Abstract
Diffusion-based generative models have demonstrated dominant capabilities across a wide range of data generation tasks, including vision, language, audio, and scientific domains. Despite their success, customization of pre-trained diffusion models introduces serious privacy and intellectual property risks, mainly related to model stealing and unauthorized data usage. Model stealing is the illegal theft of high-performance pre-trained models, which raises economic and ethical concerns. While watermarking has been proposed for ownership verification, existing techniques cannot be directly applied to generative models, especially unconditional models, where watermark extraction becomes nontrivial. Unauthorized data usage allows attackers to illegally leverage sensitive data to generate content that infringes on identity or artistic style. Protective perturbation methods have been introduced to defend against such threats by making training data unlearnable, but their robustness to adaptive attacks remains underexplored.

In this study, we provide a comprehensive overview of intellectual property protection techniques for deep learning models and introduce novel methods for IP protection in diffusion-based generative models. We first revisit existing defense paradigms, including passive defenses such as watermarking and fingerprinting, and active defenses such as authentication and obfuscation. Building upon this foundation, we propose a watermarking framework, Watermarking Diffusion Models (WDM), which embeds, extracts, and verifies ownership information in diffusion models while preserving generation quality and robustness against adaptive attacks. To evaluate the resilience of protective perturbations, we introduce Contrastive Adversarial Training (CAT) as an effective adaptive attack, which mitigates representation distortion using lightweight adapters. Furthermore, we develop the Corrective Prompt Attack (CPA) to generate adversarial embeddings capable of degrading existing protection methods across diverse customization scenarios. Extensive experiments validate the effectiveness of our approaches, highlighting the need for more robust and adaptive protection strategies in diffusion-based generative modeling.
| Date of Award | 15 Sept 2025 |
|---|---|
| Original language | English |
| Awarding Institution | |
| Supervisor | Xiaohua JIA (Supervisor) |