MetaCloak-JPEG: JPEG-Robust Adversarial Perturbation for Preventing Unauthorized DreamBooth-Based Deepfake Generation

The rapid progress of subject-driven text-to-image synthesis, and of DreamBooth in particular, has enabled a consent-free deepfake pipeline: an adversary needs only 4-8 publicly available face images to fine-tune a personalized diffusion model and produce photorealistic harmful content. Current adversarial face-protection systems (PhotoGuard, Anti-DreamBooth, and MetaCloak) perturb user images to disrupt surrogate fine-tuning, but all share a structural blind spot: none backpropagates gradients through the JPEG compression that every major social-media platform applies before an adversary can access the images. JPEG quantization relies on round(), whose derivative is zero almost everywhere, so these methods optimize with no gradient signal about what compression preserves. As a result, adversarial energy concentrates in high-frequency DCT bands that JPEG discards, eliminating 60-80% of the protective signal. We introduce MetaCloak-JPEG, which closes this gap by inserting a Differentiable JPEG (DiffJPEG) layer built on the Straight-Through Estimator (STE): the forward pass applies standard JPEG compression, while the backward pass replaces round() with the identity. DiffJPEG is embedded in a JPEG-aware Expectation over Transformation (EOT) distribution (~70% of augmentations include DiffJPEG) and combined with a curriculum quality-factor schedule (QF: 95 to 50) inside a bilevel meta-learning loop. Under an l-inf perturbation budget of eps=8/255, MetaCloak-JPEG attains 32.7 dB PSNR and a 91.3% JPEG survival rate, and it outperforms PhotoGuard at all 9 evaluated JPEG quality factors (9/9 wins, mean denoising-loss gain +0.125) within a 4.1 GB training-memory budget.
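
The STE idea described above can be illustrated with a scalar toy example. This is a minimal sketch and not the paper's DiffJPEG layer: it quantizes a single DCT-like coefficient rather than 8x8 image blocks, computes gradients by hand instead of using an autodiff framework, and the names `quantize_dequantize` and `optimize` as well as the step size, target, and learning rate are assumptions chosen for illustration.

```python
def quantize_dequantize(coeff, step):
    """Forward pass: JPEG-style quantization of one coefficient (uses round())."""
    return round(coeff / step) * step


def optimize(coeff, step, target, use_ste, lr=0.1, iters=20):
    """Gradient descent on L = 0.5 * (y - target)**2, where y is the
    quantized-then-dequantized coefficient.

    use_ste=False uses the true derivative of round(), which is 0 wherever
    it is defined, so the coefficient never moves.
    use_ste=True treats round() as the identity in the backward pass, so
    dy/dcoeff = (1 / step) * 1 * step = 1 and the loss gradient flows through.
    """
    for _ in range(iters):
        y = quantize_dequantize(coeff, step)
        grad_y = y - target                      # dL/dy
        dy_dcoeff = 1.0 if use_ste else 0.0      # backward rule for round()
        coeff -= lr * grad_y * dy_dcoeff
    return coeff, quantize_dequantize(coeff, step)


# Hypothetical setting: quantization step 16, and we want the compressed
# coefficient to equal 16 while starting inside the bin that rounds to 0.
stuck_coeff, stuck_out = optimize(3.0, 16.0, 16.0, use_ste=False)
ste_coeff, ste_out = optimize(3.0, 16.0, 16.0, use_ste=True)
print("true gradient:", stuck_coeff, stuck_out)
print("STE gradient: ", ste_coeff, ste_out)
```

With the true gradient the coefficient stays where it started and the compressed value never changes. With the STE the coefficient is pushed across the bin boundary, after which the compressed value matches the target and the update stops.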

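
The JPEG-aware EOT distribution and the curriculum quality-factor schedule mentioned in the abstract could be sketched as follows. The abstract gives only the endpoints (QF 95 to 50) and the approximate 70% share of augmentations that include DiffJPEG; the linear shape of the schedule, the pool of non-JPEG transforms, and the function names `curriculum_qf` and `sample_augmentation` are assumptions made for this illustration.

```python
import random


def curriculum_qf(step, total_steps, qf_start=95, qf_end=50):
    """Anneal the JPEG quality factor from qf_start to qf_end.

    A linear schedule is assumed here; the abstract only states the endpoints.
    """
    if total_steps <= 1:
        return qf_end
    frac = min(max(step / (total_steps - 1), 0.0), 1.0)
    return round(qf_start + frac * (qf_end - qf_start))


def sample_augmentation(step, total_steps, rng, p_jpeg=0.7):
    """Draw one EOT transform description.

    With probability p_jpeg the transform includes a DiffJPEG stage at the
    current curriculum quality factor. The base transform pool is hypothetical.
    """
    base = rng.choice(["identity", "gaussian_blur", "resize", "crop"])
    if rng.random() < p_jpeg:
        return {"base": base, "jpeg": True, "qf": curriculum_qf(step, total_steps)}
    return {"base": base, "jpeg": False, "qf": None}


rng = random.Random(0)
draws = [sample_augmentation(s, 1000, rng) for s in range(1000)]
jpeg_share = sum(d["jpeg"] for d in draws) / len(draws)
print("first QF:", curriculum_qf(0, 1000), "last QF:", curriculum_qf(999, 1000))
print("share of draws with DiffJPEG:", jpeg_share)
```

Starting at a high quality factor lets the perturbation first survive mild compression before the schedule moves to the harsher settings at the end of training.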