A research team led by Virginia Tech cybersecurity expert Bimal Viswanath has found a critical blind spot in today's image protection techniques designed to prevent bad actors from stealing online content for unauthorized artificial intelligence training, style mimicry, and deepfake manipulations.
The research team found that attackers can defeat existing image protections using off-the-shelf artificial intelligence (AI) models and simple commands. Furthermore, "there is currently no foolproof, mathematically guaranteed way for users to protect publicly posted images against an adversary using off-the-shelf GenAI models," Viswanath said.
The work was presented at the fourth IEEE Conference on Secure and Trustworthy Machine Learning, in Munich, Germany. The authors include Viswanath, doctoral students Xavier Pleimling and Sifat Muhammad Abdullah, Assistant Professor Peng Gao, Murtuza Jadliwala of the University of Texas at San Antonio, and Gunjan Balde and Mainack Mondal of Indian Institute of Technology, Kharagpur.
As AI tools become more powerful and accessible, this work highlights the growing need for stronger cybersecurity, trustworthy AI, privacy, and digital forensics protections.
GenAI makes fraud easier
Previously, circumventing image protection techniques, which make it difficult for bad actors to use authentic content for deepfakes, facial identity theft, or artistic style mimicry, required specialized, purpose-built methods.
"But using today's off-the-shelf, image-to-image generative AI models and a simple text prompt, our researchers easily and effectively removed a wide range of these protections," Viswanath said.
They demonstrated this security weakness across eight case studies spanning six diverse protection schemes. The vulnerabilities affect a wide spectrum of defenses: perturbations meant to protect specific semantic properties, such as a person's facial identity; invisible "protective noise" applied in a model's latent space; and even robust protections specifically designed to survive downstream fine-tuning.
"Our general-purpose attack not only circumvents these defenses but actually outperforms existing specialized attacks, while preserving the image's utility for the adversary," Viswanath said.
Racing to solve a growing problem
This work has exposed a critical and widespread vulnerability in the current landscape of image protection, proving that simply adding imperceptible protective noise to an image is no longer enough to stop data scrapers and forgers.
"It is especially concerning because current security methods can give a false sense of security," Viswanath said. "We urgently need to develop robust defenses and establish that any future protection mechanism can defend against attacks from off-the-shelf generative AI models."
This means the cybersecurity community must wholly re-evaluate its approach to securing visual content.
"Any future protection mechanism must be strictly benchmarked against simple, text-guided attacks from widely available, off-the-shelf GenAI models, not just evaluated against specialized, purpose-built attacks," Viswanath said. "Researchers should also note that GenAI image-to-image models will continue to improve over time, potentially making defense efforts harder."