Protecting copyright of stable diffusion models from ambiguity attacks

IF 3.4, Zone 2 (Engineering Technology), Q2 ENGINEERING, ELECTRICAL & ELECTRONIC
Zihan Yuan, Li Li, Zichi Wang, Xinpeng Zhang
Signal Processing, vol. 227, Article 109722. Published 2024-09-28. DOI: 10.1016/j.sigpro.2024.109722. Source: https://www.sciencedirect.com/science/article/pii/S0165168424003426
Citation count: 0

Abstract

In recent years, stable diffusion models (SDMs) have been widely used in text-to-image generation tasks, and their copyright protection has drawn attention from researchers. Model owners can embed watermarks into SDMs by fine-tuning them and use a prompt-watermark pair to authenticate model ownership. However, attackers can obfuscate model ownership by forging a relationship between a fake prompt and the watermark image. This paper therefore proposes a black-box copyright protection method for SDMs that effectively resists watermark ambiguity attacks. Specifically, we adopt an irreversible watermarking technique for watermark embedding. A hash function ensures that the trigger prompts are generated from the secret key in a one-way, irreversible manner. The trigger set, consisting of trigger prompts and watermarks, is then used to fine-tune the SDMs to embed the watermarks. Without the secret key, attackers cannot reverse-construct the specific prompts with their internal associations. Experiments show that our method effectively protects the copyright of SDMs and resists ambiguity attacks without degrading model performance.
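The key-to-prompt derivation and the ownership check described in the abstract can be sketched as follows. This is an added example, not the paper's construction: HMAC-SHA256, the word list, the lookup-table "model" and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed 16-word vocabulary (assumption; the page does not give the paper's prompt format).
WORDS = ("amber basalt cobalt dune ember fjord glacier harbor "
         "indigo jade kelp lantern marble nebula onyx prairie").split()

def derive_trigger_prompts(secret_key, count, words_per_prompt=8):
    """Derive prompt i one-way from the key: HMAC-SHA256(key, i) selects the words."""
    prompts = []
    for i in range(count):
        digest = hmac.new(secret_key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        # 256 is a multiple of 16, so byte % 16 selects words without bias.
        prompts.append(" ".join(WORDS[b % len(WORDS)] for b in digest[:words_per_prompt]))
    return prompts

def verify_claim(revealed_key, claimed_prompts, query_model, watermark_id):
    """Accept only if the prompts follow from the key AND the model answers with the watermark."""
    expected = derive_trigger_prompts(revealed_key, len(claimed_prompts))
    derived_ok = len(claimed_prompts) > 0 and all(
        hmac.compare_digest(e.encode(), c.encode()) for e, c in zip(expected, claimed_prompts))
    if not derived_ok:
        return False  # prompts chosen after the fact have no key that generates them
    return all(query_model(p) == watermark_id for p in claimed_prompts)

def build_demo():
    """Constructed scenario: toy black-box model as a prompt -> output-label lookup."""
    owner_key = b"constructed-owner-key"
    owner_prompts = derive_trigger_prompts(owner_key, 4)
    # Forged prompts that, in this toy, also yield the watermark (the ambiguity claim).
    forged_prompts = ["a misty harbor at dawn", "an onyx statue in a prairie"]
    responses = {p: "WM-OWNER" for p in owner_prompts + forged_prompts}
    query_model = lambda prompt: responses.get(prompt, "ordinary-image")
    return owner_key, owner_prompts, forged_prompts, query_model

if __name__ == "__main__":
    key, prompts, forged, model = build_demo()
    print("owner claim:   ", verify_claim(key, prompts, model, "WM-OWNER"))
    print("forged prompts:", verify_claim(b"attacker-key", forged, model, "WM-OWNER"))
    fresh = derive_trigger_prompts(b"attacker-key", 4)
    print("attacker's own:", verify_claim(b"attacker-key", fresh, model, "WM-OWNER"))
```

The forged claim fails at the derivation check even though the toy model returns the watermark for those prompts, and prompts derived from a different key fail because the model was never fine-tuned on them.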
Source journal
Signal Processing (Engineering Technology: Engineering, Electrical & Electronic)
CiteScore: 9.20
Self-citation rate: 9.10%
Articles published: 309
Review time: 41 days
Journal description: Signal Processing incorporates all aspects of the theory and practice of signal processing. It features original research work, tutorial and review articles, and accounts of practical developments. It is intended for a rapid dissemination of knowledge and experience to engineers and scientists working in the research, development or practical application of signal processing. Subject areas covered by the journal include: Signal Theory; Stochastic Processes; Detection and Estimation; Spectral Analysis; Filtering; Signal Processing Systems; Software Developments; Image Processing; Pattern Recognition; Optical Signal Processing; Digital Signal Processing; Multi-dimensional Signal Processing; Communication Signal Processing; Biomedical Signal Processing; Geophysical and Astrophysical Signal Processing; Earth Resources Signal Processing; Acoustic and Vibration Signal Processing; Data Processing; Remote Sensing; Signal Processing Technology; Radar Signal Processing; Sonar Signal Processing; Industrial Applications; New Applications.