
Membership Inference Attacks on Diffusion Models via Quantile Regression (2312.05140v1)

Published 8 Dec 2023 in cs.LG and cs.CR

Abstract: Recently, diffusion models have become popular tools for image synthesis because of their high-quality outputs. However, like other large-scale models, they may leak private information about their training data. Here, we demonstrate a privacy vulnerability of diffusion models through a membership inference (MI) attack, which aims to identify whether a target example belongs to the training set when given the trained diffusion model. Our proposed MI attack learns quantile regression models that predict (a quantile of) the distribution of reconstruction loss on examples not used in training. This allows us to define a granular hypothesis test for determining the membership of a point in the training set, based on thresholding the reconstruction loss of that point using a custom threshold tailored to the example. We also provide a simple bootstrap technique that takes a majority membership prediction over "a bag of weak attackers", which improves the accuracy over individual quantile regression models. We show that our attack outperforms the prior state-of-the-art attack while being substantially less computationally expensive -- prior attacks required training multiple "shadow models" with the same architecture as the model under attack, whereas our attack requires training only much smaller models.
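The hypothesis test in the abstract can be run as a privacy audit on constructed data. The sketch below is an added example, not the paper's code: it fits bootstrap quantile regressors on non-member losses, flags a point as a member when its loss falls below the per-example threshold (majority vote), and compares the result with a single global threshold at the same false-positive target. Assumptions: a scalar feature `x` stands in for the example itself, the regressor is linear, members have a constructed loss gap of 0.4, and all function names are hypothetical.

```python
import numpy as np

def fit_quantile(x, y, alpha, steps=2000, lr=0.5):
    """Linear quantile regression q(x) = w0 + w1*x via subgradient descent on pinball loss."""
    X = np.column_stack([np.ones_like(x), x])
    w = np.linalg.lstsq(X, y, rcond=None)[0]   # initialise at the conditional mean
    for _ in range(steps):
        r = y - X @ w
        # pinball subgradient: weight alpha above the line, alpha - 1 below it
        w += lr * X.T @ np.where(r > 0, alpha, alpha - 1.0) / len(y)
    return w

def predict(w, x):
    return w[0] + w[1] * x

def bagged_vote(models, x, loss):
    """'Member' if most bootstrap regressors see the loss below their own threshold."""
    votes = np.mean([loss < predict(w, x) for w in models], axis=0)
    return votes > 0.5

def audit(alpha=0.05, n=2000, bags=7, seed=0):
    rng = np.random.default_rng(seed)

    def losses(member):
        # Constructed data, not real diffusion-model reconstruction losses:
        # loss grows with example "difficulty" x; members are reconstructed better.
        x = rng.uniform(0, 1, n)
        return x, 1.0 + 2.0 * x + rng.normal(0, 0.2, n) - (0.4 if member else 0.0)

    x_pub, l_pub = losses(False)   # non-members the auditor can train on
    x_out, l_out = losses(False)   # held-out non-members (measures FPR)
    x_in, l_in = losses(True)      # training-set members (measures TPR)
    models = []
    for _ in range(bags):          # bag of weak regressors on bootstrap resamples
        idx = rng.integers(0, n, n)
        models.append(fit_quantile(x_pub[idx], l_pub[idx], alpha))
    global_thr = np.quantile(l_pub, alpha)   # one threshold for every example
    return {
        "fpr_per_example": float(np.mean(bagged_vote(models, x_out, l_out))),
        "tpr_per_example": float(np.mean(bagged_vote(models, x_in, l_in))),
        "fpr_global": float(np.mean(l_out < global_thr)),
        "tpr_global": float(np.mean(l_in < global_thr)),
    }

if __name__ == "__main__":
    print(audit())
```

On this constructed data both tests hold the false-positive rate near `alpha`, but the per-example threshold identifies far more members, which is the leakage a single global threshold would under-report.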
