Protecting copyright of stable diffusion models from ambiguity attacks
Authors: Zihan Yuan, Li Li, Zichi Wang, Xinpeng Zhang
Journal: Signal Processing, volume 227, Article 109722
Publication date: 2024-09-28
DOI: 10.1016/j.sigpro.2024.109722
URL: https://www.sciencedirect.com/science/article/pii/S0165168424003426
In recent years, stable diffusion models (SDMs) have been widely used in text-to-image generation tasks, and their copyright protection has attracted the attention of researchers. Model owners can embed watermarks into SDMs by fine-tuning them and use a prompt-watermark pair to authenticate model ownership. However, attackers can obfuscate model ownership by forging a relationship between a fake prompt and the watermark image. Therefore, this paper proposes a black-box copyright protection method for SDMs that can effectively resist watermark ambiguity attacks. Specifically, we adopt an irreversible watermarking technique for watermark embedding. A hash function is used to ensure one-way, irreversible generation of the trigger prompts from the secret key. The trigger set, consisting of trigger prompts and watermarks, is then used to fine-tune the SDMs to embed the watermarks. Without the secret key, attackers cannot reverse-construct the specific prompts with their internal associations. Experiments show that our method protects the copyright of SDMs effectively and resists ambiguity attacks without degrading model performance.
About the journal:
Signal Processing incorporates all aspects of the theory and practice of signal processing. It features original research work, tutorial and review articles, and accounts of practical developments. It is intended for a rapid dissemination of knowledge and experience to engineers and scientists working in the research, development or practical application of signal processing.
Subject areas covered by the journal include: Signal Theory; Stochastic Processes; Detection and Estimation; Spectral Analysis; Filtering; Signal Processing Systems; Software Developments; Image Processing; Pattern Recognition; Optical Signal Processing; Digital Signal Processing; Multi-dimensional Signal Processing; Communication Signal Processing; Biomedical Signal Processing; Geophysical and Astrophysical Signal Processing; Earth Resources Signal Processing; Acoustic and Vibration Signal Processing; Data Processing; Remote Sensing; Signal Processing Technology; Radar Signal Processing; Sonar Signal Processing; Industrial Applications; New Applications.