defense 2025

When Privacy Meets Recovery: The Overlooked Half of Surrogate-Driven Privacy Preservation for MLLM Editing

Siyuan Xu 1, Yibing Liu 1, Peilin Chen 1, Yung-Hui Li 2, Shiqi Wang 1, Sam Kwong 3

0 citations · 24 references · arXiv


Published on arXiv

2512.07166

Sensitive Information Disclosure

OWASP LLM Top 10 — LLM06

Key Finding

SOER generalizes across diverse visual content and editing tasks on SPPE-Bench and InstructPix2Pix, achieving strong edit fidelity while ensuring private content is never exposed to the cloud MLLM service.

SOER (Surrogate-to-Original Editable Recovery)

Novel technique introduced


Privacy leakage in Multimodal Large Language Models (MLLMs) has long been an intractable problem. Existing studies, though they effectively obscure private information before it reaches an MLLM, often overlook evaluating the authenticity and recovery quality of the protected user content. To this end, this work focuses on the critical challenge of how to restore surrogate-driven protected data in diverse MLLM scenarios. We first bridge this research gap by contributing the SPPE (Surrogate Privacy Protected Editable) dataset, which includes a wide range of privacy categories and user instructions to simulate real MLLM applications. This dataset offers protected surrogates alongside their various MLLM-edited versions, thus enabling the direct assessment of privacy recovery quality. By formulating privacy recovery as a guided generation task conditioned on complementary multimodal signals, we further introduce a unified approach that reliably reconstructs private content while preserving the fidelity of MLLM-generated edits. Experiments on both SPPE and InstructPix2Pix show that our approach generalizes well across diverse visual content and editing tasks, achieving a strong balance between privacy protection and MLLM usability.


Key Contributions

  • SPPE-Bench: first benchmark dataset explicitly designed to evaluate edit fidelity and privacy recovery quality under surrogate-based MLLM privacy protection, covering diverse privacy-sensitive categories and editing instructions
  • SOER (Surrogate-to-Original Editable Recovery): a Diffusion Transformer framework that reconstructs MLLM-style edits on original images using surrogate-edited outputs as semantic references, without ever exposing private content to the cloud MLLM
  • Formulation of privacy recovery as a guided multimodal generation task, achieving strong balance between privacy preservation and MLLM usability across diverse visual content and editing tasks
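The data flow the contributions describe has one security invariant worth making concrete: the only bytes that leave the device are the surrogate image, so the cloud payload must be independent of the private pixels, and the recovery step runs locally on the original. The following is an added illustrative example, not the paper's SOER code or dataset tooling. Everything in it is a stand-in and an assumption: the surrogate is a constant fill, the "cloud MLLM" is a brightness shift, and recovery just transfers the cloud's per-pixel edit delta onto the original (SOER itself is a Diffusion Transformer conditioned on the surrogate-edited output). What the example adds is a non-interference check a practitioner can run on any surrogate generator: two inputs that differ only inside the privacy mask must produce byte-identical cloud payloads. A mean-fill "blur" surrogate is included to show the check catching a leak, since its fill value is derived from the private pixels.

```python
"""Illustrative surrogate-driven editing flow (added example; not the paper's SOER).

Assumed stand-ins: constant-fill surrogate, brightness-shift 'cloud edit', and a
delta-transfer recovery. The data flow and the non-interference check are the point.
"""
from dataclasses import dataclass
import hashlib
from typing import Callable

Image = list[list[int]]  # 8-bit grayscale image as rows of pixel values


@dataclass(frozen=True)
class Mask:
    """Half-open box [top, bottom) x [left, right) marking the private region."""
    top: int
    left: int
    bottom: int
    right: int

    def covers(self, r: int, c: int) -> bool:
        return self.top <= r < self.bottom and self.left <= c < self.right


SURROGATE_VALUE = 128  # constructed neutral fill, deliberately independent of the private pixels


def make_surrogate(img: Image, mask: Mask) -> Image:
    """Safe surrogate: the masked region becomes a constant, so no private pixel
    can influence what is sent to the cloud."""
    return [[SURROGATE_VALUE if mask.covers(r, c) else v for c, v in enumerate(row)]
            for r, row in enumerate(img)]


def make_leaky_surrogate(img: Image, mask: Mask) -> Image:
    """Unsafe surrogate for contrast: fills the region with the mean of the private
    pixels (a crude 'blur'). The fill depends on the private data, so it leaks."""
    private = [img[r][c] for r in range(len(img)) for c in range(len(img[0])) if mask.covers(r, c)]
    fill = sum(private) // len(private)
    return [[fill if mask.covers(r, c) else v for c, v in enumerate(row)]
            for r, row in enumerate(img)]


def cloud_payload(surrogate: Image) -> bytes:
    """The only bytes that leave the device."""
    return bytes(v for row in surrogate for v in row)


def mock_cloud_edit(surrogate: Image, instruction: str) -> Image:
    """Stand-in for the remote MLLM editor: 'brighten' adds 40 (clamped); anything else is a no-op."""
    if instruction == "brighten":
        return [[min(255, v + 40) for v in row] for row in surrogate]
    return [list(row) for row in surrogate]


def recover(original: Image, surrogate: Image, edited: Image, mask: Mask) -> Image:
    """Stand-in for the local recovery step: outside the mask keep the cloud edit
    verbatim; inside the mask apply the edit delta to the original content, which
    never left the device."""
    out: Image = []
    for r, row in enumerate(original):
        new_row = []
        for c, v in enumerate(row):
            if mask.covers(r, c):
                new_row.append(max(0, min(255, v + edited[r][c] - surrogate[r][c])))
            else:
                new_row.append(edited[r][c])
        out.append(new_row)
    return out


def leaks_private_content(img_a: Image, img_b: Image, mask: Mask,
                          surrogate_fn: Callable[[Image, Mask], Image]) -> bool:
    """Non-interference check: two images that differ only inside the mask must
    yield byte-identical cloud payloads. Returns True if the payloads differ."""
    for r, (ra, rb) in enumerate(zip(img_a, img_b)):
        for c, (a, b) in enumerate(zip(ra, rb)):
            if a != b and not mask.covers(r, c):
                raise ValueError("images differ outside the mask; the check is not meaningful")

    def digest(img: Image) -> str:
        return hashlib.sha256(cloud_payload(surrogate_fn(img, mask))).hexdigest()

    return digest(img_a) != digest(img_b)


def run_pipeline(original: Image, mask: Mask, instruction: str) -> Image:
    surrogate = make_surrogate(original, mask)         # local
    edited = mock_cloud_edit(surrogate, instruction)   # remote: sees the surrogate only
    return recover(original, surrogate, edited, mask)  # local


# Constructed 4x4 sample; the 2x2 block at rows 1-2, cols 1-2 is the private region.
ORIGINAL: Image = [[10, 20, 30, 40],
                   [50, 200, 210, 80],
                   [90, 220, 230, 120],
                   [130, 140, 150, 160]]
VARIANT: Image = [[10, 20, 30, 40],   # same image, different private content
                  [50, 0, 0, 80],
                  [90, 0, 0, 120],
                  [130, 140, 150, 160]]
MASK = Mask(top=1, left=1, bottom=3, right=3)

if __name__ == "__main__":
    print("constant surrogate leaks:", leaks_private_content(ORIGINAL, VARIANT, MASK, make_surrogate))
    print("mean-fill surrogate leaks:", leaks_private_content(ORIGINAL, VARIANT, MASK, make_leaky_surrogate))
    for row in run_pipeline(ORIGINAL, MASK, "brighten"):
        print(row)
```

The check is deliberately about the payload bytes rather than about how the surrogate looks: pixelation, blur and similar "redactions" are functions of the private pixels and fail it, which is exactly the class of surrogate that reconstruction attacks target. The delta-transfer recovery is only a placeholder for SOER; what carries over to a real deployment is that recovery consumes the original and the cloud output together, and only on the client side.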

🛡️ Threat Analysis


Details

Domains
vision, multimodal
Model Types
vlm, diffusion, multimodal
Threat Tags
inference_time
Datasets
SPPE-Bench, InstructPix2Pix
Applications
image editing, multimodal llm services, privacy-preserving visual ai