Identity-Focused Inference and Extraction Attacks on Diffusion Models

Jayneel Vora, Aditya Krishnan, Nader Bouacida, Prabhu RV Shankar, Prasant Mohapatra

TL;DR

This paper introduces a novel identity inference framework for holding model owners accountable for including individuals' identities in their training data. It moves beyond traditional membership inference attacks by focusing on identity-level inference, providing a new perspective on data privacy violations.

Abstract

The increasing reliance on diffusion models for generating synthetic images has amplified concerns about the unauthorized use of personal data, particularly facial images, in model training. In this paper, we introduce a novel identity inference framework to hold model owners accountable for including individuals' identities in their training data. Our approach moves beyond traditional membership inference attacks by focusing on identity-level inference, providing a new perspective on data privacy violations. Through comprehensive evaluations on two facial image datasets, Labeled Faces in the Wild (LFW) and CelebA, our experiments demonstrate that the proposed membership inference attack surpasses baseline methods, achieving an attack success rate of up to 89% and an AUC-ROC of 0.91, while the identity inference attack attains 92% on LDM models trained on LFW, and the data extraction attack achieves 91.6% accuracy on DDPMs, validating the effectiveness of our approach across diffusion models.

Paper Structure

This paper contains 19 sections, 15 equations, 5 figures, 3 tables.

Figures (5)

  • Figure 1: Overview of the denoising process in diffusion models with attack objectives: (1) Membership inference attack: determining if a specific query image was used in the training dataset. (2) Identity inference attack: verifying whether any data point related to the query image's identity was part of the training set. (3) Inferred identity generation attack: generating new data points related to the query image's identity used in the training dataset.
  • Figure 2: AUC-ROC and confidence value distributions for different face mask occlusion types on the CelebA dataset. The method shows the highest ASR for 'Ey' (eyes occluded), while occlusions involving the mouth (M) lead to reduced ASR. Confidence value ranges highlight the robustness of the inference mechanism for partial occlusions.
  • Figure 3: Comparison of Attack Accuracy and Area Under Curve (AUC-ROC) across different diffusion models (DDPM, DDIM, LDM) using varying numbers of query images. The diffusion models are trained on LFW. The figure illustrates the performance of identity inference attacks using 1, 3, 5, 8, and 10 query images.
  • Figure 4: AUC-ROC vs. Sampling Time Steps for Different Datasets: LFW, CelebA, and LFW+CelebA, for query image lists of size 5.
  • Figure 5: One example of data extraction success, where an image of Justin Timberlake was queried from the LFW dataset.