Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Low Resource Reconstruction Attacks Through Benign Prompts

Sol Yarkoni, Mahmood Sharif, Roi Livni

TL;DR

The paper investigates privacy and copyright risks in diffusion-based models by introducing a low-resource reconstruction attack that uses benign prompts and domain knowledge rather than training-data access. It collects a diverse set of prompts drawn from e-commerce and PoD templates, searches for near-duplicates with segmentation-guided masking and CLIP-based clique analysis, and traces sources to real-world products, revealing template memorization that extends beyond verbatim copies. Key findings include large-scale template memorization (11,400 images) across multiple models, visible copies of real humans, and persistent leakage and interpolations even in newer models (e.g., SD 3.5 and Midjourney under constrained prompts), highlighted by a user study validating perceptual copying. The work underscores practical privacy risks posed by template-based memorization and argues for rethinking data stewardship and mitigation strategies in generative systems, supported by publicly released code for replication.

Abstract

Recent advances in generative models, such as diffusion models, have raised concerns related to privacy, copyright infringement, and data stewardship. To better understand and control these risks, prior work has introduced techniques and attacks that reconstruct images, or parts of images, from training data. While these results demonstrate that training data can be recovered, existing methods often rely on high computational resources, partial access to the training set, or carefully engineered prompts. In this work, we present a new attack that requires low resources, assumes little to no access to the training data, and identifies seemingly benign prompts that can lead to potentially risky image reconstruction. We further show that such reconstructions may occur unintentionally, even for users without specialized knowledge. For example, we observe that for one existing model, the prompt ``blue Unisex T-Shirt'' generates the face of a real individual. Moreover, by combining the identified vulnerabilities with real-world prompt data, we discover prompts that reproduce memorized visual elements. Our approach builds on insights from prior work and leverages domain knowledge to expose a fundamental vulnerability arising from the use of scraped e-commerce data, where templated layouts and images are closely tied to pattern-like textual prompts. The code for our attack is publicly available at https://github.com/TheSolY/lr-tmi.

Low Resource Reconstruction Attacks Through Benign Prompts

TL;DR

The paper investigates privacy and copyright risks in diffusion-based models by introducing a low-resource reconstruction attack that uses benign prompts and domain knowledge rather than training-data access. It collects a diverse set of prompts drawn from e-commerce and PoD templates, searches for near-duplicates with segmentation-guided masking and CLIP-based clique analysis, and traces sources to real-world products, revealing template memorization that extends beyond verbatim copies. Key findings include large-scale template memorization (11,400 images) across multiple models, visible copies of real humans, and persistent leakage and interpolations even in newer models (e.g., SD 3.5 and Midjourney under constrained prompts), highlighted by a user study validating perceptual copying. The work underscores practical privacy risks posed by template-based memorization and argues for rethinking data stewardship and mitigation strategies in generative systems, supported by publicly released code for replication.

Abstract

Recent advances in generative models, such as diffusion models, have raised concerns related to privacy, copyright infringement, and data stewardship. To better understand and control these risks, prior work has introduced techniques and attacks that reconstruct images, or parts of images, from training data. While these results demonstrate that training data can be recovered, existing methods often rely on high computational resources, partial access to the training set, or carefully engineered prompts. In this work, we present a new attack that requires low resources, assumes little to no access to the training data, and identifies seemingly benign prompts that can lead to potentially risky image reconstruction. We further show that such reconstructions may occur unintentionally, even for users without specialized knowledge. For example, we observe that for one existing model, the prompt ``blue Unisex T-Shirt'' generates the face of a real individual. Moreover, by combining the identified vulnerabilities with real-world prompt data, we discover prompts that reproduce memorized visual elements. Our approach builds on insights from prior work and leverages domain knowledge to expose a fundamental vulnerability arising from the use of scraped e-commerce data, where templated layouts and images are closely tied to pattern-like textual prompts. The code for our attack is publicly available at https://github.com/TheSolY/lr-tmi.

Paper Structure

This paper contains 29 sections, 16 figures.

Table of Contents

  1. Introduction
  2. Related Work
  3. Background and Existing Attacks
  4. Random selection
  5. Training data duplication
  6. One-Step Synthesis
  7. Our Attack
  8. Data Collection
  9. Collections from previous work
  10. Searching near-duplicates
  11. Tracing the Source Image
  12. Results
  13. Images with identified source
  14. Real Humans
  15. Comparison with previous attacks
  16. ...and 14 more sections

Figures (16)

  • Figure 1: An image that we generated on a SD 1.4 with the prompt "Walter White wall mural" that was extracted from the database of real-world used prompts DiffusionDB SDprompts (right). On its left a corresponding source image the contains elements that were copied. See \ref{['ssec:prompts_in_the_wild']} for further details.
  • Figure 2: Examples of template-memorized images reconstructed through our attack on SD 1.4. For each pair, the source image (left), the generated image (center), and the corresponding text prompt (right) are shown.
  • Figure 3: Examples of image cliques found through our segmentation and masking method. Segmentation category is listed in brackets.
  • Figure 4: Number of collocations tested vs the number of identified image templates, mean of 5 permutations.
  • Figure 5: Examples across product categories, showing different prompt themes (columns) and their corresponding real source image (last column).
  • ...and 11 more figures