🛡️ Anti-Tamper Protection for Unauthorized Individual Image Generation

November 6, 2025 · View on GitHub

Official Code for ICCV 2025 Paper
📄 Anti-Tamper Protection for Unauthorized Individual Image Generation

⚙️ Environment Setup

conda create --name ATP --file requirements.txt
conda activate ATP

🔐 Launch ATP

Download Dataset CelebA-HQ and VGGFace2. The links for datasets can be found from CelebA-HQ, VGGFace2. For authorization model trainng, FFHQ should also be downloaded
Download authorization model weights and the guiding mask
Set weights path in configs/authorization.yaml and mask path in configs/protection.yaml
Run

python perturb.py --device cuda:0 --input_dir path_to_cleanData --output_dir path_to_perturbedData --method CAAT --input-mask path_to_mask

Argument	Description	Example
`--device`	Decide to run the model on which gpu	`cuda:0`, `cuda:1`
`--input_dir`	Path to the clean input images	`./data/clean/`
`--output_dir`	Path to save the perturbed images	`./data/perturbed/`
`--method`	Protection perturbation method	`CAAT`, `ANTIDB`, `ADVDM`,`METACLOAK`
`--input-mask`	Path to the mask	`./mask/050_mask.pt`

We recommend integrate CAAT with ATP which achieves good balance in generation efficiency and protection performance. But we also supply code for integrating MetaCloak, Anti-DreamBooth and AdvDM.

📁 Output Directory Structure

output_dir/
├── Authorized/  # Authorized images
|       ├ {id}/ # Authorized images separated by id
|       ├ Authorization_messages/ # Authorization messages for each image
└── ATP_{method}/     # Protected Images by ATP+{method}
         ├ {id}/ # ATP Perturbed images separated by id

🔍 Verification

Set weights path in configs/verification.yaml
✅ Without Purification: Run

cd authorization
python verify.py --message_dir path_to_authorization_messages  --input_dir path_to_atp_protected_image --method CAAT

🔓 Under Purification

Naive Transformation: Run

cd authorization
python verify.py --message_dir path_to_authorization_messages  --input_dir path_to_atp_protected_image --method CAAT --noise-args 2 --noise-type Resize

cd authorization
python verify.py --message_dir path_to_authorization_messages  --input_dir path_to_atp_protected_image --method CAAT --noise-args 70 --noise-type JPEG

Advanced Purification: GridPure

First run the GridPure
Run

cd authorization
python verify.py --message_dir path_to_authorization_messages  --input_dir path_to_atp_protected_image --method GridPure

Argument	Description	Example
`--message_dir_dir`	Path to the authorization messages dir	`./data/Authorization_messages`
`--input_dir`	Path to the images for verification	`./data/perturbed/`
`--method`	Protection perturbation method	`CAAT`, `ANTIDB`, `ADVDM`,`METACLOAK`
`--noise-args`	Protection perturbation method	`2`, `50`
`--noise-type`	Protection perturbation method	`JPEG`, `Resize`

Example Output：

Average Bit-Error: 0.44984375 Unauthorized image Ratio: 1.0 Pass Verification Identity Num: 0

"Pass Verification Identity Num" can be used to calculate Protect Success Rate (PSR). Once the purification happen and the ideneity can't pass the verification. We regard it as a successful protection.

🧑‍🎨 Generation

If the images pass the verification, they can be used for generation.

✅ Without Purification: Run

 cd generation
 python generate.py --input_dir path_to_image_for_generation --method CAAT --device cuda:0

The results are saved in "DREAMBOOTH" directory.

🔓 Under Purification

Although the purified images are not utilized for generation in our experiments due to their complete failure in passing verification, we still include code for baseline algorithms to enable comparison.

For JPEG and Resize, Run:

 cd generation
 python generate.py --input_dir path_to_image_for_generation --method CAAT --device cuda:0 --purification naive

For Gridpure, you need to first run the GridPure, then use the purified images to run:

 cd generation
 python generate.py --input_dir path_to_image_for_generation --method CAAT --device cuda:0 --purification gridpure

🧾 Metrics Calculation

Download ID embedding from celebahq, vggface.
Modify the settings defined on ./configs/metrics.yaml. You need to define the path to the image to be evaluated （instance_dir） and the path to directory for storing evaluation result record file （output_dir）, the prompt used to do generation, ID embedding path（id_emb_path）.
Download LIQE.pt from url. Place it to ./metrics/LIQE/checkpoints

 cd metrics
 python eval_dir.py --dataset CelebA-HQ --method CAAT

Argument	Description	Example
`--dataset`	Dataset for evaluation	`CelebA-HQ`, `VGGFace2`
`--method`	Protection perturbation method	`CAAT`, `ANTIDB`, `ADVDM`,`METACLOAK`

The evaluation result will be saved in the output_dir you define in the metrics.yaml

 python show.py --path evaluation_results

Example Output：

CLIP-IQAC       LIQE            ISM             FDFR             PSR
-0.176525       1.033371        0.489084        0.406250        0.859375

(By modifying the eval_dir.py code in line 67 to line 68 (commented), you can also evaluate the purified generation result from naive transformation.)

📈 Training

You can also train your own authorization model.

Modify the settings in ./configs/authorization.yaml

cd authorization

bash scripts/train.sh

📚 Acknowledgement

To construct this project, we borrowed codes from: LIQE, GridPure, ANTIDB, METACLOAK, CAAT, HiDDeN, BasicSR.

Thanks for their excellent work!

📌 If you find this project useful in your research, please consider citing our paper.