defense 2026

Immune2V: Image Immunization Against Dual-Stream Image-to-Video Generation

Zeqian Long 1, Ozgur Kara 1, Haotian Xue 2, Yongxin Chen 2, James M. Rehg 1

0 citations

Published on arXiv: 2604.10837

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

Produces substantially stronger and more persistent generation degradation than adapted image-level baselines under the same imperceptibility budget on modern dual-stream I2V models

Immune2V

Novel technique introduced


Image-to-video (I2V) generation has the potential for societal harm because it enables the unauthorized animation of static images to create realistic deepfakes. While existing defenses effectively protect against static image manipulation, extending these to I2V generation remains underexplored and non-trivial. In this paper, we systematically analyze why modern I2V models are highly robust against naive image-level adversarial attacks (i.e., immunization). We observe that the video encoding process rapidly dilutes the adversarial noise across future frames, and the continuous text-conditioned guidance actively overrides the intended disruptive effect of the immunization. Building on these findings, we propose the Immune2V framework which enforces temporally balanced latent divergence at the encoder level to prevent signal dilution, and aligns intermediate generative representations with a precomputed collapse-inducing trajectory to counteract the text-guidance override. Extensive experiments demonstrate that Immune2V produces substantially stronger and more persistent degradation than adapted image-level baselines under the same imperceptibility budget.


Key Contributions

  • Systematic analysis showing I2V models are robust to naive image-level adversarial attacks due to temporal noise dilution and text-guidance override
  • Immune2V framework enforcing temporally balanced latent divergence at encoder level to prevent signal dilution across frames
  • Alignment of intermediate generative representations with collapse-inducing trajectories to counteract text-conditioned guidance

🛡️ Threat Analysis

Input Manipulation Attack

Proposes adversarial perturbations added to images at the input level to disrupt I2V model inference, causing generation failures — this is an adversarial attack on generative models to prevent their misuse.


Details

Domains
vision, multimodal, generative
Model Types
diffusion, multimodal
Threat Tags
inference_time, digital
Applications
image-to-video generation, deepfake prevention, unauthorized image animation