Immunizing 3D Gaussian Generative Models Against Unauthorized Fine-Tuning via Attribute-Space Traps
Pith reviewed 2026-05-10 19:24 UTC · model grok-4.3
The pith
GaussLock embeds traps in the position, scale, rotation, opacity and color attributes of 3D Gaussians to block unauthorized fine-tuning while preserving authorized adaptations.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
GaussLock is the first parameter-space immunization framework for 3D Gaussian generative models. It jointly optimizes authorized distillation with trap losses on the five Gaussian attributes—position, scale, rotation, opacity and color—that are designed to systematically collapse spatial distributions, distort geometric shapes, align rotational axes and suppress primitive visibility. This dual-objective training preserves fidelity for authorized tasks while actively destroying structural integrity during unauthorized fine-tuning, as verified by higher LPIPS and lower PSNR on stolen reconstructions.
What carries the argument
Attribute-aware trap losses jointly optimized with authorized distillation, targeting the five explicit Gaussian attributes (position, scale, rotation, opacity, color) to induce structural collapse under unauthorized optimization.
If this is right
- Unauthorized fine-tuning produces 3D reconstructions with substantially higher LPIPS and lower PSNR.
- Authorized fine-tuning retains the original model performance on its intended tasks.
- The traps cause systematic collapse of spatial distributions and distortion of geometric shapes in the Gaussian primitives.
- The protection applies directly to large-scale pre-trained 3D Gaussian models without architectural changes.
- The method provides the first defense tailored to the explicit attribute exposure in 3D Gaussian generators.
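The four failure modes named above (collapsed positions, distorted shapes, aligned rotation axes, suppressed visibility) can each be measured directly on a set of Gaussians. The following is an added example, not code from the paper or from Pith: the metrics, thresholds, field names and sample data are assumptions of this example, attributes are taken as already activated (linear scale, opacity in [0, 1]), and color is left out because the page names no effect for it.

```python
import math
import random
import statistics

VISIBLE_OPACITY = 0.05  # assumed cut-off: below this a primitive counts as invisible


def position_spread(gaussians):
    """RMS distance of the Gaussian centres from their centroid."""
    n = len(gaussians)
    centroid = [sum(g["position"][k] for g in gaussians) / n for k in range(3)]
    sq = sum((g["position"][k] - centroid[k]) ** 2 for g in gaussians for k in range(3))
    return math.sqrt(sq / n)


def scale_anisotropy(gaussians):
    """Median longest/shortest axis ratio; 1.0 means spherical primitives."""
    return statistics.median(
        max(g["scale"]) / max(min(g["scale"]), 1e-12) for g in gaussians
    )


def axis_alignment(gaussians, iters=60):
    """Largest eigenvalue of the mean outer product a a^T of rotation axes.

    Near 1/3 when axes point in all directions, 1.0 when every rotation shares
    one axis. The outer product ignores the sign ambiguity of quaternions.
    """
    m = [[0.0] * 3 for _ in range(3)]
    count = 0
    for g in gaussians:
        _, x, y, z = g["rotation"]          # quaternion stored as (w, x, y, z)
        norm = math.sqrt(x * x + y * y + z * z)
        if norm < 1e-8:                     # identity rotation has no axis
            continue
        a = (x / norm, y / norm, z / norm)
        for i in range(3):
            for j in range(3):
                m[i][j] += a[i] * a[j]
        count += 1
    if count == 0:
        return 0.0
    v, lam = [0.6, 0.5, 0.4], 0.0           # power iteration from a generic start
    for _ in range(iters):
        mv = [sum(m[i][j] * v[j] for j in range(3)) / count for i in range(3)]
        lam = math.sqrt(sum(c * c for c in mv))
        if lam == 0.0:
            return 0.0
        v = [c / lam for c in mv]
    return lam


def visible_fraction(gaussians):
    """Share of primitives whose opacity reaches the visibility cut-off."""
    return sum(g["opacity"] >= VISIBLE_OPACITY for g in gaussians) / len(gaussians)


def attribute_report(gaussians):
    return {
        "position_spread": position_spread(gaussians),
        "scale_anisotropy": scale_anisotropy(gaussians),
        "axis_alignment": axis_alignment(gaussians),
        "visible_fraction": visible_fraction(gaussians),
    }


def collapse_flags(reference, candidate):
    """Compare a candidate reconstruction with a known-good one (assumed thresholds)."""
    ref, cand = attribute_report(reference), attribute_report(candidate)
    flags = []
    if cand["position_spread"] < 0.5 * ref["position_spread"]:
        flags.append("position_collapse")
    if cand["scale_anisotropy"] > 4.0 * ref["scale_anisotropy"]:
        flags.append("scale_distortion")
    if cand["axis_alignment"] > 0.9:
        flags.append("rotation_alignment")
    if cand["visible_fraction"] < 0.5 * ref["visible_fraction"]:
        flags.append("opacity_suppression")
    return flags


def _quat(rng, axis=None):
    if axis is None:                        # uniformly random rotation
        q = [rng.gauss(0, 1) for _ in range(4)]
    else:                                   # random angle about one fixed axis
        half = rng.uniform(0.05, 1.5)
        q = [math.cos(half)] + [math.sin(half) * c for c in axis]
    n = math.sqrt(sum(c * c for c in q))
    return tuple(c / n for c in q)


def make_reference(seed, n=500):
    """Constructed sample: well-spread, near-spherical, visible primitives."""
    rng = random.Random(seed)
    return [{"position": [rng.uniform(-1, 1) for _ in range(3)],
             "scale": [rng.uniform(0.02, 0.03) for _ in range(3)],
             "rotation": _quat(rng),
             "opacity": rng.uniform(0.3, 1.0)} for _ in range(n)]


def make_collapsed(seed, n=500):
    """Constructed sample showing all four symptoms at once."""
    rng = random.Random(seed)
    return [{"position": [rng.uniform(-0.01, 0.01) for _ in range(3)],
             "scale": [rng.uniform(0.4, 0.6), 0.001, 0.001],
             "rotation": _quat(rng, axis=(0.0, 0.0, 1.0)),
             "opacity": rng.uniform(0.001, 0.01)} for _ in range(n)]
```

Running `collapse_flags` on an authorized fine-tune against the released model should return an empty list, which complements the image-space LPIPS and PSNR numbers with a check in attribute space.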
Where Pith is reading between the lines
- The same trap idea could be tested on other 3D representations that expose explicit structural parameters during optimization.
- If the traps prove hard to remove, open release of 3D models may need to include such immunizations by default to limit IP leakage.
- Future work could examine whether custom optimizers or trap-pattern detection allow adversaries to circumvent the defense.
Load-bearing premise
Adversaries will apply standard gradient-based fine-tuning that activates the embedded traps without detecting or bypassing them, and the traps will leave authorized fine-tuning performance intact.
What would settle it
An adversary producing a fine-tuned model with low LPIPS and high PSNR on the specialized 3D task, or any significant drop in quality for authorized fine-tuning, would show the traps have failed.
Original abstract
Recent large-scale generative models enable high-quality 3D synthesis. However, the public accessibility of pre-trained weights introduces a critical vulnerability. Adversaries can fine-tune these models to steal specialized knowledge acquired during pre-training, leading to intellectual property infringement. Unlike defenses for 2D images and language models, 3D generators require specialized protection due to their explicit Gaussian representations, which expose fundamental structural parameters directly to gradient-based optimization. We propose GaussLock, the first approach designed to defend 3D generative models against fine-tuning attacks. GaussLock is a lightweight parameter-space immunization framework that integrates authorized distillation with attribute-aware trap losses targeting position, scale, rotation, opacity, and color. Specifically, these traps systematically collapse spatial distributions, distort geometric shapes, align rotational axes, and suppress primitive visibility to fundamentally destroy structural integrity. By jointly optimizing these dual objectives, the distillation process preserves fidelity on authorized tasks while the embedded traps actively disrupt unauthorized reconstructions. Experiments on large-scale Gaussian models demonstrate that GaussLock effectively neutralizes unauthorized fine-tuning attacks. It substantially degrades the quality of unauthorized reconstructions, evidenced by significantly higher LPIPS and lower PSNR, while effectively maintaining performance on authorized fine-tuning.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes GaussLock, a parameter-space immunization method for 3D Gaussian generative models. It jointly optimizes an authorized distillation objective with attribute-aware trap losses that target position, scale, rotation, opacity, and color attributes to collapse spatial distributions, distort geometry, align axes, and suppress visibility. The central claim is that this dual optimization embeds traps that activate under unauthorized gradient-based fine-tuning to degrade reconstruction quality (higher LPIPS, lower PSNR) while preserving fidelity on authorized fine-tuning tasks. Experiments on large-scale models are reported to support the effectiveness of this approach.
Significance. If the traps prove robust, the work would address a timely IP-protection gap for explicit 3D representations that are directly exposed to fine-tuning, extending beyond 2D and language-model defenses. The lightweight integration of traps during distillation is a practical strength, and the explicit targeting of Gaussian attributes provides a concrete mechanism that could be falsifiable with additional tests.
major comments (3)
- [Experiments] Experiments section: only standard (non-adaptive) fine-tuning is evaluated. No tests are presented against informed adversaries who could detect anomalous parameter regions or loss terms via gradient analysis/meta-optimization and then prune affected Gaussians or add a counter-term to suppress trap activation. This assumption—that traps reliably activate without bypass—is load-bearing for the claim that GaussLock 'effectively neutralizes unauthorized fine-tuning attacks.'
- [Method] Method section: the joint optimization of distillation and trap losses is described at a high level, but the weighting coefficients, exact formulations of the five attribute-specific trap terms, and any constraints ensuring they do not trivially reduce to zero are not provided. Without these, it is impossible to verify independence from the distillation objective or reproducibility of the reported degradation.
- [Abstract and Experiments] Abstract and Experiments: the performance claims rely on 'significantly higher LPIPS and lower PSNR' without reporting exact deltas, standard deviations across runs, number of trials, or statistical significance tests. This weakens the evidence that traps maintain authorized performance while degrading unauthorized reconstructions.
minor comments (3)
- [Abstract] The abstract would benefit from one or two concrete quantitative examples (e.g., LPIPS increase of X on dataset Y) rather than purely qualitative descriptors.
- [Related Work] Related-work discussion should explicitly compare to backdoor or poisoning techniques in generative models to clarify novelty.
- [Figures] Figure captions and axis labels in the experimental results could be expanded to include the exact fine-tuning hyperparameters used for both authorized and unauthorized cases.
Simulated Author's Rebuttal
We thank the referee for the constructive and detailed feedback. The comments highlight important aspects of experimental robustness, methodological transparency, and quantitative reporting. We address each major comment point by point below and indicate the revisions we will make to the manuscript.
- Referee: [Experiments] Experiments section: only standard (non-adaptive) fine-tuning is evaluated. No tests are presented against informed adversaries who could detect anomalous parameter regions or loss terms via gradient analysis/meta-optimization and then prune affected Gaussians or add a counter-term to suppress trap activation. This assumption—that traps reliably activate without bypass—is load-bearing for the claim that GaussLock 'effectively neutralizes unauthorized fine-tuning attacks.'
  Authors: We agree that the current evaluation is limited to standard fine-tuning and does not include tests against adaptive adversaries capable of detecting and bypassing traps. Our work establishes baseline effectiveness under the common unauthorized fine-tuning threat model. In the revision we will add a dedicated discussion subsection on potential adaptive attacks (e.g., gradient-based detection or counter-loss terms), explicitly state the assumed threat model, and note adaptive robustness as an important direction for future work. We will also moderate the strength of the neutralization claim to align with the evaluated scenarios.
  revision: partial
- Referee: [Method] Method section: the joint optimization of distillation and trap losses is described at a high level, but the weighting coefficients, exact formulations of the five attribute-specific trap terms, and any constraints ensuring they do not trivially reduce to zero are not provided. Without these, it is impossible to verify independence from the distillation objective or reproducibility of the reported degradation.
  Authors: The referee correctly identifies that the method description is insufficient for reproducibility. We will revise the Method section to provide the exact mathematical formulations of the five attribute-specific trap losses (position, scale, rotation, opacity, and color), the weighting coefficients used in the joint objective, and any regularization constraints that prevent trivial collapse. These additions will enable readers to verify independence from the distillation loss and reproduce the reported results.
  revision: yes
- Referee: [Abstract and Experiments] Abstract and Experiments: the performance claims rely on 'significantly higher LPIPS and lower PSNR' without reporting exact deltas, standard deviations across runs, number of trials, or statistical significance tests. This weakens the evidence that traps maintain authorized performance while degrading unauthorized reconstructions.
  Authors: We acknowledge that the quantitative claims require more precise reporting. In the revised manuscript we will update the abstract and Experiments section to include exact numerical deltas for LPIPS and PSNR, standard deviations computed over multiple independent runs (specifying the number of trials), and appropriate statistical significance tests. This will provide clearer and stronger empirical support for the performance claims.
  revision: yes
Circularity Check
No circularity; empirical method with independent experimental validation
The paper proposes GaussLock as a lightweight parameter-space immunization framework that jointly optimizes authorized distillation with attribute-aware trap losses on position, scale, rotation, opacity, and color. No mathematical derivation chain, equations, or predictions are presented that reduce to the inputs by construction. Claims rest on experimental results (higher LPIPS, lower PSNR for unauthorized fine-tuning while preserving authorized performance) rather than any self-definitional, fitted-input, or self-citation load-bearing steps. The approach is self-contained against external benchmarks with no ansatz smuggling or renaming of known results.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption: Adversaries perform unauthorized fine-tuning via gradient-based optimization on explicit Gaussian parameters
invented entities (1)
- attribute-space traps: no independent evidence