Exploring Adversarial Attacks against Latent Diffusion Model from the Perspective of Adversarial Transferability
This work addresses the incremental challenge of enhancing adversarial defenses for latent diffusion models, which is relevant for protecting against malicious image editing and copyright violations.
The paper tackles the problem of improving adversarial attacks against latent diffusion models by analyzing how surrogate model properties affect attack performance, finding that selecting smoother surrogate models substantially enhances adversarial transferability.
Recently, many studies utilized adversarial examples (AEs) to raise the cost of malicious image editing and copyright violation powered by latent diffusion models (LDMs). Despite their successes, a few have studied the surrogate model they used to generate AEs. In this paper, from the perspective of adversarial transferability, we investigate how the surrogate model's property influences the performance of AEs for LDMs. Specifically, we view the time-step sampling in the Monte-Carlo-based (MC-based) adversarial attack as selecting surrogate models. We find that the smoothness of surrogate models at different time steps differs, and we substantially improve the performance of the MC-based AEs by selecting smoother surrogate models. In the light of the theoretical framework on adversarial transferability in image classification, we also conduct a theoretical analysis to explain why smooth surrogate models can also boost AEs for LDMs.