Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Is Diffusion Model Safe? Severe Data Leakage via Gradient-Guided Diffusion Model

Jiayang Meng, Tao Huang, Hong Chen, Cuiping Li

TL;DR

"Is Diffusion Model Safe? Severe Data Leakage via Gradient-Guided Diffusion Model" demonstrates that leaked gradients in distributed/federated settings can be exploited to reconstruct high-resolution training images by fine-tuning a pre-trained diffusion model under gradient guidance. The authors formalize a gradient-guided fine-tuning objective that aligns generated gradients with leaked ones, enabling reconstruction up to $512\times512$—far beyond prior low-resolution attacks like DLG. Across CIFAR-10, CelebA-HQ, LSUN, and ImageNet, the approach outperforms SOTA baselines in pixel-level fidelity and time efficiency, and shows partial resilience to differential privacy defenses. The work highlights substantial privacy risks from gradient exchanges and points to future directions in strengthening defenses and scaling to higher resolutions, including exploring ViT-based diffusion models."

Abstract

Gradient leakage has been identified as a potential source of privacy breaches in modern image processing systems, where the adversary can completely reconstruct the training images from leaked gradients. However, existing methods are restricted to reconstructing low-resolution images where data leakage risks of image processing systems are not sufficiently explored. In this paper, by exploiting diffusion models, we propose an innovative gradient-guided fine-tuning method and introduce a new reconstruction attack that is capable of stealing private, high-resolution images from image processing systems through leaked gradients where severe data leakage encounters. Our attack method is easy to implement and requires little prior knowledge. The experimental results indicate that current reconstruction attacks can steal images only up to a resolution of $128 \times 128$ pixels, while our attack method can successfully recover and steal images with resolutions up to $512 \times 512$ pixels. Our attack method significantly outperforms the SOTA attack baselines in terms of both pixel-wise accuracy and time efficiency of image reconstruction. Furthermore, our attack can render differential privacy ineffective to some extent.

Is Diffusion Model Safe? Severe Data Leakage via Gradient-Guided Diffusion Model

TL;DR

"Is Diffusion Model Safe? Severe Data Leakage via Gradient-Guided Diffusion Model" demonstrates that leaked gradients in distributed/federated settings can be exploited to reconstruct high-resolution training images by fine-tuning a pre-trained diffusion model under gradient guidance. The authors formalize a gradient-guided fine-tuning objective that aligns generated gradients with leaked ones, enabling reconstruction up to —far beyond prior low-resolution attacks like DLG. Across CIFAR-10, CelebA-HQ, LSUN, and ImageNet, the approach outperforms SOTA baselines in pixel-level fidelity and time efficiency, and shows partial resilience to differential privacy defenses. The work highlights substantial privacy risks from gradient exchanges and points to future directions in strengthening defenses and scaling to higher resolutions, including exploring ViT-based diffusion models."

Abstract

Gradient leakage has been identified as a potential source of privacy breaches in modern image processing systems, where the adversary can completely reconstruct the training images from leaked gradients. However, existing methods are restricted to reconstructing low-resolution images where data leakage risks of image processing systems are not sufficiently explored. In this paper, by exploiting diffusion models, we propose an innovative gradient-guided fine-tuning method and introduce a new reconstruction attack that is capable of stealing private, high-resolution images from image processing systems through leaked gradients where severe data leakage encounters. Our attack method is easy to implement and requires little prior knowledge. The experimental results indicate that current reconstruction attacks can steal images only up to a resolution of pixels, while our attack method can successfully recover and steal images with resolutions up to pixels. Our attack method significantly outperforms the SOTA attack baselines in terms of both pixel-wise accuracy and time efficiency of image reconstruction. Furthermore, our attack can render differential privacy ineffective to some extent.
Paper Structure (28 sections, 9 equations, 17 figures, 8 tables)

This paper contains 28 sections, 9 equations, 17 figures, 8 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Gradient Leakage and Image Reconstruction
  4. Diffusion Models
  5. Gradient as Embedding: Stealing Images via Gradient-Guided Diffusion Model
  6. Gradient-Guided Fine-tuning
  7. Pipelines in Stealing Images
  8. Algorithm Details
  9. Experiments
  10. Experimental Setup
  11. Experiment Results
  12. Comparison with Stealing Capability of DLG
  13. Comparison with Stealing Capability of Additional Baselines
  14. Comparison of Time Efficiency
  15. Noisy Gradients
  16. ...and 13 more sections

Figures (17)

  • Figure 1: Image reconstruction via gradient-guided diffusion model.
  • Figure 2: Reconstruction processes and results of DLG and our method.
  • Figure 3: Comparison of the detail images of the reconstruction results via DLG and our gradient-guided diffusion model.
  • Figure 4: Changing trends of reconstruction loss, Mean Squared Error (MSE) between reconstructed image and target image, as well as the appearance of images with increasing iteration on CelebA-HQ.
  • Figure 5: Reconstruction results of additional SOTA baselines and our method.
  • ...and 12 more figures