Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in [1].

Adversarial Perturbations Cannot Reliably Protect Artists From Generative AI

Authors: Robert Hönig, Javier Rando, Nicholas Carlini, Florian Tramèr

ICLR 2025

| Reproducibility Variable | Result | LLM Response |
| --- | --- | --- |
| Research Type | Experimental | In this work, we evaluate the effectiveness of popular protections with millions of downloads and show they only provide a false sense of security. We find that low-effort and off-the-shelf techniques, such as image upscaling, are sufficient to create robust mimicry methods that significantly degrade existing protections. Through a user study, we demonstrate that all existing protections can be easily bypassed, leaving artists vulnerable to style mimicry. We caution that tools based on adversarial perturbations cannot reliably protect artists from the misuse of generative AI, and urge the development of alternative protective solutions. |
| Researcher Affiliation | Collaboration | Robert Hönig (ETH Zurich), Javier Rando (ETH Zurich), Nicholas Carlini (Google DeepMind), Florian Tramèr (ETH Zurich) |
| Pseudocode | No | The paper describes methods and processes in text, such as in Section 4.3 'OUR ROBUST MIMICRY METHODS' and Appendix I 'ROBUST MIMICRY METHODS', but does not present any formal pseudocode or algorithm blocks. |
| Open Source Code | Yes | Code and images released at https://github.com/ethz-spylab/robust-style-mimicry. |
| Open Datasets | Yes | We select the artists A from contemporary and historical artists: We select 5 contemporary artists from ArtStation and 5 historical artists from the WikiArt dataset (Tan et al., 2019). We found 2 of the 4 artists used by Glaze and included them in our evaluation. ... Unfortunately, the LAION-5B dataset (Schuhmann et al., 2022) used to train SD 2.1 was taken offline (Cole, 2023), so we are unable to perform this verification. |
| Dataset Splits | No | We collate 10 image sets $X_A : A \in A$ from 10 different artists A. Each image set $X_A$ contains 18 images that we choose manually to follow a consistent style $S_A$. ... We perform robust mimicry by finetuning on 18 different images per artist. We then generate images for 10 different prompts. The paper specifies the number of images used for finetuning (18 per artist) but does not explicitly describe traditional training/test/validation splits of these images for the style mimicry task itself, as evaluation is performed via a user study on generated images. |
| Hardware Specification | Yes | Table 4: Compute resources for our experiments. ... Finetuning: RTX A6000, EPYC 7742 ... Image generation: RTX A6000, EPYC 7742 ... Anti-DB: RTX A6000, EPYC 7742 ... Glaze: T4, 16 vCPUs on GCP ... Mist: RTX A6000, EPYC 7742 ... IMPRESS++: RTX A6000, EPYC 7742 ... DiffPure: RTX A6000, EPYC 7742 ... Noisy Upscaling: RTX A6000, EPYC 7742 |
| Software Dependencies | No | We use Stable Diffusion version 2.1 (Stability AI, 2022)... We use an off-the-shelf Hugging Face finetuning script for Stable Diffusion (von Platen et al., 2024)... We use the DPM-Solver++(2M) Karras (Lu et al., 2022; Karras et al., 2022) scheduler... The paper mentions specific software components like Stable Diffusion 2.1 and a specific scheduler, but does not provide version numbers for general programming languages (e.g., Python) or common machine learning libraries (e.g., PyTorch, TensorFlow, CUDA). |
| Experiment Setup | Yes | Concretely, we use 2,000 training steps, batch size 4, learning rate $5 \times 10^{-6}$, and set the remaining hyperparameters to their default values. We pair each image x with the prompt $P_x = C_x +$ by w, where w = nulevoy 10. ... We use the DPM-Solver++(2M) Karras (Lu et al., 2022; Karras et al., 2022) scheduler for 50 steps to generate images of size $768 \times 768$. ... We set the number of iterations to $N = 50$, the PGD perturbation budget to $p = 8/255$, the PGD step size to $\alpha = 5 \times 10^{-3}$, and the number of PGD steps per ASPL iteration to $N_{PGD} = 6$. |