Towards Transferable Defense Against Malicious Image Edits
Jie Zhang 1,2, Shuai Dong 3, Shiguang Shan 1,2, Xilin Chen 1,2
Published on arXiv: 2512.14341
OWASP ML Top 10 — ML09: Output Integrity Attack
Key Finding
TDAE achieves state-of-the-art performance in mitigating malicious diffusion-based image edits under both intra-model and cross-model (transferability) evaluations, outperforming prior immunization methods.
Novel technique introduced: TDAE (FlatGrad Defense Mechanism + Dynamic Prompt Defense)
Recent approaches employing imperceptible perturbations in input images have demonstrated promising potential to counter malicious manipulations in diffusion-based image editing systems. However, existing methods suffer from limited transferability in cross-model evaluations. To address this, we propose Transferable Defense Against Malicious Image Edits (TDAE), a novel bimodal framework that enhances image immunity against malicious edits through coordinated image-text optimization. Specifically, at the visual defense level, we introduce FlatGrad Defense Mechanism (FDM), which incorporates gradient regularization into the adversarial objective. By explicitly steering the perturbations toward flat minima, FDM amplifies immune robustness against unseen editing models. For textual enhancement protection, we propose an adversarial optimization paradigm named Dynamic Prompt Defense (DPD), which periodically refines text embeddings to align the editing outcomes of immunized images with those of the original images, then updates the images under optimized embeddings. Through iterative adversarial updates to diverse embeddings, DPD enforces the generation of immunized images that seek a broader set of immunity-enhancing features, thereby achieving cross-model transferability. Extensive experimental results demonstrate that our TDAE achieves state-of-the-art performance in mitigating malicious edits under both intra- and cross-model evaluations.
Key Contributions
- FlatGrad Defense Mechanism (FDM): gradient regularization that steers adversarial perturbations toward flat minima, improving transferability to unseen editing models
- Dynamic Prompt Defense (DPD): adversarial optimization of text embeddings that periodically refines prompt representations to broaden immunity-enhancing features across diverse editing contexts
- TDAE bimodal framework combining FDM and DPD achieves state-of-the-art cross-model transferability in blocking malicious diffusion-based image edits
🛡️ Threat Analysis
The paper creates protective adversarial perturbations embedded in images to prevent malicious AI editing — directly implementing the 'anti-deepfake perturbations / style-transfer protections' category of content integrity defenses that ML09 explicitly references. The primary contribution is a content protection scheme ensuring that diffusion model outputs cannot be maliciously manipulated, i.e., maintaining output/content integrity.