poisoning.ai
Reliability

LightShed explained

By The Poisoning.ai team
5 min read
Contents

LightShed is a research tool that detects and then strips the invisible perturbations that art-protection tools like Glaze and Nightshade add to an image, which is why 2025 headlines said it “defeats” art protection. The reality is narrower than the headline: its widely quoted 99.98% figure is a detection accuracy on Nightshade-protected images, not a claim that 99.98% of protected art can be perfectly restored, and not a one-click app you can download to clean a folder of pictures.

What LightShed is

LightShed (Foerster, Behrouzi, Rieger, Jadliwala, Sadeghi, USENIX Security 2025) is described by its own authors as “a generalizable depoisoning attack that effectively identifies poisoned images and removes adversarial perturbations.” In plain terms it does two things in sequence. First it recognises whether an image carries a protective perturbation, the imperceptible noise that first-generation tools add. Then it removes that perturbation so a model can train on the image roughly as if it had never been protected. It was presented at the 34th USENIX Security Symposium in 2025 and evaluated against the two best-known protections: Nightshade, presented at IEEE S&P 2024, and Glaze, published at USENIX Security 2023.

What the 99.98% number actually means

This is the figure to get right, because it is the one most often misread. According to Foerster, Behrouzi, Rieger, Jadliwala and Sadeghi (USENIX Security 2025), LightShed identifies poisoned samples with a true-positive rate of 99.98% and a true-negative rate of 100% on Nightshade, and only then depoisons them. That number is a detection score: of the images it was shown, it correctly flagged almost every Nightshade-protected one and never misflagged a clean image. It is not a measure of how faithfully the artist’s original is rebuilt after the perturbation is stripped, and it is not a statement that “99.98% of art is now unprotected.”

Reported claimWhat it meansWhat it does not mean
99.98% true-positive rateNightshade detection in the paper’s settingA universal removal or restoration score
100% true-negative rateClean images were not misflaggedNo side effects on any possible image
Works against Glaze tooDemonstrated beyond NightshadeEvery protection scheme is broken for good
Generalizes across perturbationsOne model spots more than one poisonNo future defence can ever adapt

Does it generalise?

Partly, and this is where careful reading matters. The paper’s own claim is that LightShed “generalizes across perturbation techniques, enabling a single model to recognize poisoned images,” and it demonstrates this against both Nightshade and Glaze, two tools built on different mechanisms. That is a real and useful result: a single stripper that handles more than one protection rather than a one-off trick against a single tool. But generalising across the two tools it was tested on is a narrower statement than “it beats every protection ever built.” A research attack shown on two tools is strong evidence of a pattern, not a universal solvent, and LightShed is a research artifact rather than a consumer product.

Why it matters for artists

LightShed does not stand alone, and that is the real story. It sits beside a second, independent result from Hönig, Rando, Carlini and Tramèr (ICLR 2025), who showed that a cheap “noisy upscaling” step removes first-generation art protection well enough that reviewers preferred the copy more than half the time, with best-of-four mimicry success of 56.6% for Glaze, 56.6% for Anti-DreamBooth, and 62.0% for Mist, where 50% means a copy is indistinguishable from one trained on unprotected art. Two separate teams, two separate methods, the same conclusion: the imperceptible perturbations first-generation tools rely on can be detected and removed with modest effort and only black-box access.

The counter-move already exists, though it is unproven. A newer class of tools is built specifically to survive removal. BlurGuard (Kim, Nam, Kim, Kim, Jeong, NeurIPS 2025) reports retaining 92.9% of its protective efficacy after a worst-case purification stack, against 38.5% to 48.4% for earlier methods; StyleGuard (Li, Zhang, Lyu, Liu, Xiao, NeurIPS 2025) trains its perturbation against purifiers and upscalers so simple removal does not strip it; and AntiPure (Yang, Cao, Duan, He, 2025) embeds perturbations meant to “persist under representative purification settings.” The caveat is the same for all three: they are newer than the strongest attacks, none has been independently bypassed, and every survival number is self-reported by the tool’s own authors.

The bottom line

LightShed matters because it makes the arms race concrete. It is a working demonstration that first-generation art protection can be identified and stripped, not a doomsday button and not a tool that hands anyone a clean dataset at the press of a key. Its 99.98% is a detection rate on Nightshade, its generalisation is shown on two tools, and rebuilding an artist’s exact original is harder than removing the poison. If the work matters enough that you need durable control, do not rely on perturbation alone: treat Glaze and Nightshade as deterrents that raise a copier’s cost, and pair them with provenance, licensing, access control, and takedown workflows rather than assuming any single tool is permanent. The same pattern shows up outside images, where Fan, Chen, Liu, Zhang and Yu (ICML 2025) demonstrated a purification attack against protective voice perturbations too.

For how these removal methods fit the wider picture, see can Glaze and Nightshade be bypassed? and does Glaze actually work?; for a side-by-side of every tool, see the AI art-protection scorecard.

Sources

  • Foerster, Behrouzi, Rieger, Jadliwala, Sadeghi (2025). LightShed: Defeating Perturbation-based Image Copyright Protections. USENIX Security 2025.
  • Shan, Ding, Passananti, Wu, Zheng, Zhao (2024). Nightshade: Prompt-Specific Poisoning Attacks on Text-to-Image Generative Models. IEEE S&P 2024.
  • Shan, Cryan, Wenger, Zheng, Hanocka, Zhao (2023). GLAZE: Protecting Artists from Style Mimicry by Text-to-Image Models. USENIX Security 2023.
  • Hönig, Rando, Carlini, Tramèr (2025). Adversarial Perturbations Cannot Reliably Protect Artists From Generative AI. ICLR 2025.
  • Kim, Nam, Kim, Kim, Jeong (2025). BlurGuard: A Simple Approach for Robustifying Image Protection Against AI-Powered Editing. NeurIPS 2025.
  • Li, Zhang, Lyu, Liu, Xiao (2025). StyleGuard: Preventing Text-to-Image-Model-based Style Mimicry Attacks by Style Perturbations. NeurIPS 2025.
  • Yang, Cao, Duan, He (2025). Towards Robust Defense against Customization via Protective Perturbation Resistant to Diffusion-based Purification (AntiPure).
  • Fan, Chen, Liu, Zhang, Yu (2025). De-AntiFake: Rethinking the Protective Perturbations Against Voice Cloning Attacks. ICML 2025.
#lightshed#nightshade#glaze#purification
Get new protection tests & guides

New protection tests, breakdowns and how-long-does-it-hold checks. No spam, unsubscribe anytime.