Text-to-Image Models Leave Identifiable Signatures: Implications for Leaderboard Security

Generative AI leaderboards are central to evaluating model capabilities, but remain vulnerable to manipulation. Among key adversarial objectives is rank manipulation, where an attacker must first deanonymize the models behind displayed outputs -- a threat previously demonstrated and explored for large language models (LLMs). We show that this problem can be even more severe for text-to-image leaderboards, where deanonymization is markedly easier. Using over 150,000 generated images from 280 prompts and 19 diverse models spanning multiple organizations, architectures, and sizes, we demonstrate that simple real-time classification in CLIP embedding space identifies the generating model with high accuracy, even without prompt control or historical data. We further introduce a prompt-level separability metric and identify prompts that enable near-perfect deanonymization. Our results indicate that rank manipulation in text-to-image leaderboards is easier than previously recognized, underscoring the need for stronger defenses.

Key Contributions

• Demonstrates that text-to-image models leave strong identifiable signatures in CLIP embedding space, enabling high-accuracy model deanonymization across 19 diverse models without prompt control or historical data
• Introduces a prompt-level separability metric that predicts deanonymization accuracy and identifies near-perfect attack prompts
• Shows model deanonymization succeeds even in the most restrictive one-vs-rest setting (e.g., SDXL Turbo at 99% top-1 accuracy), underscoring leaderboard rank-manipulation risk

🛡️ Threat Analysis

Details

Similar Papers