
Towards Effective Prompt Stealing Attack against Text-to-Image Diffusion Models

Shiqian Zhao, Chong Wang, Yiming Li, Yihao Huang, Wenjie Qu, Siew-Kei Lam, Yi Xie, Kangjie Chen, Jie Zhang, Tianwei Zhang

TL;DR

This paper tackles the economic and security risks of prompt ownership by presenting Prometheus, a training-free, proxy-in-the-loop prompt-stealing attack against text-to-image diffusion models. It introduces three innovations—dynamic modifiers, contextual matching, and a greedy proxy-query loop—to reconstruct high-fidelity prompts from showcases on prompt markets. Empirical results across real-world prompts (e.g., PromptBase, AIFrog) and victim models (Midjourney, DALL·E, Leonardo.ai) show Prometheus achieves higher image_semantic_similarity, image_perception_similarity, and prompt_semantic_similarity with substantial ASR gains, while remaining robust against several defenses. The work highlights practical risks to prompt IP in commercial T2I ecosystems and proposes defensive avenues (including PromptGuard) alongside a discussion of limitations and future directions for more resilient safeguards.

Abstract

Text-to-Image (T2I) models, represented by DALL·E and Midjourney, have gained huge popularity for creating realistic images. The quality of these images relies on the carefully engineered prompts, which have become valuable intellectual property. While skilled prompters showcase their AI-generated art on markets to attract buyers, this business incidentally exposes them to prompt stealing attacks. Existing state-of-the-art attack techniques reconstruct the prompts from a fixed set of modifiers (i.e., style descriptions) with model-specific training, which exhibit restricted adaptability and effectiveness to diverse showcases (i.e., target images) and diffusion models. To alleviate these limitations, we propose Prometheus, a training-free, proxy-in-the-loop, search-based prompt-stealing attack, which reverse-engineers the valuable prompts of the showcases by interacting with a local proxy model. It consists of three innovative designs. First, we introduce dynamic modifiers, as a supplement to static modifiers used in prior works. These dynamic modifiers provide more details specific to the showcases, and we exploit NLP analysis to generate them on the fly. Second, we design a contextual matching algorithm to sort both dynamic and static modifiers. This offline process helps reduce the search space of the subsequent step. Third, we interact with a local proxy model to invert the prompts with a greedy search algorithm. Based on the feedback guidance, we refine the prompt to achieve higher fidelity. The evaluation results show that Prometheus successfully extracts prompts from popular platforms like PromptBase and AIFrog against diverse victim models, including Midjourney, Leonardo.ai, and DALL·E, with an ASR improvement of 25.0%. We also validate that Prometheus is resistant to extensive potential defenses, further highlighting its severity in practice.

Paper Structure

This paper contains 38 sections, 4 equations, 16 figures, 9 tables, 2 algorithms.

Figures (16)

  • Figure 1: A prompt and its corresponding images. The blue phrase is the subject, and the red phrases are the modifiers. After the attacker steals the prompt, they can reuse it by replacing the subject (in brown). This prompt is from the commercial prompt market PromptBase, whose showcase is generated with DALL·E 3.
  • Figure 2: Overall pipeline of Prometheus. In general, Prometheus consists of three main components: ❶ Modifier Extraction; ❷ Contextual Matching; and ❸ Greedy Proxy Query. Prometheus starts with a showcase and public prompt base, which provides static and dynamic modifiers. Then, contextual matching is utilized to rank and shortlist the unsorted modifiers. Prometheus interactively queries a local Proxy model and computes the fidelity gain for each modifier (as defined in the paper's fidelity equation). This gain serves as feedback to guide the refinement of the modifiers.
  • Figure 3: An illustration of dynamic modifiers. The base prompts in (b)–(d) are generated by the caption model BLIP based on the showcase. As shown, the caption model fails to capture detailed subject and position information. Additionally, in the transition from (a) to (b), these omissions result in an image that differs from the showcase. However, this issue can be mitigated by incorporating detailed subject and position information, as demonstrated in (c) and (d). The evaluation model used is Imagen from Gemini.
  • Figure 4: Modifier coverage with caption number.
  • Figure 5: Comparison between our contextual modifier ranking method and the baseline. The slopes of fitted linear functions are the PCC.
  • ...and 11 more figures