defense 2025

Patronus: Safeguarding Text-to-Image Models against White-Box Adversaries

Xinfeng Li 1,2, Shengyuan Pang 2, Jialin Wu 2, Jiangyi Deng 2, Huanlong Zhong 2, Yanjiao Chen 2, Jie Zhang 3, Wenyuan Xu 2

1 Nanyang Technological University

2 Zhejiang University

3 ETH Zurich

0 citations · 46 references · arXiv
α

Published on arXiv

2510.16581

Transfer Learning Attack

OWASP ML Top 10 — ML07

Key Finding

Patronus maintains safe content generation performance while remaining resilient against various white-box fine-tuning attacks that bypass standard safety measures in T2I models.

Patronus

Novel technique introduced

Text-to-image (T2I) models, though exhibiting remarkable creativity in image generation, can be exploited to produce unsafe images. Existing safety measures, e.g., content moderation or model alignment, fail in the presence of white-box adversaries who know and can adjust model parameters, e.g., by fine-tuning. This paper presents a novel defensive framework, named Patronus, which equips T2I models with holistic protection to defend against white-box adversaries. Specifically, we design an internal moderator that decodes unsafe input features into zero vectors while ensuring the decoding performance of benign input features. Furthermore, we strengthen the model alignment with a carefully designed non-fine-tunable learning mechanism, ensuring the T2I model will not be compromised by malicious fine-tuning. We conduct extensive experiments to validate the intactness of the performance on safe content generation and the effectiveness of rejecting unsafe content generation. Results also confirm the resilience of Patronus against various fine-tuning attacks by white-box adversaries.

Key Contributions

  • Internal moderator that projects unsafe input features to zero vectors while preserving benign feature decoding performance
  • Non-fine-tunable learning mechanism that makes safety alignment resistant to malicious fine-tuning by white-box adversaries
  • Holistic defensive framework (Patronus) validated against multiple fine-tuning attack strategies on T2I models

🛡️ Threat Analysis

Transfer Learning Attack

The primary adversarial threat is a white-box adversary who fine-tunes the T2I model to circumvent safety alignment — a classic transfer learning attack. The core defense contribution (non-fine-tunable learning mechanism) directly addresses backdoors/safety bypasses that exploit the fine-tuning process, which is the defining characteristic of ML07.

Details

Domains
visiongenerative
Model Types
diffusiontransformer
Threat Tags
white_boxtraining_time
Applications
text-to-image generationcontent safety for generative models
Read PDF arXiv DOI

Similar Papers

defense

Limits of Convergence-Rate Control for Open-Weight Safety

2026 0 cit.
Transfer Learning Attack
60%
defense

StyleProtect: Safeguarding Artistic Identity in Fine-tuned Diffusion Models

2025 0 cit.
Output Integrity Attack
56%
benchmark

Evaluating Concept Filtering Defenses against Child Sexual Abuse Material Generation by Text-to-Image Models

2025 0 cit.
Data Poisoning AttackTransfer Learning Attack
56%
defense

Localizing and Mitigating Memorization in Image Autoregressive Models

2025 0 cit.
Model Inversion Attack
53%
defense

SuMa: A Subspace Mapping Approach for Robust and Effective Concept Erasure in Text-to-Image Diffusion Models

2025 0 cit.
Output Integrity Attack
53%
attack

Tuning Just Enough: Lightweight Backdoor Attacks on Multi-Encoder Diffusion Models

2026 0 cit.
Model PoisoningTransfer Learning Attack
53%
benchmark

Open-weight genome language model safeguards: Assessing robustness via adversarial fine-tuning

2025 3 cit.
Transfer Learning Attack
50%
benchmark

Best Practices for Biorisk Evaluations on Open-Weight Bio-Foundation Models

2025 0 cit.
Transfer Learning Attack
50%