Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

AEGIS: Adversarial Target-Guided Retention-Data-Free Robust Concept Erasure from Diffusion Models

Fengpeng Li, Kemou Li, Qizhou Wang, Bo Han, Jiantao Zhou

TL;DR

This work tackles the safety challenge of concept erasure in diffusion models by addressing robustness to adversarial prompts while preserving non-target concepts. It introduces Adversarial Erasure Target (AET) to steer erasure away from semantic centers and Gradient Regularization Projection (GRP) to balance erasure robustness with retention without requiring extra retention data, formalized through the losses $\mathcal{L}_e$ and $\mathcal{L}_r$. Theoretical results establish local descent guarantees and retention benefits for GRP, and extensive experiments across Nudity, Van Gogh style, and Church object concepts show significant robustness gains against APAs with controlled impact on utility. Overall, AEGIS provides a principled, data-efficient framework for robust concept unlearning in nonconvex diffusion-model fine-tuning, with practical implications for safer generative AI deployment.

Abstract

Concept erasure helps stop diffusion models (DMs) from generating harmful content; but current methods face robustness retention trade off. Robustness means the model fine-tuned by concept erasure methods resists reactivation of erased concepts, even under semantically related prompts. Retention means unrelated concepts are preserved so the model's overall utility stays intact. Both are critical for concept erasure in practice, yet addressing them simultaneously is challenging, as existing works typically improve one factor while sacrificing the other. Prior work typically strengthens one while degrading the other, e.g., mapping a single erased prompt to a fixed safe target leaves class level remnants exploitable by prompt attacks, whereas retention-oriented schemes underperform against adaptive adversaries. This paper introduces Adversarial Erasure with Gradient Informed Synergy (AEGIS), a retention-data-free framework that advances both robustness and retention.

AEGIS: Adversarial Target-Guided Retention-Data-Free Robust Concept Erasure from Diffusion Models

TL;DR

This work tackles the safety challenge of concept erasure in diffusion models by addressing robustness to adversarial prompts while preserving non-target concepts. It introduces Adversarial Erasure Target (AET) to steer erasure away from semantic centers and Gradient Regularization Projection (GRP) to balance erasure robustness with retention without requiring extra retention data, formalized through the losses and . Theoretical results establish local descent guarantees and retention benefits for GRP, and extensive experiments across Nudity, Van Gogh style, and Church object concepts show significant robustness gains against APAs with controlled impact on utility. Overall, AEGIS provides a principled, data-efficient framework for robust concept unlearning in nonconvex diffusion-model fine-tuning, with practical implications for safer generative AI deployment.

Abstract

Concept erasure helps stop diffusion models (DMs) from generating harmful content; but current methods face robustness retention trade off. Robustness means the model fine-tuned by concept erasure methods resists reactivation of erased concepts, even under semantically related prompts. Retention means unrelated concepts are preserved so the model's overall utility stays intact. Both are critical for concept erasure in practice, yet addressing them simultaneously is challenging, as existing works typically improve one factor while sacrificing the other. Prior work typically strengthens one while degrading the other, e.g., mapping a single erased prompt to a fixed safe target leaves class level remnants exploitable by prompt attacks, whereas retention-oriented schemes underperform against adaptive adversaries. This paper introduces Adversarial Erasure with Gradient Informed Synergy (AEGIS), a retention-data-free framework that advances both robustness and retention.
Paper Structure (47 sections, 6 theorems, 33 equations, 13 figures, 10 tables, 2 algorithms)

This paper contains 47 sections, 6 theorems, 33 equations, 13 figures, 10 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Motivation: Unveiling the Vulnerability in Concept Erasure
  4. Method: Adversarial Erasure with Gradient-Informed Synergy
  5. AET for Guiding the Robust Erasure Optimization Direction
  6. GRP for Mitigating the Trade-off between Concept Erasure and Retention
  7. Theoretical Analysis
  8. Experiments
  9. Experimental Setup
  10. Experimental Results of Erasing Different Concepts
  11. Ablation Studies
  12. Conclusion
  13. Notations
  14. Main Notations and Descriptions
  15. Comparison among ESD, AdvUnlearn, and AEGIS
  16. ...and 32 more sections

Key Result

Proposition 3.0

Let $\mathcal{L}_{\text{erase}}({\bm \theta})=\mathbb{E}_t [\|{\bm \epsilon}_{\bm \theta}(\mathbf{z}_t|\mathbf{c}_{e}^0)-{\bm \epsilon}_{{\bm \theta}_0}(\mathbf{z}_t|\tilde{\mathbf{c}})\|_2^2]$, and $\Delta_T=\|{\bm \epsilon}_{{\bm \theta}_0}(\mathbf{z}_T|\mathbf{c}_{e}^0)-{\bm \epsilon}_{{\bm \thet ) yields $\mathcal{L}_{\text{erase}}({\bm \theta})\leq \delta < \Delta_T$. Then,

Figures (13)

  • Figure 1: Adversarial prompts can still result in DMs fine-tuned by concept erasure methods generating images with harmful information.
  • Figure 2: Predicted noise distances ($10^{-4}$) between nudity and its synonyms, measured using the original DM ${\bm \theta}_0$ and concept-erased DMs ${\bm \theta}_{\text{ESD}}$ and ${\bm \theta}_{\text{AET}}$.
  • Figure 2: Performance of erasing the nudity concept. ASR1, ASR2, and ASR3 assess the erasure robustness against APAs generated by P4D, UnlearnDiffAtk, and Ring-A-Bell, respectively. FID and CLIP scores characterize the preserved utility of DMs.
  • Figure 3: Overview of AEGIS. The proposed framework introduces two core components: (slowromancapi@) adversarial erasure target (AET) generation (§), and (slowromancapii@) gradient regularization projection (GRP) fine-tuning (§).
  • Figure 4: Geometry of ${\bm{g}}_e$ and ${\bm{g}}_r$ w/wo conflict. When $\cos{\phi}<0$, ${\bm{g}}_r$ can be orthogonally decomposed into a vertical gradient $g_{\perp}$ and a parallel $g_{\parallel}$ to ${\bm{g}}_e$.
  • ...and 8 more figures

Theorems & Definitions (14)

  • Proposition 3.0: Deviation Lower Bound
  • Definition 1: Predicted Noise Distance
  • Definition 2
  • Theorem 4.1: Local Descent Guarantee of Erasing Loss
  • Remark 1
  • Theorem E.1: Retention Benefit of GRP
  • Remark 2
  • Proposition E.1: Deviation Lower Bound
  • proof
  • Theorem E.1: Local Descent Guarantee of Erasing Loss
  • ...and 4 more