Table of Contents
Fetching ...

VidLeaks: Membership Inference Attacks Against Text-to-Video Models

Li Wang, Wenyu Chen, Ning Yu, Zheng Li, Shanqing Guo

TL;DR

VidLeaks introduces the first systematic membership inference attacks against text-to-video (T2V) models by targeting sparse-temporal memorization with two signals: $S_{SRF}$ for sparse spatial fidelity and $S_{TGS}$ for stable temporal dynamics. SRF uses Top-$K$ keyframe matching to amplify memorization on salient anchors, while TGS measures cross-generation semantic stability across multiple queries, combining them in a fusion framework. The attack is evaluated under three black-box threat models (Supervised, Reference-based, Query-only) on AnimateDiff, Mira, and InstructVideo, obtaining strong leakage—e.g., AUCs of $82.92\%$ to $97.01\%$ and notable low-FPR TPRs—even in the most restrictive query-only setting. The results reveal that modern T2V models memorize training data in both spatial and temporal dimensions, underscoring privacy and copyright concerns and motivating defense-friendly auditing and data curation strategies. $SRF$ and $TGS$ are shown to be complementary across architectures and threat models, providing a foundation for future privacy-preserving video generation research.

Abstract

The proliferation of powerful Text-to-Video (T2V) models, trained on massive web-scale datasets, raises urgent concerns about copyright and privacy violations. Membership inference attacks (MIAs) provide a principled tool for auditing such risks, yet existing techniques - designed for static data like images or text - fail to capture the spatio-temporal complexities of video generation. In particular, they overlook the sparsity of memorization signals in keyframes and the instability introduced by stochastic temporal dynamics. In this paper, we conduct the first systematic study of MIAs against T2V models and introduce a novel framework VidLeaks, which probes sparse-temporal memorization through two complementary signals: 1) Spatial Reconstruction Fidelity (SRF), using a Top-K similarity to amplify spatial memorization signals from sparsely memorized keyframes, and 2) Temporal Generative Stability (TGS), which measures semantic consistency across multiple queries to capture temporal leakage. We evaluate VidLeaks under three progressively restrictive black-box settings - supervised, reference-based, and query-only. Experiments on three representative T2V models reveal severe vulnerabilities: VidLeaks achieves AUC of 82.92% on AnimateDiff and 97.01% on InstructVideo even in the strict query-only setting, posing a realistic and exploitable privacy risk. Our work provides the first concrete evidence that T2V models leak substantial membership information through both sparse and temporal memorization, establishing a foundation for auditing video generation systems and motivating the development of new defenses. Code is available at: https://zenodo.org/records/17972831.

VidLeaks: Membership Inference Attacks Against Text-to-Video Models

TL;DR

VidLeaks introduces the first systematic membership inference attacks against text-to-video (T2V) models by targeting sparse-temporal memorization with two signals: for sparse spatial fidelity and for stable temporal dynamics. SRF uses Top- keyframe matching to amplify memorization on salient anchors, while TGS measures cross-generation semantic stability across multiple queries, combining them in a fusion framework. The attack is evaluated under three black-box threat models (Supervised, Reference-based, Query-only) on AnimateDiff, Mira, and InstructVideo, obtaining strong leakage—e.g., AUCs of to and notable low-FPR TPRs—even in the most restrictive query-only setting. The results reveal that modern T2V models memorize training data in both spatial and temporal dimensions, underscoring privacy and copyright concerns and motivating defense-friendly auditing and data curation strategies. and are shown to be complementary across architectures and threat models, providing a foundation for future privacy-preserving video generation research.

Abstract

The proliferation of powerful Text-to-Video (T2V) models, trained on massive web-scale datasets, raises urgent concerns about copyright and privacy violations. Membership inference attacks (MIAs) provide a principled tool for auditing such risks, yet existing techniques - designed for static data like images or text - fail to capture the spatio-temporal complexities of video generation. In particular, they overlook the sparsity of memorization signals in keyframes and the instability introduced by stochastic temporal dynamics. In this paper, we conduct the first systematic study of MIAs against T2V models and introduce a novel framework VidLeaks, which probes sparse-temporal memorization through two complementary signals: 1) Spatial Reconstruction Fidelity (SRF), using a Top-K similarity to amplify spatial memorization signals from sparsely memorized keyframes, and 2) Temporal Generative Stability (TGS), which measures semantic consistency across multiple queries to capture temporal leakage. We evaluate VidLeaks under three progressively restrictive black-box settings - supervised, reference-based, and query-only. Experiments on three representative T2V models reveal severe vulnerabilities: VidLeaks achieves AUC of 82.92% on AnimateDiff and 97.01% on InstructVideo even in the strict query-only setting, posing a realistic and exploitable privacy risk. Our work provides the first concrete evidence that T2V models leak substantial membership information through both sparse and temporal memorization, establishing a foundation for auditing video generation systems and motivating the development of new defenses. Code is available at: https://zenodo.org/records/17972831.
Paper Structure (62 sections, 7 equations, 10 figures, 10 tables, 3 algorithms)

This paper contains 62 sections, 7 equations, 10 figures, 10 tables, 3 algorithms.

Figures (10)

  • Figure 1: Illustration of the T2V generation process.
  • Figure 2: Differences between members and non-members under SRF and TGS signals. (a) Distribution of SRF scores computed from Top-$K$ similarities. (b) Per-dimension TGS instability across repeated generations.
  • Figure 3: Overview of our sparse-temporal MIA framework. The attack begins with only a target video. A public video captioning tool generates a proxy text, which is then used to query the T2V model. The signal extraction stage computes SRF and TGS from the original and generated videos. Finally, the membership inference module, instantiated according to the threat model, outputs the final membership decision.
  • Figure 4: ROC curves for the supervised attack on different T2V models.
  • Figure 5: ROC curves for the reference-based attack on different T2V models.
  • ...and 5 more figures