GuardT2I: Defending Text-to-Image Models from Adversarial Prompts

To Reviewer EP5J

Thank you for your time and effort in reviewing our paper. We greatly appreciate your insightful comments and have addressed each point below.

---

[Weakness 1] .. lack of comparison with other defenses, such as SLD and concept removal methods[3].

---

[Answer 1] Thanks for recommending these necessary baselines. To address this concern, we have conducted additional experiments to compare GuardT2I with SLD-Medium, SLD-Strong, and ESD.

Experiment settings: SLD and ESD are designed to reduce the probability of NSFW generation. Therefore, we use the Attack Success Rate (ASR) as our evaluation metric. For GuardT2I, we set the threshold at FPR@5%, a common adaptation. As a concept-erasing method, ESD [3] only removes a single NSFW concept, "nudity," by fine-tuning the T2I model. This limitation means it fails to mitigate other NSFW themes such as violence, and illegal content. Consequently, our evaluation focuses solely on "adult content." All implementations of the baseline models and the tested adversarial prompts are released by their original papers.

Table R1. Comparison of Attack Success Rate with Concept-Erasing Methods (Lower is Better ↓)

Our results show that GuardT2I consistently outperforms other types of defenses across various adversarial attacks. We will include these comparisons in the revised manuscript to provide a more comprehensive evaluation of our approach.

---

[Weakness 2]: Settings of Table 6 are not clearly explained.

---

[Answer 2] Thank you for pointing out the unclear point. Your understanding is correct. In Table 6, we report the best inference time of GuardT2I. The high-speed inference time of GuardT2I is due to its decoding technique. Specifically, the c$\cdot$LLM can use a range of decoding methods, with the Table 6 results reflecting a single-pass, full-sequence decoding. Although fast, this method might compromise quality as it ignores preceding words. Conversely, greedy decoding, which predicts tokens sequentially, provides better quality at the expense of speed. We include the inference time for greedy decoding in Table 6 (see Reviewer 1mLf Answer 2). The reported inference time is averaged over 1000 normal prompts, each containing an average of 12 tokens. Additionally, we use greedy decoding in other evaluation experiments.

---

[Weakness 3] ... Ring-A-Bell [4], and P4D attack [6], are not included... .

---

[Answer3] Thank you for your insightful suggestion. We've added an evaluation of GuardT2I on the necessary adversarial prompts in the expanded Table 2, now including Ring-A-Bell [4] and P4D [6]. It's important to note that QF-Attack primarily focuses on disabling T2I without considering high-quality NSFW generation; we will discuss this attack in the related work section. The best performance is highlighted in bold, and the runner-up is in italics.

Due to space limitations, we report the modified part of Table 2 as follows.

As demonstrated in the table, GuardT2I consistently outperforms baseline methods across most cases in both new adversarial prompt datasets. It achieves the highest average AUROC and AUPRC, underscoring its superior capability in defending against adversarial prompts. Notably, it also exhibits the lowest FPR at a TPR of 95%, indicating fewer false alarms while maintaining a high true positive rate. These results highlight GuardT2I's consistent and reliable performance across diverse adversarial scenarios. We will add the above results to our main paper.

We hope this extended evaluation addresses your concerns. Thank you for your insightful comments.

To Reviewer 1Dsg

Thank you for your time and effort in reviewing our paper. We greatly appreciate your insightful comments, which we have addressed point by point below.

---

[Weakness 1] Lacks evaluation and comparison on the standard text-to-image generation task. I am curious about the impact of GuardT2I on benign text prompts.

---

[Answer 1] Thank you for your insightful comment. We recognize the importance of evaluating GuardT2I on standard text-to-image generation tasks. To address this, we conducted additional experiments to assess the impact of GuardT2I on benign text prompts, focusing on image quality (FID), text alignment (CLIP-Score), and False Positive Rate.

We compared our approach with the concept-erasing defense methods ESD [11] and SLD [36], which aim to reduce the probability of generating NSFW images. Additionally, we reported the average Attack Success Rate (ASR) to indicate the effectiveness of the defense methods. The experimental settings are consistent with those in our main paper. Our results are summarized in the table below:

Table R2. GuardT2I’s image fidelity and text alignment. Bold font indicates the best performance, and italic indicates the second best.

GuardT2I maintains competitive FID scores and achieves the highest CLIP-Score, ensuring that image quality and text alignment remain unaffected in normal use cases. Additionally, its superior defense effectiveness demonstrates robustness against adversarial prompts.

Frequent misclassification of benign prompts as adversarial can frustrate normal users. Therefore, an ideal defensive method should achieve a low False Positive Rate (FPR) while correctly banning most adversarial prompts. In Table R3, we report the FPR@TPR95% of GuardT2I. As shown in the table, GuardT2I demonstrates decent performance.

Tabel R3. Comparison of Impacts on Normal Prompts with FPR@TPR95%. Bold font indicates the best performance, and italic indicates the second best.

---

[Question 1] I also want to know if the training dataset for GuardT2I includes adversarial prompts generated by methods like Sneakyprompt. How is the generalization of the trained LLM ensured ?

---

[Answer 2] Thank you for raising this question. The training dataset for GuardT2I does not include any adversarial prompts, making it an attack-agnostic defense framework. GuardT2I is trained solely on plain-text prompts.

The excellent generalization capability of GuardT2I is due to its use of text embeddings within T2I models for generation. We observed that for an effective adversarial attack, the text embedding of the adversarial prompt must closely resemble that of the corresponding plain-text target prompt. This similarity is a common characteristic of adversarial prompts.

GuardT2I leverages this insight by generating prompt interpretations directly on the text embeddings, thereby reconstructing the content of the target prompt associated with the adversarial prompt. Consequently, it demonstrates strong generalization ability across various types of adversarial attacks. We will enhance the clarity of this explanation in our main paper.

---

Thank you once again for your thoughtful and constructive feedback. Your comments have been instrumental in improving the quality of our work. We hope that our responses have adequately addressed your concerns.

To Reviewer 1mLf

---

[Weakness 1] ... it is important to evaluate the impact of the proposed solutions on normal use cases (e.g., image quality) ..., the potential metrics could be FID, etc.

---

[Answer 1]

We appreciate the reviewer's insightful comment. To address this concern, we conducted additional experiments to evaluate the performance of our method using the FID and CLIP-Score metrics to assess image quality and text alignment. We compared our approach to the concept-erasing defense methods ESD [11] and SLD [36], which aim to reduce the probability of generating NSFW images. Additionally, we reported the average Attack Success Rate (ASR) to indicate the effectiveness of the defense methods. The experimental settings are consistent with those in our main paper. Our results are summarized in the table below:

By maintaining competitive FID scores and achieving the highest CLIP-Score, GuardT2I ensures that image quality and text alignment are not adversely affected in normal use cases. Moreover, its superior defense effectiveness highlights its robustness against adversarial prompts.

[X2] I. Pavlov, A. Ivanov, and S. Stafievskiy. Text-to-Image Benchmark: A benchmark for generative models. September 2023.

---

[Weakness 2 & Question 1] ... I disagree with the claim in Section 5 that the proposed approach does not introduce additional inference time. ... What is the additional latency in running the proposed defenses?

---

[Answer 2]

We thank the reviewer for highlighting this unclear point. GuardT2I operate in parallel with T2I models. As long as GuardT2I's inference speed is faster than the image generation speed of the T2I model, it does not introduce additional latency from the user's perspective. Typically, generating an image with a T2I model requires 50 to 100 steps (e.g., 17.803s for SDv1.5 with 50 steps), while GuardT2I's inference time is at most 0.419s.

This process is illustrated in Figures 1(c) and 1(d), where GuardT2I can halt the diffusion steps of malicious prompts early. Detailed latency metrics for GuardT2I are reported in Table 6, which we have included below for reference.

Tabel 6. Comparison of Model Parameters and Inference Times

These results demonstrate that GuardT2I introduces no additional latency compared to the overall image generation process of T2I models. This ensures that the implementation of GuardT2I on commercial platforms will not significantly impact the user experience. We would like to provide further clarification on this issue in our main paper.

---

[Weakness 3] The claim that GuardT2I outperforms leading commercial solutions by a significant margin should be toned down, as Table 2 and Figure 5 indicate scenarios where baselines still perform on par with the proposed methods.

---

[Answer 3] Thank you for pointing out this unclear statement. Our intention was to highlight that GuardT2I generally outperforms the baselines on average, as demonstrated in the last two columns of Table 2. We acknowledge that there are scenarios, as indicated in Table 2 and Figure 5, where the baselines perform on par with our proposed method. We will refine this claim for clarity in the final version of our paper.

---

[Weakness 4] ... missed a key related work [X]...

---

[Answer 4] We appreciate the importance of including comprehensive related work in our paper. We will update the related work section to discuss RIATIG as a function-level adversarial attack for T2Is.

---

[Weakness 5 & Question 2] ... How is the approachable to infer the actual meaning of NSFW prompts correctly during inference, given it learns to reconstruct NSFW prompts during training?

---

[Answer 5]

Thank you for raising this concern. Our method effectively infers the true meaning of adversarial prompts due to the specific mechanism used in their generation. During the creation of adversarial prompts, an attacker sets a target NSFW prompt, such as "a completely naked man," or a target NSFW concept, like "nudity," as the optimization objective. The adversarial prompt is then designed to exclude explicit sensitive words while ensuring that its text embedding in the T2I's latent space closely resembles that of the target one, thereby achieving the desired attack effect.

Since our cLLM is trained on a readable, normal dataset, it tends to generate the target NSFW prompt when given the text embedding of an adversarial prompt, rather than simply reconstructing the adversarial prompt itself. This ensures our model can accurately reveal the true meaning behind adversarial prompts without inadvertently reconstructing them.

---

Thank you for recognizing our work! Your comments help us enhance our contribution.

To Reviewer 7kN6:

Thank you for the time and effort you have invested in reviewing our paper. We greatly appreciate your insightful comments, which we have addressed point by point below.

---

[Weakness 1] The effectiveness of the proposed method heavily relies on the performance of the c·LLM, which could be limited by the quality of its training data. The bias within the c.LLM could also lead to biased interpretations of prompts, such as scenes involving cultural background.

---

[Answer 1]

• The proposed c$\cdot$LLM within GuardT2I is a Large Language Model (LLM) pretrained on an extensive and diverse corpus. Therefore, it inherits a broad knowledge base, resulting in strong generalizability across various scenarios. This is evidenced by the results in Table 2, where our model outperforms classifier-based baselines.

• Additionally, T2I services such as Midjourney, DALL-E, and Leonardo.AI can fine-tune GuardT2I using the same dataset that trains the T2I models. This ensures that prompt interpretations generated by GuardT2I align closely with those of the T2I models, maintaining consistency and accuracy.

• We acknowledge that addressing biases and the quality of training data in LLMs is an ongoing challenge, even for widely-used models like GPT-4 and Gemini Pro. While tackling these challenges is beyond the scope of this paper, extensive research is being conducted in this area. Fortunately, GuardT2I is built upon LLM technology. Consequently, the strategies developed to mitigate biases and address uneven training data in LLMs can be effectively applied to enhance the performance and fairness of our model.

---

[Weakness 2] GuardT2I could lead to higher false positive rates where benign prompts are misclassified as adversarial. This could make the benign users sad.

---

[Answer 2]

• Rather than having a higher False Positive Rate (FPR), GuardT2I demonstrates a significantly lower FPR, even when compared to commercial defensive solutions. This is evidenced in the FPR@TPR95% section of Table 2, where compared to the second-best OpenAI Moderation, our GuardT2I reduces the False Rejection Rate (FRR) by 89.23%.

• This improvement is attributed to GuardT2I's unique approach as the first generative paradigm defensive framework. Unlike classifiers such as OpenAI Moderation, which make relatively ambiguous decisions at the category level, GuardT2I performs case-by-case assessments. It compares each input prompt with its corresponding prompt interpretation, thereby detecting malicious prompts more accurately without compromising performance on benign prompts.

---

[Question 1] What about the performance of GuardT2I on other T2I models like SD2.0, SD2.1, Midjourney, DALLE-3 and so on?

---

[Answer 3]

• We conduct experiments primarily on Stable Diffusion (SD) V1.5 due to its extensive adoption within the community and its status as a prototype for commercial T2I models. Since GuardT2I operates on the text-encoder embeddings of T2I models, SD V2.0 and V2.1, which employ the same text-encoder architecture as SD V1.5, should have similar performance on malicious prompts. Specifically, with the same text-encoder, the identification ability of GuardT2I is not affected by the diffusion models. Besides, GuardT2I's excellent performance on SD V1.5, combined with the inherent filtering of sexual content in SD V2.0 and V2.1, we believe GuardT2I will demonstrate even better effectiveness in preventing NSFW content generation in these versions.

• Regarding commercial models such as Midjourney and DALL-E, they have shown vulnerabilities to adversarial prompts like those from MMA-Diffusion and Sneakprompt. In contrast, GuardT2I has demonstrated strong defensive capabilities against these adversarial prompts. Consequently, integrating GuardT2I into these commercial models will significantly enhance their security, which is the primary objective of our proposed GuardT2I.

---

We would like to reemphasize the aforementioned points in our main paper and hope that our responses have adequately addressed your concerns. Thanks again for your time.