Anti-Tamper Protection for Unauthorized Individual Image Generation
Zelin Li, Ruohan Zong, Yifan Liu, Ruichen Yao, Yaokun Liu, Yang Zhang, Dong Wang
Published on arXiv
2508.06325
Output Integrity Attack
OWASP ML Top 10 — ML09
Key Finding
ATP maintains effective forgery protection even when attackers apply purification techniques to remove standard protective perturbations, by detecting tampering via an embedded authorization signal.
Anti-Tamper Perturbation (ATP)
Novel technique introduced
With the advancement of personalized image generation technologies, concerns about forgery attacks that infringe on portrait rights and privacy are growing. To address these concerns, protection perturbation algorithms have been developed to disrupt forgery generation. However, the protection algorithms become ineffective when forgery attackers apply purification techniques to bypass the protection. To address this issue, we present a novel approach, Anti-Tamper Perturbation (ATP). ATP introduces a tamper-proof mechanism within the perturbation. It consists of protection and authorization perturbations, where the protection perturbation defends against forgery attacks, while the authorization perturbation detects purification-based tampering. Both protection and authorization perturbations are applied in the frequency domain under the guidance of a mask, ensuring that the protection perturbation does not disrupt the authorization perturbation. This design also enables the authorization perturbation to be distributed across all image pixels, preserving its sensitivity to purification-based tampering. ATP demonstrates its effectiveness in defending against forgery attacks across various attack settings through extensive experiments, providing a robust solution for protecting individuals' portrait rights and privacy. Our code is available at: https://github.com/Seeyn/Anti-Tamper-Perturbation.
Key Contributions
- Anti-Tamper Perturbation (ATP) framework combining a protection perturbation (disrupts personalized model training) with an authorization perturbation (detects purification-based tampering)
- Frequency-domain application guided by a mask that prevents the protection perturbation from interfering with the authorization signal while distributing it across all pixels for tamper sensitivity
- Demonstrated robustness against purification-based bypass attacks across multiple attack settings for portrait-rights protection
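The mask-guided frequency-domain split described above can be illustrated with a toy, added here as an example; it is not the paper's algorithm or code from the ATP repository. It assumes a keyed random mask over the DCT coefficients of one 8x8 block, parity (QIM) embedding for the authorization bits, random noise standing in for the optimized protection perturbation, and a 3x3 mean blur standing in for purification; all function names and constants are hypothetical.

```python
import math, random

N, Q, EPS = 8, 8.0, 6.0  # block size, QIM step, protection budget (all assumed values)
# Orthonormal DCT-II matrix; each coefficient's basis function spans every pixel of the block.
C = [[math.sqrt((1 if k == 0 else 2) / N) * math.cos(math.pi * (2 * n + 1) * k / (2 * N))
      for n in range(N)] for k in range(N)]
CT = [list(r) for r in zip(*C)]

def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]

def dct2(x):
    return matmul(matmul(C, x), CT)    # C X C^T

def idct2(f):
    return matmul(matmul(CT, f), C)    # C^T F C

def keyed_mask(key):  # secret key -> (authorization positions, expected bits, protection positions)
    rng = random.Random(key)
    pos = [(u, v) for u in range(N) for v in range(N)]
    rng.shuffle(pos)
    half = pos[: N * N // 2]
    return half, [rng.randrange(2) for _ in half], pos[N * N // 2:]

def protect(img, key):
    auth, bits, prot = keyed_mask(key)
    F, noise = dct2(img), random.Random(0)
    for u, v in prot:                    # random stand-in for the protection perturbation
        F[u][v] += noise.uniform(-EPS, EPS)
    for (u, v), b in zip(auth, bits):    # QIM: parity of the quantised coefficient carries the bit
        q = round(F[u][v] / Q)
        F[u][v] = (q if q % 2 == b else q + 1) * Q
    return idct2(F)

def bit_error_rate(img, key):  # fraction of authorization bits that no longer verify
    auth, bits, _ = keyed_mask(key)
    F = dct2(img)
    return sum(round(F[u][v] / Q) % 2 != b for (u, v), b in zip(auth, bits)) / len(bits)

def purify(img):  # 3x3 mean blur with clamped borders, standing in for a purification step
    px = lambda i, j: img[min(max(i, 0), N - 1)][min(max(j, 0), N - 1)]
    return [[sum(px(i + a, j + b) for a in (-1, 0, 1) for b in (-1, 0, 1)) / 9
             for j in range(N)] for i in range(N)]

# Constructed sample: random 8x8 float "image" (no pixel rounding or clipping in this toy).
_rng = random.Random(42)
IMAGE = [[_rng.uniform(0, 255) for _ in range(N)] for _ in range(N)]
PROTECTED = protect(IMAGE, key=1234)
```

Because the two perturbations occupy disjoint coefficients of an orthonormal transform, the protected image verifies with a bit error rate of zero, while the blurred copy does not; a verifier would reject any image whose error rate exceeds a small threshold.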
🛡️ Threat Analysis
The paper defends against unauthorized personalized image generation (AI-generated forgery/deepfakes) by adding protective perturbations to images, and it specifically addresses purification attacks that remove those perturbations. Per the classification rules, removing or defeating anti-deepfake perturbations is an ML09 attack on content integrity, and this paper proposes a tamper-proof defense against such removal.