A research team led by Virginia Tech cybersecurity expert Bimal Viswanath has discovered a significant blind spot in today’s image protection technologies designed to prevent malicious actors from stealing online content for unauthorized artificial intelligence training, style copying, and deepfake manipulation.
The research team found that attackers can break existing security using off-the-shelf artificial intelligence (AI) models and simple commands. Additionally, “there is currently no reliable, mathematically guaranteed way to protect publicly posted images by users from attackers using off-the-shelf GenAI models,” Viswanath said.
The work was presented at the 4th IEEE Conference on Secure and Dependable Machine Learning in Munich, Germany. Authors include Viswanath, doctoral students Xavier Preimling and Sifat Muhammad Abdullah, assistant professor Peng Gao and Murtuza Jadriwala of the University of Texas at San Antonio, and Gunjan Barde and Mainak Mondal of the Indian Institute of Technology, Kharagpur.
As AI tools become more powerful and accessible, this study highlights the growing need for stronger cybersecurity, trusted AI, privacy, and digital forensics protections.
GenAI makes fraud easier
Until now, stripping these protections required purpose-built attacks tailored to each scheme. That barrier made it harder for bad actors to reuse authentic content for deepfakes, facial identity theft, or artistic style imitation.
“However, our researchers used today’s off-the-shelf image-to-image generative AI models and simple text prompts to easily and effectively remove these various protections,” Viswanath said.
They demonstrated this security weakness through eight case studies across six diverse protection schemes. This vulnerability impacts a wide range of defenses, including perturbations aimed at protecting specific semantic properties such as a person’s facial identity, invisible “protection noise” applied through the AI’s latent space, and robust protections specifically designed to withstand downstream fine-tuning tasks.
“Our general-purpose attack not only evades these defenses, but actually outperforms existing specialized attacks while preserving the usefulness of the imagery for the adversary,” Viswanath said.
Competing to solve growing problems
This research exposes significant and pervasive vulnerabilities in the current landscape of image protection, showing that adding imperceptible protection noise to images is no longer sufficient to thwart data scrapers and counterfeiters.
“This is particularly concerning because current security practices can provide a false sense of security,” Viswanath said. “We urgently need to develop robust defenses and establish that future protection mechanisms can defend against attacks from off-the-shelf generative AI models.”
This means the cybersecurity community needs to completely re-evaluate its approach to protecting visual content.
“Future protection mechanisms will need to be not only evaluated against purpose-built attacks, but also rigorously benchmarked against simple text-guided attacks from widely available off-the-shelf GenAI models,” said Viswanath. “Researchers should also keep in mind that GenAI’s image-to-image models will continue to improve over time, potentially making defense efforts even more difficult.”
