AdvI2I: Adversarial Image Attack on Image-to-Image Diffusion Models

Thank you for the insightful comments. Below, we thoroughly address each point with additional experiments and clarifications.

W1: Experiments mostly conducted in a white-box setting; limited effectiveness on SDv3.0.

A1: We have conducted additional black-box experiments to evaluate transferability across I2I models. Table 7 in manuscript shows strong black-box transferability from SDv1.5 to SDv2.0 and SDv2.1 (ASR of 80.5% and 84.0%, respectively; adaptive version: 73.5% and 77.5%), validating real-world applicability.

We also evaluated AdvI2I-Adaptive under defenses across multiple I2I models. The results demonstrate the attack persistence when transferring from SDv1.5 to (black-box) SDv2.0 and SDv2.1.

Moreover, we extended our evaluation to newer diffusion models. Transferring attacks from SDv1.5 to SDXL-Turbo and FLUX yields ASRs of 62.5% and 74.0%, respectively, further highlighting the method’s generalization capability across model architectures in black-box setting.

Regarding the explanations on reduced ASR on SDv3.0, please refer to our response Reviewer rvyv's A6.

W2: Evaluation against multimodal LLMs.

A2: We appreciate this valuable suggestion. Evaluating AdvI2I against a multimodal LLM defense (GPT-4o) significantly reduced ASR from 81.5% to 9.5%, demonstrating promising defensive potential. However, we observed practical limitations of directly using multimodel LLM as defense:

• High computational overhead: GPT-4o detection (2.94 sec/image) exceeds generation time (1.39 sec/image, SDv2.1 with 50 steps).
• Misclassifications due to limited visual understanding, even with carefully designed prompts ( (Detailed examples and failure cases are in this link.)).
• Potential vulnerability to adaptive adversarial attacks [1, 2].

Thus, while promising, multimodal LLM-based defenses currently face practical challenges. Improving these methods remains an important future research direction.

[1] Stop Reasoning! When Multimodal LLM with Chain-of-Thought Reasoning Meets Adversarial Image.

[2] On the Robustness of Large Multimodal Models Against Image Adversarial Attacks.

W3: Evaluation on online services.

A3: Thank you for this suggestion. We conducted additional experiments on Leonardo.Ai (Phoenix 1.0). Despite strong protections of the online platform, AdvI2I (34.5%) and AdvI2I-Adaptive (31.5%) still significantly outperform the baseline MMA (28.0%), further confirming our method’s real-world effectiveness.

W4: Limited evaluation dataset size and dependency on training data. Guidelines for dataset selection needed.

A4: We clarify that our training and test samples were randomly split without complete overlap. We have also verified sample transferability of AdvI2I on a completely unseen set (new images and prompts never seen during training) in the manuscript's Table 5.

For training dataset selection, we specifically chose non-NSFW images from the "sexy" category provided by the NSFW Data Scraper [1] because these images prominently feature people, closely aligning with real-world scenarios and attack contexts that attackers are likely to target.

Regarding the explanations on reduced ASR on SDv3.0, please refer to our response Reviewer rvyv's A6.

[1] https://github.com/alex000kim/nsfw_data_scraper?tab=readme-ov-file#nsfw-data-scraper

C1: Potential as a defensive method.

A5: We appreciate your insight. We tested our method’s defensive potential by using AdvI2I to embed a "wearing clothes" concept into images. Interestingly, this significantly reduced the ASR (96.5% → 24.5%) of explicit prompts (e.g., "Make the woman naked") on SDv1.5-Inpainting. This demonstrates AdvI2I’s broader conceptual versatility and suggests promising future defensive applications. We will include this discussion in our revised paper to suggest directions for future research.

Q1: Can diffusion-based purification counter the proposed method?

A6: Please see our response Reviewer FsK8's A1. Thank you.

Q2: The implementation of MMA-Diffusion used in this paper.

A7: MMA generates adversarial text prompts and corresponding images to bypass diffusion model safety filters. We replaced standard prompts in our dataset with MMA-generated adversarial prompts and optimised adversarial images from our test images.

Thank you for insightful feedback. We have conducted additional analyses and experiments to address your concerns.

W1: The robustness of the method against adversarial defense strategies, such as DiffPure.

A1: We have now evaluated the robustness of AdvI2I against DiffPure as suggested. DiffPure reduces the ASR for the SDv1.5-Inpainting model (nudity concept) from 82.5% to 72.5%, a modest decline indicating AdvI2I’s robustness to such purification defenses.

W2: Runtime comparisons or discussion on the computational costs of the proposed method.

A2: Thank you for highlighting this point. We conducted additional experiments comparing AdvI2I to MMA on SDv1.5-Inpainting, measuring ASR and runtime cost. The results clearly demonstrate AdvI2I’s efficiency advantage. AdvI2I maintains high ASR (82.5%) at an extremely low attack runtime (only 0.008 sec/image), demonstrating superior practical utility.

W3: More advanced versions of Stable Diffusion or other models like FLUX.

A3: We appreciate this valuable suggestion. We have now evaluated AdvI2I on recent advanced diffusion models, including SDXL-Turbo (incorporating a refiner block) and FLUX (using diffusion transformers). As summarized in table below, AdvI2I consistently exhibits strong generalization capabilities across these new models.

W4: The proposed attack requires a white-box setting with a safety checker.

A4: The safety checker we evaluated is widely adopted across diffusion models. However, to comprehensively assess black-box transferability, we additionally evaluated AdvI2I-Adaptive using an entirely different NSFW detector (MHSC [1]) as the safety checker. Results below confirm that AdvI2I-Adaptive achieves significantly higher transferability (41.0%) compared to MMA (20.5%), underscoring the generalization advantages provided by our learned adversarial noise generator.

W5: Clarify the distinction between AdvI2I-Adaptive and the Image-Modal Attack in MMA.

A5: The key differences are as follows:

• Attack Requirement: MMA’s adversarial image targets only the safety checker, and still requires an unsafe prompt to induce the diffusion model to generate NSFW content. This reliance makes it easier to defend against (see Table 2 in our manuscript). In contrast, AdvI2I-Adaptive requires only an adversarial image, which simultaneously fools both the diffusion model and the safety checker, without needing an unsafe prompt.
• Attack Method: MMA performs direct image-space optimization per input, while AdvI2I-Adaptive uses a generator to produce adversarial images conditioned on clean inputs. This makes our method more effective (see Table 9 in the manuscript) and more efficient (see A2 of Reviewer FsK8).

Q1: In line 15 of Algorithm 1, should it refer to Eq. 2 instead of Eq. 4 when not using AdvI2I-Adaptive?

A6: You are correct; line 15 of Algorithm 1 should reference Eq. 2 when describing the standard AdvI2I (non-adaptive version). We sincerely appreciate your careful observation and will correct this mistake.

Q2: How can SAM be used to defend your model similarly to MACE: Mass Concept Erasure in Diffusion Models? I believe applying SAM as a defense could effectively mitigate most attacks.

A7: We appreciate your insightful suggestion. However, we found that directly applying SAM to detect and mask NSFW content of generated images is ineffective. Specifically, SAM indiscriminately masks entire human bodies or clothes, regardless of actual NSFW content presence. In our validation with 200 non-NSFW images, SAM consistently produced masks inaccurately labeling human figures as containing nudity—even when explicitly prompted with specific sensitive body parts (e.g., "breasts," "genitalia") that were absent. This suggests SAM inherently attempts to mask areas matching textual prompts, regardless of content appropriateness, and struggles to accurately interpret abstract concepts such as "nudity". Consequently, using SAM as an effective defense would require methodological refinements, which we believe represent a valuable direction for future research.

We provide representative examples in this link.

Thank you again for these valuable comments. We will include these experiments and analyses in the revised version.

Thank you for the insightful comments and suggestions.

W1: Concerns regarding sample transferability.

A1: Our training and test samples were randomly split, meaning images are not entirely overlapping. We have also verified sample transferability of AdvI2I on unseen data (new images and prompts never seen during training) in manuscript's Table 5.

For the model transferability, manuscript's Table 7 shows that AdvI2I achieves high ASRs (80.5% on SDv2.0 and 84.0% on SDv2.1) when transferred from SDv1.5. Regarding the relatively lower ASR on SDv3.0, please see our explanation in response A6.

We also extended our evaluation to newer diffusion models. Results below highlighting the method’s transferability across model architectures.

W2: High adversarial noise intensity.

A2: We compared AdvI2I against baselines using a lower noise bound (16/255) on InstructPix2Pix. The results confirm that AdvI2I maintains effectiveness.

In addition to quantity results, manuscript's Figure 2 also qualitatively shows that our noise generator produces perturbations (64/255) that remain visually imperceptible to humans.

W3: Evaluation depends on algorithmic detectors.

A3: We follow the common practice in prior studies [1, 2, 3, 4] to use these detectors (NudeNet, Q16) for consistent quantitative benchmarking. These detectors are trained on human-labeled datasets and thus reflect human perception to some extent.

To further strengthen our evaluation, we tested AdvI2I using a multimodal LLM (GPT-4o) with carefully designed prompts to simulate human judgment. The prompt, examples and results are shown in the file. The results closely align with algorithmic detectors.

[1] Safe latent diffusion: Mitigating inappropriate degeneration in diffusion models.

[2] Ring-A-Bell! How Reliable are Concept Removal Methods For Diffusion Models?.

[3] Sneakyprompt: Jailbreaking text-to-image generative models.

[4] Mma-diffusion: Multimodal attack on diffusion models.

W4: Insufficient coverage of concepts, and small test size.

A4: We appreciate this suggestion. In addition to the "nudity" and "violence" concept covered in our manuscript, we further evluated the suggested "political extremism" concept. The concept vector is constructed with prompts related to "extremism" and "terrorism.". The results confirm AdvI2I's versatility across diverse NSFW concepts.

Regarding sample size, our primary metric (ASR) typically does not require massive samples for reliable evaluation. Previous works ([1] Ring-A-Bell: 200 prompts, [2] MMA: 60 images) employed similar or smaller evaluation sets. Nonetheless, we now increased our test set to 500 images, and AdvI2I continues to demonstrate consistent effectiveness.

Additionally, for image quality (Section F of our manuscript), we use several metrics in addition to FID. These metrics are less sensitive to sample size and consistently validate the high visual quality of our generated images.

W5: Evaluations on new I2I models.

A5: Please see our response Reviewer FsK8's A3. Thank you for your advice.

W6: The low ASR on SDv3.0.

A6: The relatively lower performance on SDv3.0 is primarily due to its explicitly filtered training dataset, as noted in [1]. Interestingly, when we directly used prompts to request nudity content on SDv2.1 and SDv3.0 without defenses, SDv2.1 easily generated such content, while SDv3.0 did not. And even adversarial prompts (e.g. QF, Ring, etc.) fail significantly more often on SDv3.0 compared to earlier SD models.

This suggests that SD3.0 has less risk of generating NSFW content, regardless of attack methods. Therefore, a potential future direction to enhance I2I safety is to totally nullify the NSFW concept from the model by thoroughly cleaning the training data.

[1] Scaling rectified flow transformers for high-resolution image synthesis.

Thank you again for your valuable feedback.