《Towards Black-Box Membership Inference Attack for Diffusion Models》论文笔记

《Towards Black-Box Membership Inference Attack for Diffusion Models》

Abstract

  1. 识别艺术品是否用于训练扩散模型的挑战,重点是人工智能生成的艺术品中的成员推断攻击------copyright protection
  2. 不需要访问内部模型组件的新型黑盒攻击方法
  3. 展示了在评估 DALL-E 生成的数据集方面的卓越性能。

作者主张

previous methods are not yet ready for copyright protection in diffusion models.

Contributions(文章里有三点,我觉得只有两点)

  1. ReDiffuse:using the model's variation API to alter an image and compare it with the original one.
  2. A new MIA evaluation dataset:use the image titles from LAION-5B as prompts for DALL-E's API 31 to generate images of the same contents but different styles.

Algorithm Design

target model:DDIM

为什么要强行引入一个版权保护的概念???

定义black-box variation API

x ^ = V θ ( x , t ) \hat{x}=V_{\theta}(x,t) x^=Vθ(x,t)

细节如下:

总结为: x x x加噪变为 x t x_t xt,再通过DDIM连续降噪变为 x ^ \hat{x} x^

intuition

Our key intuition comes from the reverse SDE dynamics in continuous diffusion models.

one simplified form of the reverse SDE (i.e., the denoise step)
X t = ( X t / 2 − ∇ x log ⁡ p ( X t ) ) + d W t , t ∈ 0 , T (3) X_t=(X_t/2-\nabla_x\log p(X_t))+dW_t,t\in0,T\tag{3} Xt=(Xt/2−∇xlogp(Xt))+dWt,t∈0,T(3)

The key guarantee is that when the score function is learned for a data point x, then the reconstructed image x ^ i \hat{x}_i x^i is an unbiased estimator of x x x.(算是过拟合的另一种说法吧)

Hence,averaging over multiple independent samples x ^ i \hat{x}_i x^i would greatly reduce the estimation error (see Theorem 1).

On the other hand, for a non-member image x ′ x' x′, the unbiasedness of the denoised image is not guaranteed.

details of algorithm:

  1. independently apply the black-box variation API n times with our target image x as input
  2. average the output images
  3. compare the average result x ^ \hat{x} x^ with the original image.

evaluate the difference between the images using an indicator function:
f ( x ) = 1 D ( x , x \^ ) \< τ f(x)=1D(x,\\hat{x})\<\\tau f(x)=1D(x,x\^)\<τ

A sample is classified to be in the training set if D ( x , x ^ ) D(x,\hat{x}) D(x,x^) is smaller than a threshold τ \tau τ ( D ( x , x ^ ) D(x,\hat{x}) D(x,x^) represents the difference between the two images)

ReDiffuse
Theoretical Analysis

什么是sampling interval???

MIA on Latent Diffusion Models

泛化到latent diffusion model,即Stable Diffusion

ReDiffuse+

variation API for stable diffusion is different from DDIM, as it includes the encoder-decoder process.
z = E n c o d e r ( x ) , z t = α ‾ t z + 1 − α ‾ t ϵ , z ^ = Φ θ ( z t , 0 ) , x ^ = D e c o d e r ( z ^ ) (4) z={\rm Encoder}(x),\quad z_t=\sqrt{\overline{\alpha}_t}z+\sqrt{1-\overline{\alpha}t}\epsilon,\quad \hat{z}=\Phi{\theta}(z_t,0),\quad \hat{x}={\rm Decoder}(\hat{z})\tag{4} z=Encoder(x),zt=αt z+1−αt ϵ,z^=Φθ(zt,0),x^=Decoder(z^)(4)
modification of the algorithm

independently adding random noise to the original image twice and then comparing the differences between the two restored images x ^ 1 \hat{x}_1 x^1 and x ^ 2 \hat{x}_2 x^2:
f ( x ) = 1 D ( x \^ 1 , x \^ 2 ) \< τ f(x)=1D(\\hat{x}_1,\\hat{x}_2)\<\\tau f(x)=1D(x\^1,x\^2)\<τ

Experiments

Evaluation Metrics
  1. AUC
  2. ASR
  3. TPR@1%FPR
same experiment's setup in previous papers 5, 18.
target model DDIM Stable Diffusion
version 《Are diffusion models vulnerable to membership inference attacks?》 original:stable diffusion-v1-5 provided by Huggingface
dataset CIFAR10/100,STL10-Unlabeled,Tiny-Imagenet member set:LAION-5B,corresponding 500 images from LAION-5;non-member set:COCO2017-val,500 images from DALL-E3
T 1000 1000
k 100 10
baseline methods 5Are diffusion models vulnerable to membership inference attacks?: SecMIA 18An efficient membership inference attack for the diffusion model by proximal initialization. 28Membership inference attacks against diffusion models
publication International Conference on Machine Learning arXiv preprint 2023 IEEE Security and Privacy Workshops (SPW)
Ablation Studies
  1. The impact of average numbers
  2. The impact of diffusion steps
  3. The impact of sampling intervals
相关推荐
编程(变成)小辣鸡3 小时前
如何防止接口被恶意刷?
java·后端·网络安全
ylscode9 小时前
OpenSSH 10.4 正式发布:后量子加密落地,多项高危漏洞得到修复
网络·安全·网络安全
HackTwoHub17 小时前
ARL灯塔重构版:支持APP/小程序/WEB资产同步扫描
人工智能·安全·web安全·网络安全·小程序·重构·自动化
ccino .19 小时前
Hackerone-地址栏xss
网络安全·xss
数据知道20 小时前
网络安全工具箱:100+ 工具分类速查与选型建议
安全·web安全·网络安全
txg66620 小时前
路径级持久化模糊测试:XSSky 如何精准击破 XSS 漏洞
深度学习·安全·web安全·网络安全·xss
红信鸽21 小时前
2026 年 AI 钓鱼攻击现状与防御深度解析
网络安全
chnyi6_ya1 天前
论文阅读笔记:VideoWeaver — 面向智能体长视频生成的技能评估与进化
论文阅读·笔记·音视频
数据知道1 天前
安全实验室搭建指南:一台电脑搭出完整靶场环境
安全·网络安全·电脑
LYFlied2 天前
EVMbench解读:AI Agent如何检测、修复并利用智能合约漏洞
人工智能·网络安全·openai·智能合约·ai agent·evm·智能合约区块链