Diffusion-based generative models have shown great potential for image synthesis, but there is a lack of research on the security and privacy risks they may pose. In this paper, we investigate the vulnerability of diffusion models to Membership Inference Attacks (MIAs), a common privacy concern. Our results indicate that existing MIAs designed for GANs or VAEs are largely ineffective on diffusion models, either due to inapplicable scenarios (e.g., requiring the discriminator of GANs) or inappropriate assumptions (e.g., closer distances between synthetic images and member images). To address this gap, we propose Step-wise Error Comparing Membership Inference (SecMI), a black-box MIA that infers membership by assessing the matching of the forward process posterior estimation at each timestep. SecMI follows the common overfitting assumption in MIA, where member samples normally have smaller estimation errors than hold-out samples. We consider both standard diffusion models, e.g., DDPM, and text-to-image diffusion models, e.g., Stable Diffusion. Experimental results demonstrate that our methods precisely infer membership with high confidence in both scenarios across six different datasets.
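The overfitting assumption above can be checked on a toy model, as an added illustration that is not code from the paper. The abstract does not give SecMI's error measure, so this sketch uses a simplified proxy (noise-prediction error at two assumed timesteps) on a constructed model that has memorized its training set; all names, schedule values and data are assumptions.

```python
import numpy as np

# Constructed toy setup: 8-D Gaussian "images"; nothing here comes from the paper.
rng = np.random.default_rng(0)
DIM, N = 8, 50
members = rng.normal(size=(N, DIM))   # data the toy model was "trained" on
holdout = rng.normal(size=(N, DIM))   # same distribution, never seen
ALPHA_BAR = {"t_small": 0.9, "t_mid": 0.5}  # assumed cumulative schedule values

def predict_noise(x_t, alpha_bar, train):
    """Noise prediction of a fully overfit model: the exact minimizer of the
    DDPM loss on `train`, whose x0 estimate is a posterior-weighted average
    of the training points."""
    d2 = ((x_t[None, :] - np.sqrt(alpha_bar) * train) ** 2).sum(axis=1)
    logw = -d2 / (2.0 * (1.0 - alpha_bar))
    w = np.exp(logw - logw.max())       # stabilized softmax weights
    w /= w.sum()
    x0_hat = w @ train
    return (x_t - np.sqrt(alpha_bar) * x0_hat) / np.sqrt(1.0 - alpha_bar)

def stepwise_error(x0, train, seed):
    """Mean noise-estimation error over the probed timesteps (lower = better fit)."""
    local = np.random.default_rng(seed)
    errs = []
    for ab in ALPHA_BAR.values():
        eps = local.normal(size=x0.shape)
        x_t = np.sqrt(ab) * x0 + np.sqrt(1.0 - ab) * eps   # forward diffusion
        errs.append(np.linalg.norm(eps - predict_noise(x_t, ab, train)))
    return float(np.mean(errs))

def auc(member_scores, holdout_scores):
    """Probability that a random member has a lower error than a random hold-out."""
    m = np.asarray(member_scores)[:, None]
    h = np.asarray(holdout_scores)[None, :]
    return float((m < h).mean() + 0.5 * (m == h).mean())

def audit():
    """Score every sample against the memorizing model and summarize leakage."""
    m = [stepwise_error(x, members, i) for i, x in enumerate(members)]
    h = [stepwise_error(x, members, 1000 + i) for i, x in enumerate(holdout)]
    return m, h, auc(m, h)

if __name__ == "__main__":
    m, h, score = audit()
    print(f"member err {np.mean(m):.3f}  hold-out err {np.mean(h):.3f}  AUC {score:.3f}")
```

An AUC near 0.5 would mean the error carries no membership signal; the memorizing toy model sits close to 1.0, which is the gap a privacy audit of a trained model looks for.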