Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/94304
Full metadata record
DC Field | Value | Language
dc.contributor.advisor | 周承復 | zh_TW
dc.contributor.advisor | Cheng-Fu Chou | en
dc.contributor.author | 施君諺 | zh_TW
dc.contributor.author | Chun-Yen Shih | en
dc.date.accessioned | 2024-08-15T16:42:58Z | -
dc.date.available | 2024-08-16 | -
dc.date.copyright | 2024-08-15 | -
dc.date.issued | 2024 | -
dc.date.submitted | 2024-08-01 | -
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/94304 | -
dc.description.abstract | Given the substantial improvement that diffusion models have brought to image generation quality, image editing carries a potential risk of infringing the copyrights of artists and image owners. To prevent this problem, a relatively effective and feasible approach is to restrict the model's access to the intended output image. In recent years, many research teams have made significant progress on this problem, particularly with adversarial images generated for Latent Diffusion Models; however, these methods have not yet transferred effectively to Pixel-based Diffusion Models, which leaves pixel-based diffusion models as a gap. In this thesis, we design an optimization-based pipeline that achieves an attack effect on both latent diffusion models and pixel-based diffusion models. Our method includes a new feature loss that maximizes the distance between latent representations within the ResNet block, thereby improving the effectiveness of the attack. In addition, we use a Variational Autoencoder (VAE) to transform images into latent space. This transformation allows us to optimize in latent space and subsequently decode the latent representation of the adversarial image. To ensure the quality of the adversarial image, we also apply a segmentation mask that blends the decoded latent representation of the adversarial image with the source image. This process produces an adversarial image that resembles the source image while effectively disrupting diffusion-based editing. Finally, we conducted extensive experiments to thoroughly evaluate the effectiveness of our method, showing that it can generate inconspicuous adversarial images and disrupt diffusion-based editing. | zh_TW
dc.description.abstract | Due to the superior quality of images generated by diffusion models (DM), image editing poses potential risks of infringing upon painters' copyrights. A proactive approach to mitigate this issue is to restrict access to the intended output image. Recent advancements have achieved success in generating adversarial images for Latent Diffusion Models (LDM) to address such concerns. However, these methods have not been effectively transferred to Pixel-based Diffusion Models (PDM). In this work, we introduce an optimization-based pipeline capable of attacking both LDM and PDM. Our approach includes a novel feature loss that maximizes the distance of latents within the ResNet block, thereby enhancing the effectiveness of the attack. Additionally, we leverage a Variational Autoencoder (VAE) to transform images into latent space. This transformation allows us to optimize the latent representation and subsequently decode it. To ensure the quality of the adversarial image, we apply a segmentation mask that blends the decoded optimized latent with the source image. This process results in a seamless adversarial image that effectively disrupts the diffusion-based editing process. Lastly, we conducted extensive experiments to thoroughly evaluate the effectiveness of our method, demonstrating its capability to generate high-quality adversarial examples that disrupt diffusion-based editing processes. | en
dc.description.provenance | Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2024-08-15T16:42:58Z; No. of bitstreams: 0 | en
dc.description.provenance | Made available in DSpace on 2024-08-15T16:42:58Z (GMT). No. of bitstreams: 0 | en
dc.description.tableofcontents | Verification Letter from the Oral Examination Committee
Acknowledgements
Abstract (Chinese)
Abstract
Contents
List of Figures
List of Tables
Chapter 1 Introduction
Chapter 2 Related Work
2.1 Diffusion Attack
2.2 Encoder Attack
2.3 Conditional Module Attack
Chapter 3 Preliminaries
3.1 Diffusion Models
3.2 Types of Deep Neural Network Attacks
3.2.1 Backdoor Attacks
3.2.2 Evasion Attacks
3.3 Evasion Attacks on Latent Diffusion Models
3.3.1 Semantic Loss
3.3.2 Textural Loss
Chapter 4 Methodology
4.1 Problem Setting
4.2 Loss Function
4.2.1 Feature Loss
4.2.2 Image Loss
4.2.2.1 Style Loss
4.2.2.2 Color Loss
4.3 Enhanced Image Quality via Separate Gradient Updates for Loss Functions
4.4 Leveraging Segmentation Mask to Diminishes Background Artifacts
4.5 Utilizing VAE for Latent Space Optimization
Chapter 5 Experiments
5.1 Experiments Settings
5.2 Attacking Effectiveness on Latent Diffusion Models
5.3 Attacking Effectiveness on Pixel-based Diffusion Models
5.3.1 Pixel Space Optimization
5.3.2 Latent Space Optimization
5.4 Against Defense Methods
5.5 Ablation Study
5.5.1 Utilizing VAE for Latent Space Optimization
5.5.2 Segmentation Mask Enhances Protected Image Quality
Chapter 6 Conclusion
References
Appendix A: More Experimental Results
A.1 Different Attack Budget | -
dc.language.iso | en | -
dc.subject | Generative AI | zh_TW
dc.subject | Evasion Attack | zh_TW
dc.subject | Malicious Attack | zh_TW
dc.subject | Diffusion Model | zh_TW
dc.subject | AI Security | zh_TW
dc.subject | Diffusion Model | en
dc.subject | Generative AI | en
dc.subject | Evasion Attack | en
dc.subject | AI Security | en
dc.subject | Adversarial Attack | en
dc.title | Evasion Attack Based on Diffusion Models | zh_TW
dc.title | Evasion Attack on Diffusion Model | en
dc.type | Thesis | -
dc.date.schoolyear | 112-2 | -
dc.description.degree | Master's | -
dc.contributor.oralexamcommittee | 陳駿丞; 吳曉光; 黃志煒; 呂政修 | zh_TW
dc.contributor.oralexamcommittee | Jun-Cheng Chen; Hsiao-kuang Wu; Chih-Wei Huang; Jenq-Shiou Leu | en
dc.subject.keyword | Evasion Attack, Generative AI, Diffusion Model, Malicious Attack, AI Security | zh_TW
dc.subject.keyword | Evasion Attack, Generative AI, Diffusion Model, Adversarial Attack, AI Security | en
dc.relation.page | 50 | -
dc.identifier.doi | 10.6342/NTU202402243 | -
dc.rights.note | Authorization granted (open access worldwide) | -
dc.date.accepted | 2024-08-04 | -
dc.contributor.author-college | College of Electrical Engineering and Computer Science | -
dc.contributor.author-dept | Department of Computer Science and Information Engineering | -
Appears in collections: Department of Computer Science and Information Engineering

Files in this item:
File | Size | Format
ntu-112-2.pdf | 20.3 MB | Adobe PDF