Current copyright defenses in Latent Diffusion Models are built on a flawed assumption: that adversarial perturbations in latent space cannot be undone. A new paper introduces Two-Stage Latent Feature Optimization (TS-LFO), and it demonstrates exactly how to break those protections by restoring the very mapping the defenses try to sever.
Why Latent Perturbations Fail
Existing defenses drop persistent noise into the latent space of LDMs to degrade personalized outputs, hoping to block malicious content forgery. The trick works by disrupting the mapping between an input image and its latent representation — but that disruption is not fundamental. TS-LFO treats that broken mapping as a signal to be recovered, not a wall to be overcome.
How TS-LFO Rebuilds the Mapping
TS-LFO operates in two stages. In the Latent Denoising Stage, it jointly minimizes a Latent-Image Alignment Loss and a Latent Diffusion Loss with timestep-dependent weights. That combination suppresses the high-frequency noise injected by the defense while preserving semantic consistency. In the Latent Reconstruction Stage, pixel-level constraints recover low-frequency semantic information the denoising stage might miss. The result is a latent code that behaves as if the defense never existed.
The Arms Race Continues
I have seen plenty of papers claim to bypass defenses, but this one is unusually thorough. TS-LFO consistently beats state-of-the-art copyright attacks — DiffPure, GrIDPure, and IMPRESS — across diverse settings, according to the authors' experiments. That means every current perturbation-based defense strategy needs rethinking. Expect model developers to treat latent-space perturbations as a first layer rather than a final barrier, or risk their so-called copyright protections becoming trivial to bypass.
Source: Bypassing Copyright Protection in Diffusion-based Customization via Two-Stage Latent Feature Optimization
Domain: arxiv.org
Comments load interactively on the live page.