To address the vulnerability of text-to-image (T2I) models to white-box attacks—where adversaries fine-tune models to bypass existing safety mechanisms and generate harmful content—this paper proposes Patronus, a robust defense framework. Methodologically, Patronus introduces (1) a learnable internal moderation module that decodes semantic features of harmful text inputs into zero vectors, enabling fine-grained input classification and precise blocking; and (2) a non-fine-tunable alignment training mechanism, achieved by freezing critical representation layers and incorporating robust supervision to prevent adversarial tampering with safety alignment. Extensive experiments demonstrate that Patronus achieves 100% blocking rate against diverse white-box attacks while preserving the original model’s fidelity, safety, and diversity in generating benign content.

Text-to-image (T2I) models, though exhibiting remarkable creativity in image generation, can be exploited to produce unsafe images. Existing safety measures, e.g., content moderation or model alignment, fail in the presence of white-box adversaries who know and can adjust model parameters, e.g., by fine-tuning. This paper presents a novel defensive framework, named Patronus, which equips T2I models with holistic protection to defend against white-box adversaries. Specifically, we design an internal moderator that decodes unsafe input features into zero vectors while ensuring the decoding performance of benign input features. Furthermore, we strengthen the model alignment with a carefully designed non-fine-tunable learning mechanism, ensuring the T2I model will not be compromised by malicious fine-tuning. We conduct extensive experiments to validate the intactness of the performance on safe content generation and the effectiveness of rejecting unsafe content generation. Results also confirm the resilience of Patronus against various fine-tuning attacks by white-box adversaries.