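[Paper Review] Are Diffusion Models Vulnerable to Membership Inference Attacks?
This paper shows that existing MIAs designed for GANs/VAEs barely work on diffusion models, and introduces SecMI. SecMI is a step-wise error-based, query-driven MIA that effectively infers membership for diffusion models including DDPM, LDMs, and Stable Diffusion.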
Diffusion-based generative models have shown great potential for image synthesis, but there is a lack of research on the security and privacy risks they may pose. In this paper, we investigate the vulnerability of diffusion models to Membership Inference Attacks (MIAs), a common privacy concern. Our results indicate that existing MIAs designed for GANs or VAE are largely ineffective on diffusion models, either due to inapplicable scenarios (e.g., requiring the discriminator of GANs) or inappropriate assumptions (e.g., closer distances between synthetic samples and member samples). To address this gap, we propose Step-wise Error Comparing Membership Inference (SecMI), a query-based MIA that infers memberships by assessing the matching of forward process posterior estimation at each timestep. SecMI follows the common overfitting assumption in MIA where member samples normally have smaller estimation errors, compared with hold-out samples. We consider both the standard diffusion models, e.g., DDPM, and the text-to-image diffusion models, e.g., Latent Diffusion Models and Stable Diffusion. Experimental results demonstrate that our methods precisely infer the membership with high confidence on both of the two scenarios across multiple different datasets. Code is available at https://github.com/jinhaoduan/SecMI.
Research Motivation and Objectives
- Assess whether existing membership inference attacks (MIAs) designed for GANs/VAEs apply to diffusion models.
- Evaluate diffusion models (DDPM, Latent Diffusion Models, Stable Diffusion) against conventional MIAs.
- Develop a diffusion-specific MIA leveraging forward-process posterior estimation.
- Demonstrate SecMI's effectiveness across multiple datasets and diffusion-model variants.
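Proposed Method
- Evaluates five MIAs designed for generative models on diffusion models (using CIFAR-10 splits and shadow models where needed).
- Develops SecMI, a query-based MIA that compares the step-wise posterior estimation error at each diffusion timestep.
- Formalizes a t-error metric that approximates the posterior estimation error, and proves its convergence under the conditions of the training objective.
- Implements SecMI in two variants: SecMI stat (statistical thresholding) and SecMI NNs (neural-network-based inference).
- Extends SecMI to large text-to-image diffusion models such as Latent Diffusion Models and Stable Diffusion.
Experimental Results
Research Questions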
- RQ1: Do existing MIAs for GANs/VAEs effectively disclose membership in diffusion models?
- RQ2: Can a diffusion-specific MIA leverage forward-process posterior estimation to reveal membership?
- RQ3: How well does SecMI perform across standard DDPMs, Latent Diffusion Models, and Stable Diffusion on multiple datasets?
- RQ4: What is the impact of training dynamics and data augmentations on SecMI's effectiveness?
Key Findings
- Existing MIAs largely fail to reveal membership in diffusion models under standard evaluation settings.
- SecMI, a step-wise error–based MIA, achieves high attack success and discrimination metrics across diffusion models and datasets.
- SecMI variants achieve strong performance in both statistics-based and neural-network-based inference.
- SecMI generalizes to Latent Diffusion Models and large pre-trained Stable Diffusion models.
- Data augmentations can modestly reduce SecMI effectiveness, while some defenses (like aggressive DP training) may prevent model convergence.
This review was generated by AI and checked by a human editor.