AEGIS: A Mechanism-Guided Defense against Visual Synonym Jailbreaks in Text-to-Image Models

· Source: cs.CV updates on arXiv.org · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, extended

Summary

Text-to-image diffusion models like SD 1.4, SD 2.1, and FLUX.1 are vulnerable to "visual synonym attacks" (VSA), where benign-looking prompts elicit prohibited imagery. Existing alignment paradigms often face a safety-utility dilemma, either under-mitigating VSA threats or over-suppressing visually similar benign concepts. This work introduces Aegis, an inference-time defense that dynamically traces how unsafe semantics emerge during generation. Mechanistic analysis reveals VSA and explicit unsafe prompts converge through sparse "semantic-injecting attention heads." Aegis applies similarity-aware repulsion only at these identified vulnerable heads. On SD 1.4, Aegis reduces Attack Success Rate (ASR) to 0.00/0.03 for in-domain violence/nudity VSA and achieves ASRs ≤0.09 for out-of-domain explicit and adversarial attacks, while preserving benign fidelity (FID 66.70, CLIP 30.55) and transferring to SD 2.1 and FLUX.1.

Key takeaway

For AI Security Engineers deploying text-to-image models, you should consider implementing dynamic, inference-time defenses like Aegis to counter evolving visual synonym attacks. This approach, which targets specific "semantic-injecting attention heads" rather than broad content filters, offers robust safety (ASR ≤0.09) without degrading benign generation utility (FID 66.70). Prioritize solutions that adaptively steer internal model mechanisms to avoid over-mitigation and ensure cross-architecture transferability.

Key insights

Unsafe visual semantics in T2I models emerge via sparse "semantic-injecting attention heads" that can be dynamically steered.

Principles

Method

Aegis identifies sparse semantic-injecting attention heads via Lasso regression on signature profiles. It then applies similarity-aware adaptive repulsion at these heads during inference, steering activations away from malicious anchor embeddings.

In practice

Topics

Code references

Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, AI Security Engineer, Machine Learning Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.CV updates on arXiv.org.