PersGuard uses model backdoors to prevent malicious AI personalization

Researchers have proposed a novel defense against the misuse of AI image generators, embedding protective backdoors directly into diffusion models to prevent them from being personalized to generate unauthorized portraits or replicate artistic styles.

The paper, titled PersGuard and published on arXiv, introduces what its authors describe as the first backdoor-based framework for preventing malicious personalization of text-to-image (T2I) diffusion models. Existing defenses primarily rely on adding adversarial perturbations to reference images before they are used for fine-tuning, an approach that assumes all training images are pre-perturbed and fails when datasets contain clean images or undergo minor transformations.

PersGuard takes a fundamentally different approach: instead of perturbing the input images, it embeds a protective backdoor into the model itself before release. If a downstream user fine-tunes the model on protected images, the backdoor remains active and the model generates predefined protective outputs, effectively unusable images. If the model is fine-tuned on unprotected, legitimate images, the backdoor is automatically removed during training and the model retains its normal utility.

The framework formulates backdoor injection as a unified optimization problem with three objectives: a backdoor behavior loss that activates the protection, a prior preservation loss that maintains standard generation for clean inputs, and a novel retention loss that mirrors the personalization loss to ensure the backdoor survives downstream fine-tuning.

The researchers tested PersGuard across grey-box scenarios (where the attacker knows a defense exists but not the backdoor specifics) and black-box scenarios (no knowledge of the defense), as well as on multi-object protection (preventing personalization of multiple subjects) and facial identity protection. The method demonstrated better robustness than adversarial perturbation methods, particularly when datasets included clean images.

The paper was authored by Xinwei Liu, Xiaojun Jia, Yuan Xun, Hua Zhang, and Xiaochun Cao, and was revised on July 15, 2026, having originally been submitted in February 2025.

The approach addresses a growing concern as T2I models become more powerful and accessible. Services such as Midjourney, DALL-E, and open-weight models like Stable Diffusion have made it trivially easy to generate images in a specific person’s likeness or a particular artist’s style, raising urgent privacy and copyright questions that existing legal frameworks have struggled to address.

Source: arXiv

Scroll to Top