Shiqian Zhao (Nanyang Technological University), Chong Wang (Nanyang Technological University), Yiming Li (Nanyang Technological University), Yihao Huang (NUS), Wenjie Qu (NUS), Siew-Kei Lam (Nanyang Technological University), Yi Xie (Tsinghua University), Kangjie Chen (Nanyang Technological University), Jie Zhang (CFAR and IHPC, A*STAR, Singapore), Tianwei Zhang (Nanyang Technological University)

Text-to-Image (T2I) models, represented by DALL$cdot$E and Midjourney, have gained huge popularity for creating realistic images. The quality of these images relies on the carefully engineered prompts, which have become valuable intellectual property. While skilled prompters showcase their AI-generated art on markets to attract buyers, this business incidentally exposes them to textit{prompt stealing attacks}. Existing state-of-the-art attack techniques reconstruct the prompts from a fixed set of modifiers (textit{i.e.,} style descriptions) with model-specific training, which exhibit restricted adaptability and effectiveness to diverse showcases (textit{i.e.,} target images) and diffusion models.

To alleviate these limitations, we propose textbf{Prometheus}, a training-free, proxy-in-the-loop, search-based prompt-stealing attack, which reverse-engineers the valuable prompts of the showcases by interacting with a local proxy model. It consists of three innovative designs.
First, we introduce textit{dynamic modifiers}, as a supplement to static modifiers used in prior works. These dynamic modifiers provide more details specific to the showcases, and we exploit NLP analysis to generate them on the fly.
Second, we design a textit{contextual matching} algorithm to sort both dynamic and static modifiers. This offline process helps reduce the search space of the subsequent step.
Third, we interact with a local proxy model to invert the prompts with a greedy search algorithm. Based on the feedback guidance, we refine the prompt to achieve higher fidelity.
The evaluation results show that textbf{Prometheus} successfully extracts prompts from popular platforms like PromptBase and AIFrog against diverse victim models, including Midjourney, Leonardo.ai, and DALL$cdot$E, with an ASR improvement of 25.0%.
We also validate that textbf{Prometheus} is resistant to extensive potential defenses, further highlighting its severity in practice.

View More Papers

Prompt Injection Attack to Tool Selection in LLM Agents

Jiawen Shi (Huazhong University of Science and Technology), Zenghui Yuan (Huazhong University of Science and Technology), Guiyao Tie (Huazhong University of Science and Technology), Pan Zhou (Huazhong University of Science and Technology), Neil Zhenqiang Gong (Duke University), Lichao Sun (Lehigh University)

Read More

Adopt a PET! An Exploration of PETs, Policy, and...

Masoumeh Shafieinejad (Vector Institute), Xi He (Vector Institute and Univesity of Waterloo), Bailey Kacsmar (Amii & University of Alberta)

Read More

Cross-Boundary Mobile Tracking: Exploring Java-to-JavaScript Information Diffusion in WebViews

Sohom Datta (North Carolina State University, USA), Michalis Diamantaris (TTechnical University of Crete, Greece), Ahsan Zafar (North Carolina State University, USA), Junhua Su (North Carolina State University, USA), Anupam Das (North Carolina State University, USA), Jason Polakis (University of Illinois Chicago, USA), Alexandros Kapravelos (North Carolina State University, USA)

Read More