{"id":13561633,"url":"https://github.com/MadryLab/photoguard","last_synced_at":"2025-04-03T17:31:31.033Z","repository":{"id":62657774,"uuid":"561175504","full_name":"MadryLab/photoguard","owner":"MadryLab","description":"Raising the Cost of Malicious AI-Powered Image Editing","archived":false,"fork":false,"pushed_at":"2023-02-27T07:40:51.000Z","size":17888,"stargazers_count":561,"open_issues_count":5,"forks_count":45,"subscribers_count":14,"default_branch":"main","last_synced_at":"2024-11-04T13:37:48.618Z","etag":null,"topics":["adversarial-attacks","adversarial-examples","computer-vision","deep-learning","deepfakes","robustness","stable-diffusion"],"latest_commit_sha":null,"homepage":"https://gradientscience.org/photoguard/","language":"Jupyter Notebook","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MadryLab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2022-11-03T05:37:34.000Z","updated_at":"2024-11-04T07:03:00.000Z","dependencies_parsed_at":"2024-01-14T03:46:00.135Z","dependency_job_id":"291811a3-c0ee-4071-bd40-971545416c6c","html_url":"https://github.com/MadryLab/photoguard","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MadryLab%2Fphotoguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MadryLab%2Fphotoguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MadryLab%2Fphotoguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MadryLab%2Fphotoguard/
manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MadryLab","download_url":"https://codeload.github.com/MadryLab/photoguard/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247046952,"owners_count":20874746,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adversarial-attacks","adversarial-examples","computer-vision","deep-learning","deepfakes","robustness","stable-diffusion"],"created_at":"2024-08-01T13:00:59.367Z","updated_at":"2025-04-03T17:31:26.021Z","avatar_url":"https://github.com/MadryLab.png","language":"Jupyter Notebook","funding_links":[],"categories":["Jupyter Notebook"],"sub_categories":[],"readme":"# Raising the Cost of Malicious AI-Powered Image Editing\n\nThis repository contains the code for our recent work on safeguarding images against manipulation by ML-powered photo-editing models such as [stable diffusion](https://stability.ai/blog/stable-diffusion-public-release).\n\n**Raising the Cost of Malicious AI-Powered Image Editing** \u003cbr\u003e\n_Hadi Salman\\*, Alaa Khaddaj\\*, Guillaume Leclerc\\*, Andrew Ilyas, Aleksander Madry_ \u003cbr\u003e\n**Paper:** https://arxiv.org/abs/2302.06588 \u003cbr\u003e\n**Blog post:** https://gradientscience.org/photoguard \u003cbr\u003e\n**Interactive demo:** https://huggingface.co/spaces/hadisalman/photoguard (check [below](#new-interactive-demo) for how to run it locally) \u003cbr\u003e\n\n```bibtex\n    @article{salman2023raising,\n      title={Raising the Cost of Malicious AI-Powered Image Editing},\n      author={Salman, Hadi 
and Khaddaj, Alaa and Leclerc, Guillaume and Ilyas, Andrew and Madry, Aleksander},\n      journal={arXiv preprint arXiv:2302.06588},\n      year={2023}\n    }\n```\n\n\u003cp\u003e\n\u003ckbd\u003e\n\u003cimg src=\"assets/hero_fig.PNG\" width=\"1000\" \u003e\n\u003c/kbd\u003e\n\u003c/p\u003e\n\n## Getting started\n\nOur code relies on the [stable diffusion code on Hugging Face](https://github.com/huggingface/diffusers).\n\n1.  Clone our repo: `git clone https://github.com/madrylab/photoguard.git`\n\n2.  Install dependencies:\n\n    ```\n      conda create -n photoguard python=3.10\n      conda activate photoguard\n      pip install -r requirements.txt\n      huggingface-cli login\n    ```\n\n3.  You should now be all set! Check out our notebooks!\n\n## [New] Interactive demo\n\nWe created an interactive demo using [gradio](https://gradio.app/), and we are hosting it on [this HuggingFace space](https://huggingface.co/spaces/hadisalman/photoguard).\n\n[![image alt text](assets/demo_screenshot.png)](https://www.youtube.com/watch?v=aTC59Q6ZDNM)\n\nHowever, for faster inference, you can run the demo locally on your machine! Simply do this:\n\n```\nconda activate photoguard\ncd demo\npython app.py\n```\n\n## Generating high-quality fake images\n\nFirst, we walk you through how to generate high-quality fake images. Check out this notebook! The results look like the images below:\n\nSee [this notebook](notebooks/generating_fake_images.ipynb)!\n[![Open In Colab](https://colab.research.google.com/assets/colab-badge.svg)](https://colab.research.google.com/drive/1pwfeSe6MUjD7UfqdWxurMSWWZhic9TPl?usp=sharing)\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"assets/hadi_trevor.png\" width=\"1000\" \u003e\n\u003c/p\u003e\n\n## Simple photo-guarding (Encoder Attack):\n\nNow, we describe the simplest form of photo safeguarding that we implement. In particular, we implement a simple PGD attack on the image embedding part of the stable diffusion model. 
We have two demos demonstrating the efficacy of this photo-safeguarding method. The goal of both is to cause the stable diffusion model to generate something that is either unrealistic or unrelated to the original image.\n\n### Photo-guarding against Image-to-Image pipelines\n\nThe first is the case where someone uses an image + prompt to modify the input image based on the prompt description.\n\nSee [this notebook](notebooks/demo_simple_attack_img2img.ipynb)!\n[![Open In Colab](https://colab.research.google.com/assets/colab-badge.svg)](https://colab.research.google.com/drive/1P9_Xkbb05d5ynuvucFO6TjXJoXLq_Vyg?usp=sharing)\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"assets/simple_attack_img2img.png\" width=\"1000\" \u003e\n\u003c/p\u003e\n\n### Photo-guarding against Inpainting pipelines\n\nThe second is the more interesting scenario where someone wants to edit parts of an existing image via inpainting. The generated images after immunization are clearly fake!\n\nSee [this notebook](notebooks/demo_simple_attack_inpainting.ipynb)!\n[![Open In Colab](https://colab.research.google.com/assets/colab-badge.svg)](https://colab.research.google.com/drive/1q-p8_PWROVOAl6B07znev0W-Z9gKgoW2?usp=sharing)\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"assets/simple_attack_inpaint.png\" width=\"1000\" \u003e\n\u003c/p\u003e\n\n## Complex photo-guarding (Diffusion attack)\n\nFor more effective photo-guarding, especially against image inpainting, we need to attack the stable diffusion model end-to-end. Now, the generated images after immunization are even more clearly fake than above!\n\nSee [this notebook](notebooks/demo_complex_attack_inpainting.ipynb)!\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"assets/complex_attack_inpaint.png\" width=\"1000\" \u003e\n\u003c/p\u003e\n\nThat's it! Please let us know if you have any questions. 
And check our paper for details about each of these attacks.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMadryLab%2Fphotoguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FMadryLab%2Fphotoguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMadryLab%2Fphotoguard/lists"}