Defensive Unlearning with Adversarial Training for Robust Concept Erasure in Diffusion Models

Tables (referred to as Table Rx) can be found in the attached PDF file.

W1 & Q2 & Limitations: More attacks for ASR measure.

A: Thank you for the suggestions regarding two additional related works. We will cite them and expand our discussions in the related work section accordingly. Furthermore, following your recommendation, we have employed both the PEZ [1] and PHP2 [2] methods to evaluate our proposed method, AdvUnlearn, as detailed in Table R1. The results demonstrate that UnlearnDiffAtk consistently achieves a higher Attack Success Rate (ASR) compared to PEZ and PHP2, reaffirming its effectiveness as our primary tool for robustness evaluation among text-based adversarial attacks. More details and analysis can be found in General Response 1 (GR1).

In the revision, we will add a detailed comparison with the PEZ [1] and PHP2 [2] attacks and their discussion.

Q1: How is text encoder to be involved in optimization?

A: Sorry for the confusion. Eq. (5) outlines a generic bi-level optimization problem formulation used in AdvUnlearn, where $\boldsymbol \theta$ represents the upper-level optimization variables in a general sense. In Algorithm 1, $\boldsymbol \theta$ specifically refers to the parameters of the text encoder. Alternatively, $\boldsymbol \theta$ can be considered as a vector that includes the text encoder parameters to be optimized and the UNet parameters that remain frozen during the optimization process. Steps 10-12 in the algorithm are applied exclusively to the active text encoder parameters, ensuring that adjustments are made only where necessary for effective unlearning.

[1] Hard Prompts Made Easy: Gradient-Based Discrete Optimization for Prompt Tuning and Discovery, NeurIPS 2023.

[2] Prompting Hard or Hardly Prompting: Prompt Inversion for Text-to-Image Diffusion Model, CVPR 2024.

Dear Reviewer hd8m,

Thank you for recognizing our rebuttal efforts and for your continued engagement with our submission, particularly your request for further clarification. We provide our further response below.

We have now included the ASR for the original base model (SD v1.4) across different attack methods in Table R8 of our response. As indicated, UnlearnDiffAtk demonstrates higher ASRs compared to PEZ and PH2P, as well as CCE (see GR1). We acknowledge your correct assessment that PEZ, operating more like a black-box attack, leverages only the text encoder within the DM, thus exhibiting a weaker attack profile. In contrast, UnlearnDiffAtk, designed specifically to test the robustness of concept erasing/unlearning in DMs, shows a significantly stronger attack performance than other attack methods. This is also noted in our paper (Tables 5-7), where we showed a 100% ASR for UnlearnDiffAtk against the original DM to underscore its effectiveness as an effective attack method in evaluation. This high ASR reflects UnlearnDiffAtk's tailored approach as a white-box, text-based adversarial prompt method, which is valid for a rigorous assessment of unlearned models.

In light of your feedback, we will include these experimental justifications in the revised manuscript to address concerns regarding the selection of UnlearnDiffAtk and its comparative analysis with other prompt-level attack methods. Although these revisions strengthen our paper, they do not deviate from the original contributions, e.g., the validity of using UnlearnDiffAtk in evaluation.

Table R8: Attack evaluation of base model (w/o applying AdvUnlearn) in ASR across various generation concepts of our interest (Nudity, Style, Object) under distinct attacks. A higher ASR indicates stronger attack performance.

We hope the above response addresses your remaining concerns adequately. If you have any more questions or need further discussion, please feel free to reach out. We will try our best to ensure that all your concerns can be thoroughly addressed before the rebuttal period concludes.

Thank you very much,

Authors

Tables (referred to as Table Rx) can be found in the attached PDF file.

W1 & Q1: Lacks a sufficient number of attack methods.

A: Thank you for your insightful suggestion regarding the range of attack methods in our study. In response, we have incorporated three additional attack evaluation methods, as detailed in the General Response. Among all the text prompt-based attacks we assessed, UnlearnDiffAtk continues to stand out as the most effective, reaffirming its selection for our initial analysis. For a more detailed evaluation and comparison of these methods, please refer to the General Response 1 (GR1).

W2 & Q3: Introduction to $C_{retain}$ is inadequate.

A: Thank you for pointing out the need for clearer information regarding the construction of $C_{retain}$. First, we described the composition of the retaining dataset in Lines 246-249 and Appendix A. Specifically, the prompts in $C_{retain}$ are formatted as "a photo of [OBJECT CLASS]," where "OBJECT CLASS" is sampled from well-known object datasets such as ImageNet or COCO. These prompts undergo a filtering process using a large language model (LLM) to ensure they exclude any concepts targeted for erasure, maintaining their suitability as retain prompts (Appendix A). The finalized $C_{retain}$ consists of 243 distinct prompts. During training, 5 prompts from $C_{retain}$​ are randomly selected for each batch to support utility-retaining regularization. It's important to clarify that the role of $C_{retain}$​ is not to train the model on producing specific objects or concepts; instead, it aims to guide the model in generating general, non-forgetting content effectively. This approach helps counteract the potential performance drops often seen with adversarial training [1] (Lines 236-238). As evidenced in Fig. 4-6 of the submission, incorporating $C_{retain}$​ enhances the general utility of the unlearned DM during the testing phase. In these figures, test-time prompts include varied objects like "toilet," "Picasso," and "cassette player" which are not part of $C_{retain}$, demonstrating the unlearned model's generalization capabilities.

Q2: Why not consider embedding-based attacks?

A: Thank you for raising this question about the choice of attack method. We opted for UnlearnDiffAtack as our primary attack evaluation method for the following reasons:

• Our proposed defense, AdvUnlearn, is designed to fortify unlearned Diffusion Models (DMs) against text-based attacks post-unlearning in Eq. (5). Similar to how PGD attacks serve as a benchmark for evaluating adversarial training, we selected a prompt-based attack to assess the robustness of our unlearning approach.
• To the best of our knowledge, UnlearnDiffAtack is a state-of-the-art, prompt-based text adversarial attack specifically designed to challenge unlearned DMs. It has demonstrated superior Attack Success Rate (ASR) compared to other text-based prompt inversion methods such as PEZ [2] and PH2P [3], as validated in our additional experiments detailed in the General Response 1 (GR1) and Table R1.

However, we recognize the value of exploring diverse types of attacks, including embedding-based attacks such as CCE [4]. The CCE attack, which utilizes textual inversion to embed adversarial content, indeed shows higher ASR than discrete text-based attacks, as shown in Table R1. This is expected as our defense, AdvUnlearn, primarily addresses discrete prompt-based attacks. The continuous search space offered by CCE provides greater optimization flexibility, potentially allowing it to bypass certain defensive mechanisms.

Acknowledging that the arms race between attack and defense is ongoing, similar to adversarial scenarios in discriminative models, we are committed to including an evaluation against the CCE attack in our revised paper and clarify the above points regarding our choice of UnlearnDiffAtack.

[1] Unlabeled data improves adversarial robustness, NeurIPS 2019.

[2] Hard Prompts Made Easy: Gradient-Based Discrete Optimization for Prompt Tuning and Discovery, NeurIPS 2023.

[3] Prompting Hard or Hardly Prompting: Prompt Inversion for Text-to-Image Diffusion Model, CVPR 2024.

[4] Circumventing Concept Erasure Methods For Text-to-Image Generative Model, ICLR 2023.

Tables can be found in the attached PDF file.

W1: Lack of Sufficient Evaluation across various attacks

A: Thank you for your valuable feedback concerning the scope of our evaluation. We have included more attacks (including CCE and RAB) for evaluation. Details can be found in General Response 1 (GR1).

W2: Lack of Completeness: Missing quantitative erasure results of AdvUnlearn.

A: Following the reviewer’s suggestion, we have included additional experiments in Table R3 in the attached PDF file. More detailed analysis can be found in General Response 2 (GR2).

Q1: More explanation about prompt subset creation for Nudity unlearning.

A: In alignment with the established UnlearnDiffAtk protocol, we used the subset of 142 prompts selected from the I2P dataset. These prompts were specifically chosen based on the NudeNet score of the images they generated, where only those prompts generating images with a score higher than 0.75 were included. This threshold was selected to ensure that the prompts represent the most explicit and potentially harmful cases for nudity generation. We continue using this subset because it facilitates us to evaluate the robustness of our method against the worst-case prompt set (characterized by high nudity levels). Additionally, given the substantial computational costs associated with UnlearnDiff evaluations, focusing on this subset characterized by high nudity levels enables a more efficient use of resources while still rigorously assessing the performance of multiple models under challenging conditions.

Q2: Impact of style unlearning on other art styles.

A: Based on your suggestion, we have conducted further experiments to specifically assess the impact of erasing Van Gogh's style on the generation of images styled after Monet, Paul Cezanne, and Andy Warhol. These experiments, detailed in Table R4, use a style classifier similar to that employed in our attack evaluations. Higher accuracy in this context suggests that the unlearning process has less impact on other artistic styles. Our results indicate that the style of Monet, who shared the Impressionist movement with Van Gogh, exhibited the most significant influence. In contrast, the styles of artists that more loosely relate to Van Gogh, such as Cezanne and Warhol, showed minimal impact. This suggests that unlearning tends to have side effects primarily on concepts closely related to the target of the unlearning process. These observations align with recent findings on the retainability of concept erasing in the recent study UnlearnCanvas [1]. We will include these additional experimental results and discussions in our revised manuscript. Thank you for the insightful comment.

Q3: Missing erasure performance and its effects on object generation utility in object unlearning, with considerations on evaluation prompt set size.

A: The omission of detailed erasing results for unperturbed forgetting prompts follows the rationale previously outlined in our response to W2. For further detail, please refer to the additional erasing results in Table R3, which include outcomes for objects such as Church, Garbage Truck, Parachute, and Tench (used in Figure 6 and Appendix E).

Responding to another of your suggestions, we have expanded our robustness evaluation to include a larger set of 150 prompts, as presented in Table R5. The results from this expanded set align with our initial findings using 50 prompts, confirming the consistency of our method's performance. We are open to further expanding our prompt set to 500, akin to the baseline method ESD, when we can get more computing resources in the revision.

Regarding the assessment of utility loss in our study, we utilized both FID and CLIP scores (Lines 345-346) to evaluate utility across various unlearning tasks. As shown in Table 7, there is a noticeable reduction in utility across different unlearning methods for object unlearning scenarios. However, AdvUnlearn demonstrates the favorable balance between maintaining utility and achieving robustness. Additionally, we conducted a comparative analysis of AdvUnlearn and ESD focusing on their image generation accuracy for both the targeted forgetting class and the remaining classes (500 images per class). The results, presented in Table R6, indicate that AdvUnlearn outperforms ESD in preserving utility for the remaining classes. This is attributed to the inclusion of utility regularization in our method, which significantly enhances the utility-unlearning tradeoff, as shown in Table 7.

Q4: Considerations on evaluation prompt set size for utility performance evaluation and higher utility performance variances for AdvUnlearn.

A: We evaluated models across different unlearning tasks using datasets of 10k and 30k prompts and found that they achieved similar results. As indicated in Table R7, the variance in FID and CLIP scores for the AdvUnlearn models is small. Consequently, we decided to utilize 10k prompts for evaluations to moderate computational requirements, ensuring efficiency without compromising the integrity of our results.

We acknowledge that as the unlearning task varies, there is a higher variance in FID and CLIP scores for AdvUnlearn compared to ESD, which can be attributed to differences in the "optimization variables" (i.e., the specific modules optimized during unlearning) between these two methods. As illustrated in Figure 8, unlearning global knowledge concepts such as nudity requires tuning the entire text encoder to achieve the best unlearning performance. This involvement of more layers tends to result in more utility degradation. Conversely, as noted in Lines 452-454, specific styles and objects represent more localized concepts. This allows for the tuning of only the first layer of the text encoder, which is sufficient to unlearn while preserving better overall utility.

[1] Unlearncanvas…., Arxiv.