Are Diffusion Models Vulnerable to Membership Inference Attacks?

Jinhao Duan, Fei Kong, Shiqi Wang, Xiaoshuang Shi, Kaidi Xu

TL;DR

This work investigates privacy risks of diffusion-based generative models under membership inference. It shows that existing MIAs designed for GANs/VAEs largely fail on diffusion models, likely due to diffusion-specific properties and evaluation regimes. To address this, the authors introduce SecMI, a step-wise, query-based MIA that leverages forward-process posterior estimation errors, and demonstrate strong membership inference across DDPMs, Latent Diffusion Models, and Stable Diffusion on multiple datasets. The results reveal significant privacy leakage in diffusion models and underscore the need for targeted defenses and privacy-aware diffusion modeling in real-world deployments.

Abstract

Diffusion-based generative models have shown great potential for image synthesis, but there is a lack of research on the security and privacy risks they may pose. In this paper, we investigate the vulnerability of diffusion models to Membership Inference Attacks (MIAs), a common privacy concern. Our results indicate that existing MIAs designed for GANs or VAEs are largely ineffective on diffusion models, either due to inapplicable scenarios (e.g., requiring the discriminator of GANs) or inappropriate assumptions (e.g., closer distances between synthetic samples and member samples). To address this gap, we propose Step-wise Error Comparing Membership Inference (SecMI), a query-based MIA that infers membership by assessing the matching of forward process posterior estimation at each timestep. SecMI follows the common overfitting assumption in MIA where member samples normally have smaller estimation errors, compared with hold-out samples. We consider both the standard diffusion models, e.g., DDPM, and the text-to-image diffusion models, e.g., Latent Diffusion Models and Stable Diffusion. Experimental results demonstrate that our methods precisely infer membership with high confidence in both scenarios across multiple different datasets. Code is available at https://github.com/jinhaoduan/SecMI.
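For a privacy audit of a trained diffusion model, the leakage metrics this page reports (ROC/AUC, ASR, TPR at low FPR, threshold $\tau$) can be computed from per-sample error scores as follows. This is an added example, not code from the paper or the SecMI repository: the scores are constructed, the function names are hypothetical, ASR is assumed to mean best-threshold accuracy, and computing the $t$-error itself is out of scope here.

```python
# Added example: audit metrics for a threshold rule "member if score <= tau".
# Scores stand in for per-sample t-errors; these values are constructed.
MEMBER = [0.10, 0.12, 0.15, 0.20, 0.22, 0.30]    # samples seen in training
HOLDOUT = [0.18, 0.25, 0.28, 0.35, 0.40, 0.45]   # samples never seen

def sweep(member, holdout):
    """Return [(tau, tp, fp)] for every candidate threshold tau."""
    pts = [(float("-inf"), 0, 0)]                # nothing flagged as member
    for tau in sorted(set(member) | set(holdout)):
        tp = sum(s <= tau for s in member)       # members correctly flagged
        fp = sum(s <= tau for s in holdout)      # hold-out wrongly flagged
        pts.append((tau, tp, fp))
    return pts

def audit(member, holdout, max_fpr=0.01):
    """Summarise membership leakage: AUC, ASR (assumed: best accuracy),
    the threshold tau achieving it, and TPR at a capped FPR."""
    m, h = len(member), len(holdout)
    pts = sweep(member, holdout)
    roc = [(fp / h, tp / m) for _, tp, fp in pts]
    # Trapezoidal area under the ROC curve; tied scores become diagonals.
    auc = sum((f1 - f0) * (t0 + t1) / 2
              for (f0, t0), (f1, t1) in zip(roc, roc[1:]))
    # Best threshold maximises correct decisions: TP + TN.
    tau, tp, fp = max(pts, key=lambda p: p[1] + (h - p[2]))
    return {
        "auc": auc,
        "asr": (tp + h - fp) / (m + h),
        "tau": tau,
        "tpr_at_fpr": max(t for f, t in roc if f <= max_fpr),
    }

if __name__ == "__main__":
    for name, value in audit(MEMBER, HOLDOUT).items():
        print(f"{name}: {value:.4f}")
```

An AUC and ASR near 0.5 mean the scores do not separate members from hold-out samples; TPR at a very low FPR is the figure to watch for high-confidence leakage.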

Paper Structure (24 sections, 21 equations, 9 figures, 7 tables)

Figures (9)

  • Figure 1: Comparing the TPR vs. FPR of prior MIAs designed for generative models. Evaluations are conducted on DDPM with half of the CIFAR-10 training split as the member set and the other half as the hold-out set. Prior MIAs are largely ineffective on DDPM.
  • Figure 2: Comparisons of $t$-errors for samples from the member and hold-out sets. Since the magnitudes are different at each step $t$, we set the $t$-errors of the member set to 1 at every timestep and report the relative sizes of the $t$-errors of the hold-out set. It is shown that samples from the hold-out set have higher $t$-errors compared with samples from the member set, proving that $t$-error is an effective metric for identifying memberships.
  • Figure 3: The $\tilde{\ell}_{t_{\textsc{SEC}}, x_0}$ and $f_{\mathcal{A}}(\tilde{\ell}_{t_{\textsc{SEC}}, x_0})$ distributions for samples from member set and hold-out set. It is clear that $t$-error is a desirable indicator for membership identification. The vertical black line refers to the selected threshold $\tau$ for each figure.
  • Figure 4: ROC curves of SecMI on CIFAR-10 and Tiny-IN datasets. The overall ROC curves show that our methods are largely effective on diffusion models. The log-scaled ROC curves indicate that our methods are capable of generating high-confidence predictions.
  • Figure 5: AUC and ASR of SecMI$_{stat}$ vs. timestep, among four datasets. The attack performances are stable and not sensitive to the selection of timestep $t_{\textsc{SEC}}$.
  • ...and 4 more figures

Theorems & Definitions (1)

  • Definition 4.1: $t$-error