Defending Diffusion Models Against Membership Inference Attacks via Higher-Order Langevin Dynamics

Benjamin Sterling, Yousef El-Laham, Mónica F. Bugallo

TL;DR

This work addresses membership inference attacks on diffusion models and proposes a defense based on critically-damped higher-order Langevin dynamics (HOLD++) that introduces auxiliary variables into the forward diffusion to inject randomness early in the process. It provides a theoretical analysis showing HOLD++ achieves Rényi differential privacy with bounds that depend on the initial variance parameter $\epsilon_{\text{num}}$ and the model order, while also relying on the non-deterministic score to further deter attacks. Empirically, the authors validate the approach on a toy dataset and LJ Speech, demonstrating that higher model orders $n$ and larger variance factors $\beta$ reduce membership leakage as measured by AUROC, with FID used to assess sample quality. The results suggest a favorable privacy-utility trade-off for HOLD++ compared to standard DP approaches, and the authors release code for reproducibility.

Abstract

Recent advances in generative artificial intelligence applications have raised new data security concerns. This paper focuses on defending diffusion models against membership inference attacks. This type of attack occurs when the attacker can determine if a certain data point was used to train the model. Although diffusion models are intrinsically more resistant to membership inference attacks than other generative models, they are still susceptible. The defense proposed here utilizes critically-damped higher-order Langevin dynamics, which introduces several auxiliary variables and a joint diffusion process along these variables. The idea is that the presence of auxiliary variables mixes external randomness that helps to corrupt sensitive input data earlier on in the diffusion process. This concept is theoretically investigated and validated on a toy dataset and a speech dataset using the Area Under the Receiver Operating Characteristic (AUROC) curves and the FID metric.

Paper Structure

This paper contains 6 sections, 2 theorems, 17 equations, 3 figures, 1 table, 1 algorithm.

Key Result

Lemma 4.1

The Random Mechanism $f(\mathbf{x}) = \exp(\mathcal{F}t)\mathbf{x} + \boldsymbol{\eta}$ where $\boldsymbol{\eta} \sim \mathcal{N}(\mathbf{0}, \boldsymbol{\Sigma}_t)$ satisfies RDP($\alpha$, $\frac{\alpha \Delta f_t}{2}$).

Figures (3)

  • Figure 1: Generated spirals grouped by model order $n$, variance factor $\beta$, and $\epsilon_{\text{num}}$ for $L^{-1}=1$. 95% confidence intervals of the AUROCs with 25 sample runs are presented.
  • Figure 2: AUROC with 95% confidence intervals for $n$ as a function of diffusion time for the spiral dataset. These are obtained by directly thresholding $R$ (not $\bar{R}$), referring to the paper's algorithm (label `alg:PIAHOLD`).
  • Figure 3: Generated image comparison (left $n=2$, right $n=1$) between model orders 1 and 2 at 190 epochs.

Theorems & Definitions (4)

  • Lemma 4.1
  • proof
  • Lemma 4.2
  • proof