicate regions where generated images are classified as NSFW and safe, respectively.