BlurGuard: A Simple Approach for Robustifying Image Protection Against AI-Powered Editing

TL;DR

BlurGuard tackles the vulnerability of prior image-protection methods to purification by shifting focus from mere imperceptibility to naturalistic, frequency-aligned protection. It introduces a learnable, region-wise Gaussian blurring of protective noise, guided by a power-spectrum regularization and semantic segmentation masks, to minimize spectral gaps against natural images. The approach employs a two-stage optimization to balance frequency alignment with adversarial effectiveness, and it demonstrates robust performance across image-to-image editing, inpainting, and instruction-based editing, including black-box model transfers. Results reveal improved worst-case protection against diverse purification techniques while maintaining perceptual quality, and a new dataset (ImageNet-Edit) supports standardized evaluation. Overall, BlurGuard provides a practical, transferable framework for robust image protection in diffusion-based editing scenarios, with code available publicly.

Abstract

Recent advances in text-to-image models have increased the exposure of powerful image editing techniques as a tool, raising concerns about their potential for malicious use. An emerging line of research to address such threats focuses on implanting "protective" adversarial noise into images before their public release, so future attempts to edit them using text-to-image models can be impeded. However, subsequent works have shown that these adversarial noises are often easily "reversed," e.g., with techniques as simple as JPEG compression, casting doubt on the practicality of the approach. In this paper, we argue that adversarial noise for image protection should not only be imperceptible, as has been a primary focus of prior work, but also irreversible, viz., it should be difficult to detect as noise provided that the original image is hidden. We propose a surprisingly simple method to enhance the robustness of image protection methods against noise reversal techniques. Specifically, it applies an adaptive per-region Gaussian blur on the noise to adjust the overall frequency spectrum. Through extensive experiments, we show that our method consistently improves the per-sample worst-case protection performance of existing methods against a wide range of reversal techniques on diverse image editing scenarios, while also reducing quality degradation due to noise in terms of perceptual metrics. Code is available at https://github.com/jsu-kim/BlurGuard.

Figures (17)

• Figure 1: Overview of BlurGuard, a novel framework for constructing robust image protection. We (a) leverage Segment Anything kirillov2023segment to obtain semantic-aware region‐wise perturbations, (b) apply different levels of Gaussian blur, and (c) update blur‐intensity parameters to minimize the power‐spectrum gap before and after adding the perturbation.
• Figure 2: Comparisons of RAPSD on ImageNet-Edit (Appendix \ref{['app:dataset_details']}) with SD-v1.4.
• Figure 3: Qualitative comparison of image-to-image generation results ($\epsilon=\tfrac{16}{255}$). Before purification, all protection methods effectively safeguard the images. However, in the worst-case scenario, the baselines often fail to maintain their protection, producing outputs nearly identical to the original edit. In contrast, BlurGuard continues to generate unrealistic images that do not resemble either the source image or the generation from it. More qualitative results can be found in Figure \ref{['fig:qualitative_img2img']} in Appendix.
• Figure 4: Comparison of protection naturalness vs. worst-case effectiveness (both in LPIPS) across different protection methods.
• Figure 5: Image-prompt pairs taken from ImageNet-Edit, a new benchmark dataset of 80 curated samples filtered from ImageNet, combined with ChatGPT for labeling, to evaluate image protection method in image-to-image generation task.