Epistemic Uncertainty for Generated Image Detection

We thank the reviewer for the thorough review and constructive feedback. We address each concern below.

Q1. Lack of standard uncertainty quantification baselines. For instance, the authors could use a pretrained ImageNet classifier and use the maximum predicted probability (or logit), or the entropy as a confidence indicator. Without this, it is hard to know whether the WePe method based on weight perturbation is necessary.

We express our gratitude for the reviewer’s insightful suggestion. Two primary considerations preclude the adoption of conventional metrics for assessing confidence levels in our study:

• In the context of detecting AI-generated images, image categories is diverse and inherently open-ended. Classifiers trained on the ImageNet dataset—which encompasses a finite set of categories—can only yield reliable confidence scores for in-distribution categories. For images beyond this taxonomy—whether natural or generated—the confidence scores produced are unreliable.

• Standard image classifiers generate confidence scores that reflect their confidence in predicting object categories. However, the distinction between natural and generated images lies not in categorical differences but in attributes such as texture and structural patterns. Consequently, we opted for WePe over classifier outputs to estimate uncertainty.

To address the reviewer’s concerns, we conducted experiments using a ResNet18 model pretrained on ImageNet to differentiate between natural and generated images, employing maximum softmax probability (MSP) and entropy as confidence metrics. As demonstrated in the table below, these metrics exhibit suboptimal performance.

Thanks again for your insightful question. We have added the above explanations to our revision.

Q2. Not enough details on the data for the results and figures. If the natural images for ImageNet include the training data, then all other images would have very different features, even for natural images from validation set (because DINOv2 was trained on ImageNet train set). Because of the assumptions made, it is necessary to provide such details.

We express our gratitude for the reviewer’s valuable suggestion. For Figures 1 and 3, natural images are sourced from the LSUN dataset, and generated images are produced using the ProGAN model. For Figure 3, natural images are sampled from the LSUN-Bedroom dataset, with generated images created by the following models: ADM, DDPM, iDDPM, StyleGAN, Diffusion-Projected GAN, Projected GAN, and Unleashing Transformers.

Q3. Are you sure that "DINOv2 is exclusively pre-trained on natural images" (line 172)? In my opinion it is impossible to really know, and this assumption will likely be even less true with more recent models because generated images are more and more present online.

Thanks for pointing out this potentially confusing statement. The original statement is overly absolute. The DINOv2 model leverages multiple curated datasets composed of natural images. Additionally, it incorporates data sourced from the internet that aligns with these curated datasets, potentially introducing some AI-generated images. However, due to the known issue of mode collapse [1], few foundational models intentionally include a substantial proportion of generated images during training. Consequently, generated images remain a long-tail component relative to natural images. Nevertheless, as generative models advance, the increasing prevalence of generated images online may contaminate training datasets for new models. To address this, we propose precise calibration to effectively widen the uncertainty gap between natural and generated images. The efficacy of this approach is substantiated by our experimental results.

Reference:

[1]: AI models collapse when trained on recursively generated data. Shumailov et al. Nature 2024

We thank the reviewer for the thorough review and constructive feedback. We address each concern below.

Q1. Some important results are delegated to the Appendix, which may hinder the overall flow of the paper.

Thank you for your kind suggestion. We agree with your point, and, in the revised version, we have reorganized the tables to enhance the clarity and flow of the paper.

Q2. It is not entirely clear what statistical analysis has been carried out on the reported results, and the paper lacks confidence intervals in the main tables.

Thanks for your constructive suggestion. Since the perturbations are random, the results of our method are the average values under five random seeds. In Figure 9, we report the error bars of our method. For clarity, we have added this information to the revised table. For other methods, since some of the results were obtained directly from related papers, we did not report this information.

Q3. The related work on Uncertainty Quantification feels somewhat limited in scope.

In response to your valuable suggestion, we have expanded the discussion on uncertainty estimation in the related work section to provide a more comprehensive and rigorous analysis.

Blundell et al. (2015) introduce Bayes by Backprop, a method for estimating weight uncertainty in neural networks by modeling the posterior distribution over weights using variational inference, improving model generalization and robustness. Similarly, Ferrante et al. (2024) leverage weight perturbation techniques to estimate neural network uncertainty, demonstrating improved classification accuracy through robust uncertainty quantification. Pearce et al. (2018) explore distribution-free uncertainty estimation, using conformal prediction and quantile regression to estimate bounds on aleatoric uncertainty. Chan et al. (2025) introduce hyper-diffusion models, allowing to accurately estimate both epistemic and aleatoric uncertainty with a single model.

Q4. Comments on typos.

Thank you for your careful review! We have carefully revised all typos.

Q5. Possible notation inconsistencies and results inconsistencies.

Thank you for pointing out these issues! We have revised these inconsistencies in the revised version.

Q6. Clarity improvements.

We have incorporated a discussion on PatchCraft, FatFormer, and DRCT in the related work section and revised the title from "Robustness to Perturbations" to "Robustness to Image Perturbations" for greater clarity.

Q7. Given that epistemic uncertainty captures the lack of knowledge about a distribution, wouldn’t it be beneficial to also consider aleatoric uncertainty—especially if the generated distribution is misaligned with the natural one? Additionally, should domain uncertainty (often considered a third type of uncertainty related to OOD data) be taken into account in this context?

We appreciate your insightful feedback. Aleatoric uncertainty quantifies the inherent noise within observational data. Given the distinct data distributions of natural and generated images, their aleatoric uncertainties may differ, potentially serving as a discriminative feature to distinguish between them. Domain uncertainty, arising from shifts in data distribution, may exhibit effects comparable to those of epistemic uncertainty.

Q8. In Equation (13), since the expression is an upper bound, could the authors elaborate on its implications? In particular, how do you ensure (or to what extent can we expect) that it provides a reliable basis for ranking the instances?

In formula 13, the inequality is obtained through the Cauchy-Schwarz inequality, and we can explore the validity of the upper bound by calculating the difference between the two sides of the inequality. We define the difference as:

$\triangle = ||f\left(\mathbf{x} ; \theta_k\right)-\frac{1}{n} \sum_j^n f\left(\mathbf{x} ; \theta_j\right)||^2 \cdot ||f\left(\mathbf{x} ; \theta_t\right)||^2 - ||(f\left(\mathbf{x} ; \theta_k\right)-\frac{1}{n} \sum_j^n f\left(\mathbf{x} ; \theta_j\right)) \cdot (f\left(\mathbf{x} ; \theta_t\right))||^2$

Thus, the difference $\triangle$ can be written as:

where $\theta$ is the angle between $f\left(\mathbf{x} ; \theta_t\right)$ and $f\left(\mathbf{x} ; \theta_k\right)-\frac{1}{n} \sum_j^n f\left(\mathbf{x} ; \theta_j\right)$.

And finally, we obtain the following expression:

Using the trigonometric identity, we have:

This result indicates that the smaller the angle between $f\left(\mathbf{x} ; \theta_k\right)-\frac{1}{n} \sum_j^n f\left(\mathbf{x} ; \theta_j\right)$ and $f\left(\mathbf{x} ; \theta_t\right)$, the tighter the upper bound. In our experiment, the perturbation applied to the model is extremely small, causing the image features to remain virtually unchanged, resulting in an extremely weak deviation between $f\left(\mathbf{x} ; \theta_k\right)-\frac{1}{n} \sum_j^n f\left(\mathbf{x} ; \theta_j\right)$ and $f\left(\mathbf{x} ; \theta_t\right)$, thereby enabling the upper bound to provide a reliable basis for ranking the instances.

I appreciate the effort the authors made in addressing my review. The revisions regarding formatting, typos, and inconsistencies in notation and results (Q1, Q4, Q5, Q6) are welcome, and I believe the paper is now more readable.

However, I still have concerns about the statistical analysis presented, particularly in relation to Figure 9 (Q2). While the rebuttal mentions that the figure shows error bars derived from five runs of your method, it remains unclear what exactly is being represented. I attempted to reconcile the means shown in the tables with the points in the figure, but I was unable to clearly understand the correspondence. Additionally, the source and nature of the reported variance are not sufficiently explained. I understand that for baseline methods taken from related literature it may not be possible to include variance, but for your own method, it would be important to show the error bars for all metrics wherever applicable. Ideally, this should be done not only in graphical form (as in Figure 9), but also explicitly in tabular form, so the reader can interpret the results with more confidence. A clarification of what exactly is shown in Figure 9 and how it aligns with the rest of the results would be very helpful.

The additional references you included on UQ (Q3) are more adequate to the scope of the paper. These are references presenting methods that work on the model’s weights, leveraging their variations to measure uncertainties. This motivates better your method.

Regarding the answer to Q7 on aleatoric and domain uncertainty, while the distinction between types of uncertainty is well outlined and their sources are acknowledged, the response does not elaborate on how these forms of uncertainty could be incorporated into the proposed method.

Finally, the response to the question on the upper bound of uncertainty (Q8) is sufficiently rigorous and resolves the issue raised. I would suggest including this derivation in the Appendix so that readers can follow the reasoning in detail.

I think this a good paper and, in general, the rebuttal addressed my concerns. I will increase my score to accept.

We thank the reviewer for the thorough review and constructive feedback. We address each concern below.

Q1. The novelty is incremental in terms of core methodological innovation. While combining uncertainty estimation with weight perturbation for this task is insightful, it builds on well-known ideas from OOD detection and uncertainty quantification without introducing fundamentally new learning paradigms.

To address your concern, we have added the following clarifications in our revised paper, aiming to highlighting the distinct contributions of our work compared to OOD detection and uncertainty quantification methods:

• Contrast with OOD Detection: Conventional OOD detection [1,2] usually relies on Maximum Softmax Probability (MSP) scores, exploiting fixed ID categories to identify OOD samples with low probabilities. In contrast, AI-generated detection involves diverse, unbounded categories, rendering MSP scores ineffective. WePe introduces a novel uncertainty estimation approach tailored for detecting generated images, achieving robust performance where traditional OOD methods falter.

• Contrast with Uncertainty Quantification: Standard techniques like MC-Dropout and DeepEnsemble are ill-suited for DINOv2. Training multiple DINOv2 models for DeepEnsemble is computationally infeasible, and the absence of dropout in DINOv2 undermines MC-Dropout’s efficacy. Our proposed weight perturbation method overcomes these limitations, delivering a practical and effective uncertainty estimation tailored to DINOv2’s architecture, as validated by our experiments.

These advancements position our approach as a pioneering solution, adeptly addressing the unique demands of AI-generated image detection with superior adaptability and performance.

Q2. The method relies heavily on the assumption that future generative models will still induce detectable uncertainty gaps; while acknowledged by the authors, this limitation poses a potential risk to long-term applicability.

We sincerely appreciate your insightful feedback. We acknowledge the potential limitation in assuming that future generative models will consistently produce detectable uncertainty gaps. However, this assumption lies in the fact that uncertainty approaches can detect the distribution shifts. Thus, these approaches are expected to detect the distribution discrepancy between natural and generated images. The potential failure case would be that future models generate images causing little distribution shift from natural images. In this context, it is hard to ensure whether human beings can identify these generated images.

Q3. The experiments could include broader comparison with more recent detection frameworks or more diverse pre-trained models (e.g., stronger multimodal models beyond CLIP and BLIP).

We appreciate your kind suggestion. To further validate the robustness of WePe, we evaluated its performance using advanced multimodal models, namely SigLIP-So400m-patch16-256 [3] and InternViT-6B-224px [4]. As presented in the table below, WePe demonstrates strong performance across these models, affirming its effectiveness and generalizability.

Q4. Could you provide more insights (e.g., failure case examples) to illustrate how the weight perturbation affects the feature space for natural vs. generated images?

We appreciate your insightful suggestion. WePe leverages the differential epistemic uncertainty exhibited by pre-trained models, such as DINOv2, when processing natural versus generated images to differentiate between them. Specifically, DINOv2, having been trained on an extensive dataset of natural images, demonstrates lower epistemic uncertainty for such images. Images that diverge from the distribution of the training dataset—despite not being generated by a generative model—tend to elicit higher uncertainty from DINOv2, leading to their misclassification as generated images. In the revised manuscript, we visualized the feature shifts in DINOv2’s representations for a set of cartoon images, which were not produced by generative models, before and after weight perturbation. These images, due to their deviation from the training natural distribution, exhibited significant feature shifts post-perturbation, rendering them indistinguishable from generated images in our analysis.

Q5. Regarding computational cost, the author mention that WePe requires two forward passes. Could you clarify whether any optimizations (e.g., batching, parallelization) were applied in your reported efficiency measurements, and how the method scales to larger datasets?

We appreciate your kind suggestion. To evaluate computational efficiency, we adhered to standard testing protocols, utilizing a dataloader for parallel computation. For each batch of samples, we first extract features using the original model, followed by feature extraction with the perturbed model, necessitating two forward passes on a single GPU. For large-scale datasets, we can employ two GPUs: one to compute features from the original model and another for the perturbed model. This configuration enables the acquisition of prediction results for each sample within the duration of a single forward pass, enhancing computational efficiency.

Q6. Have you considered whether the proposed weight perturbation technique could be applied dynamically (e.g., with adaptive perturbation magnitudes) or combined with input-space perturbations for further performance gains?

Thank you for your inspiring question. Implementing adaptive perturbation may necessitate training an additional perceptron to determine the appropriate perturbation amplitude, which would incur additional computational overhead. As an alternative, we propose perturbing the model multiple times with varying amplitudes and computing the average feature values to approximate the effect of adaptive perturbation. This approach, as demonstrated in the table below, enhances the performance of WePe. Furthermore, integrating this method with input perturbation also improves WePe's performance.

Reference:

[1]: DICE: Leveraging Sparsification for Out-of-Distribution Detection. Sun et al. ECCV 2022

[2]: Extremely Simple Activation Shaping for Out-of-Distribution Detection. Djurisic et al. ICLR 2023

[3]: SigLIP 2: Multilingual Vision-Language Encoders with Improved Semantic Understanding, Localization, and Dense Features. Tschannen et al. arXiv 2025

[4]: Internvl: Scaling up vision foundation models and aligning for generic visual-linguistic tasks. Chen et al. CVPR 2024

We thank the reviewer for the thorough review and constructive feedback. We address each concern below.

Q1. Since the method fundamentally relies on detecting distributional shifts from the training data of pre-trained models, it may exhibit elevated uncertainty for legitimate natural images that differ from the training distribution due to factors such as varying image resolutions, color-space conversions, or domain shifts. This could lead to false positive detections where genuine natural images are incorrectly classified as AI-generated. The method lacks mechanisms to differentiate between uncertainty arising from AI generation versus uncertainty from other distributional mismatches, potentially limiting its reliability in real-world applications where input images may come from varied and unpredictable sources.

We appreciate your insightful comments. WePe leverages heightened epistemic uncertainty arising from distribution shifts to differentiate between natural and AI-generated images. However, natural images that diverge from the training distribution may be misclassified as generated. To mitigate this challenge, we made two efforts in our paper:

• We select DINOv2 as the feature extractor, as its training on a diverse and extensive dataset of natural images ensures a broad and inclusive training distribution, encompassing a wide range of natural image variations.

• We further amplify the uncertainty induced by AI generation through confidence calibration, enhancing the robustness of our detection approach. Specifically, to enhance the differentiation of uncertainty induced by AI-generatation, we fine-tune the model using a dataset comprising both natural and generated images. This approach aims to amplify the sensitivity of generated images to model perturbations while preserving the robustness of natural images against such perturbations. Consequently, this methodology widens the uncertainty gap between the model's responses to natural and generated images, thereby improving the distinguishability of their respective outputs.

Q2. The method's success appears to be reliant on the specific properties of DINOv2. The paper would be more impactful if it provided a deeper analysis into which properties of DINOv2 are crucial for this task to establish a more general principle.

We appreciate your suggestion. We attribute DINOv2’s superior performance in distinguishing natural images from generated images, in part, to its self-supervised learning conducted exclusively on images, enabling robust capture of visual features. In our paper, we also evaluated WePe using CLIP as the feature extractor, where it exhibited reduced performance compared to DINOv2. This may result from CLIP’s reliance on text supervision during training, which results in image features that are predominantly semantic. In contrast, the distinction between natural and generated images hinges primarily on low-level features no semantic information, which DINOv2 captures more effectively owing to its image-only self-supervised training paradigm.

Q3. How does WePe differentiate between epistemic uncertainty arising from AI generation versus uncertainty from other natural distributional shifts (e.g., domain changes, resolution variations, or color-space differences)? Could you discuss potential strategies to mitigate confusion with non-generative OOD samples?

Thanks for your constructive comments. We believe the following explanations would significantly improve the quality of our work. To alleviate the mentioned challenge, we first select DINOv2 as the feature extractor, as its training on a diverse set of natural images maximizes the inclusivity of the natural distribution, thereby reducing the likelihood of misclassifying natural distribution shifts. Second, when training is feasible, we further enhance the detection of AI-induced distribution shifts through distribution calibration, optimizing the method’s ability to distinguish generated images from natural ones.

Q4. If an attacker has white‐box access, they could conceivably craft images whose feature representations remain insensitive to weight perturbations, defeating the core detection signal. What defenses might mitigate such targeted attacks?

We appreciate your inspiring comments. We believe this would be a promising direction in our community.

In this regard, input randomization [1] serves as a potential defense against white-box adversarial attacks. During inference, applying random transformations to the input image, such as varying the image resolution, can disrupt the specific structure of adversarial perturbations, thereby enhancing the robustness of our method.

Meanwhile, we find that advanced diffusion models provide a promising solution to mitigate adversarial attacks. However, this in turn leads to a further question: once a natural image is reconstructed by a diffusion model, should the reconstructed image be considered real or generated in our detection problem?

We are looking forward to your further inspiring feedback in this promising direction.

Reference:

[1]: Mitigating adversarial effects through randomization. Xie et al. ICLR 2018

Thank you for the detailed rebuttal and the additional experiments in response to other reviewers, which have addressed my concerns—I will be maintaining my score.