
Off-The-Shelf Image-to-Image Models Are All You Need To Defeat Image Protection Schemes

Xavier Pleimling, Sifat Muhammad Abdullah, Gunjan Balde, Peng Gao, Mainack Mondal, Murtuza Jadliwala, Bimal Viswanath

TL;DR

It is shown that off-the-shelf image-to-image GenAI models can be repurposed as generic "denoisers" using a simple text prompt, effectively removing a wide range of protective perturbations.

Abstract

Advances in Generative AI (GenAI) have led to the development of various protection strategies to prevent the unauthorized use of images. These methods rely on adding imperceptible protective perturbations to images to thwart misuse such as style mimicry or deepfake manipulations. Although previous attacks on these protections required specialized, purpose-built methods, we demonstrate that this is no longer necessary. We show that off-the-shelf image-to-image GenAI models can be repurposed as generic "denoisers" using a simple text prompt, effectively removing a wide range of protective perturbations. Across 8 case studies spanning 6 diverse protection schemes, our general-purpose attack not only circumvents these defenses but also outperforms existing specialized attacks while preserving the image's utility for the adversary. Our findings reveal a critical and widespread vulnerability in the current landscape of image protection, indicating that many schemes provide a false sense of security. We stress the urgent need to develop robust defenses and establish that any future protection mechanism must be benchmarked against attacks from off-the-shelf GenAI models. Code is available in this repository: https://github.com/mlsecviswanath/img2imgdenoiser

Paper Structure (31 sections, 3 equations, 17 figures, 27 tables)


Figures (17)

  • Figure 1: Images in bottom row are generated with StyleGANv2 using their respective top row image as an input. SD3 better restores the original face features compared to the baselines.
  • Figure 2: Qualitative image samples for PRC Watermark. Regen-VAE causes the image to appear blurrier in detail and DiffPure causes the image to appear more sharp and distorted. FLUX is able to preserve better quality during denoising.
  • Figure 3: The bottom edge of three W-Bench samples with and without VINE. VINE's watermarking creates visible perturbations on the edges of an image.
  • Figure 4: Qualitative samples for INSIGHT. FLUX provides the best style fit for Van Gogh, greatly improving performance compared to INSIGHT.
  • Figure 5: Images in top row are source images. Images in bottom row are generated images from Textual Inversion. Note the high-quality sample produced when using GPT-4o.
  • ...and 12 more figures