DiffVax: Optimization-Free Image Immunization Against Diffusion-Based Editing

Conference: ICLR 2026 arXiv: 2411.17957 Code: Available (Project Webpage) Area: Diffusion Models / Security Keywords: Image immunization, adversarial perturbation, diffusion model editing protection, feed-forward network, video protection

TL;DR

DiffVax trains a feed-forward immunizer (UNet++) that generates imperceptible adversarial perturbations for arbitrary images in a single forward pass (~70ms), causing diffusion-based malicious editing to fail. Compared to prior per-image optimization methods, DiffVax achieves a 250,000× speedup and is the first to extend immunization to video content.

Background & Motivation

Background: The editing capabilities of diffusion models (e.g., Stable Diffusion) are rapidly advancing. Tools such as inpainting and InstructPix2Pix enable photorealistic image manipulation, which malicious users exploit to generate deepfakes, non-consensual intimate imagery, and other harmful content.

Limitations of Prior Work: Existing image immunization methods (PhotoGuard, DAYN) require running projected gradient descent (PGD) optimization independently for each image, consuming 10 minutes to several hours per image and demanding over 15GB of GPU memory, with no ability to generalize to unseen content.

Key Challenge: Effective immunization requires backpropagating through diffusion models to craft adversarial perturbations, yet the per-image optimization paradigm fundamentally cannot scale to large-scale scenarios such as social media platforms, where millions of images and videos are uploaded daily.

Goal: (a) Transform immunization from per-image optimization to feed-forward inference; (b) ensure perturbations remain imperceptible while causing editing to fail; (c) maintain robustness against counter-attacks (JPEG compression, denoising).

Key Insight: A image-conditioned perturbation generator is trained to learn "how to strategically place noise" from a large collection of training samples, rather than optimizing from scratch for each input. This design generalizes to unseen images, unseen prompts, and even video frames.

Core Idea: Replace per-image optimization with an end-to-end trained UNet++ immunizer that learns to generate low-frequency, imperceptible, and highly disruptive perturbations via a dual objective \(\mathcal{L}_{\text{noise}} + \mathcal{L}_{\text{edit}}\).

Method

Overall Architecture

Training proceeds in two stages. In Stage 1, the immunizer \(f(\cdot;\theta)\) generates a perturbation \(\epsilon_{\mathrm{im}}\) for an input image \(\mathbf{I}\); the perturbation is multiplied by mask \(\mathbf{M}\) and added to the image to obtain the immunized image \(\mathbf{I}_{\mathrm{im}}\). In Stage 2, the immunized image is passed through a frozen SD Inpainting model for editing, and the editing-failure loss is computed. At inference time, only a single forward pass through Stage 1 is required.

Key Designs

1. UNet++ Immunizer:

   • Function: Maps an input image to an adversarial perturbation map.
   • Mechanism: Employs UNet++ rather than a standard U-Net; its nested dense skip connections provide richer multi-scale feature aggregation, empirically yielding better training stability for the notoriously unstable task of adversarial noise prediction.
   • Design Motivation: Generating precise perturbations requires multi-level information collaboration.

2. Decoupling of Training and Editing:

   • Function: The immunization mask and the editing mask need not match between training and inference.
   • Mechanism: The immunizer takes no prompt as input (experiments confirm that the noise is prompt-agnostic) and is not tied to any specific mask shape.
   • Design Motivation: Addresses the vulnerability in prior methods where adversaries can bypass protection by using a different mask.

3. Data Construction:

   • Uses 1,000 portrait images from the CCP dataset, masks generated by SAM, and diverse background-editing prompts generated by ChatGPT (2,000 prompts in total).
   • Split 80/20 into seen/unseen subsets.

Loss & Training

\[\mathcal{L} = \alpha \cdot \mathcal{L}_{\text{noise}} + \mathcal{L}_{\text{edit}}\]

• \(\mathcal{L}_{\text{noise}} = \frac{1}{\text{sum}(\mathbf{M})} \|(\mathbf{I}_{\mathrm{im}} - \mathbf{I}) \odot \mathbf{M}\|_1\): ensures perturbation imperceptibility.
• \(\mathcal{L}_{\text{edit}} = \frac{1}{\text{sum}(\sim\mathbf{M})} \|\text{SD}(\mathbf{I}_{\mathrm{im}}, \sim\mathbf{M}, \mathcal{P}) \odot (\sim\mathbf{M})\|_1\): forces the edited region output toward all-black, indicating complete editing failure.

Training runs for 350 epochs with batch size 5, Adam optimizer at lr=1e-5, \(\alpha=4\), approximately 22 hours on an A100 in 16-bit precision.

Key Experimental Results

Main Results

Method	SSIM↓ (seen/unseen)	PSNR↓ (seen/unseen)	SSIM(Noise)↑	CLIP-T↓	Runtime(s)↓	GPU(MiB)↓
PhotoGuard-E	0.558/0.565	15.29/15.63	0.956	31.69/30.88	207.0	9,548
PhotoGuard-D	0.531/0.523	14.70/14.92	0.978	29.61/29.27	911.6	15,114
DiffusionGuard	0.551/0.556	14.37/14.71	0.965	26.98/27.10	131.1	6,750
DiffVax	0.510/0.526	13.96/14.32	0.989	23.13/24.17	0.07	5,648

Robustness Against Counter-Attacks

Method	SSIM↓ (w/ Denoiser)	SSIM↓ (w/ JPEG 0.75)	SSIM↓ (w/ IMPRESS)
PG-D	0.702/0.709	0.664/0.674	0.578/0.563
DiffusionGuard	0.708/0.719	0.680/0.684	0.604/0.595
DiffVax	0.552/0.565	0.522/0.538	0.488/0.500

Key Findings

• DiffVax learns low-frequency perturbations (rather than high-frequency scattered noise), making it inherently resistant to JPEG compression and denoisers, which primarily remove high-frequency components.
• The average \(L_1\) perturbation magnitude is only 0.001, far smaller than baselines (0.003–0.012), indicating that the advantage lies in the strategic placement of noise rather than its magnitude.
• In a user study (67 participants), DiffVax achieves an average rank of 1.64 (least resembling the original edited output), substantially outperforming PG-D at 2.63.
• Video immunization: a 64-frame video is processed in 0.739 seconds versus 64 hours for PG-D.

Highlights & Insights

• Proof of Feasibility for the Feed-Forward Paradigm: The work demonstrates that the adversarial perturbation space possesses a learnable structure that can be generalized to unseen content via a neural network, eliminating the need for per-image optimization.
• Low-Frequency Perturbations = Robustness: The \(L_1\) constraint in \(\mathcal{L}_{\text{noise}}\) naturally guides the model to learn a low-frequency perturbation distribution, which is both more efficient and more resistant to counter-attacks than a fixed \(L_\infty\) budget.
• Pioneer of Video Immunization: All prior methods are computationally intractable for video; DiffVax's efficiency makes this direction feasible for the first time.

Limitations & Future Work

• Protection degrades in scenes with many small objects, where noise is spread too thinly.
• Protection may partially fail when the immunization mask differs greatly from the editing mask.
• Cross-model transferability is limited (SD v1.5 → v2 is effective but imperfect).
• Training data consists of only 1,000 portrait images; extending to more diverse domains (animation, digital art) is an important future direction.

Related Work & Insights

• vs. PhotoGuard: PG performs per-image PGD optimization, which is ~3,000× slower, and its high-frequency noise is easily removed by JPEG compression; DiffVax learns strategic low-frequency perturbations.
• vs. DiffusionGuard: DG extends PG with augmented mask optimization but remains a per-image paradigm at 131s/image; DiffVax processes each image in 0.07s.
• vs. DAYN: An attention-based semantic attack that reduces computation but likewise cannot generalize.
• Insights: The feed-forward adversarial perturbation generator paradigm is transferable to other security scenarios (e.g., audio deepfake protection).

Rating

• Novelty: ⭐⭐⭐⭐ The feed-forward immunizer paradigm is novel, though the core idea (training a noise generator) has precedent in the adversarial attack literature.
• Experimental Thoroughness: ⭐⭐⭐⭐⭐ Comprehensive coverage including ablations, counter-attack evaluations, cross-model transfer, user studies, video, and multiple editing tools.
• Writing Quality: ⭐⭐⭐⭐ Clear structure with rich figures and tables.
• Value: ⭐⭐⭐⭐ Highly practical; the 250,000× speedup makes large-scale deployment feasible.

Related Papers

• [ICCV 2025] MotionFollower: Editing Video Motion via Lightweight Score-Guided Diffusion
• [CVPR 2026] On the Robustness of Diffusion-Based Image Compression to Bit-Flip Errors
• [ICLR 2026] Modality-free Graph In-context Alignment
• [ACL 2026] LLM Prompt Duel Optimizer: Efficient Label-Free Prompt Optimization
• [ACL 2026] CadLLM: Improving the Throughput of Diffusion-based LLMs via Training-Free Confidence-Aware Calibration