Diffusion models have attracted attention in recent years as innovative generative models. In this paper, we investigate whether a diffusion model is resistant to a membership inference attack, which evaluates the privacy leakage of a machine learning model. We primarily discuss the diffusion model from the standpoints of comparison with a generative adversarial network (GAN) as conventional models and hyperparameters unique to the diffusion model, i.e., time steps, sampling steps, and sampling variances. We conduct extensive experiments with DDIM as a diffusion model and DCGAN as a GAN on the CelebA and CIFAR-10 datasets in both white-box and black-box settings and then confirm if the diffusion model is comparably resistant to a membership inference attack as GAN. Next, we demonstrate that the impact of time steps is significant and intermediate steps in a noise schedule are the most vulnerable to the attack. We also found two key insights through further analysis. First, we identify that DDIM is vulnerable to the attack for small sample sizes instead of achieving a lower FID. Second, sampling steps in hyperparameters are important for resistance to the attack, whereas the impact of sampling variances is quite limited.

翻译：近年来，扩散模型作为创新性生成模型备受关注。本文探究扩散模型是否对成员推理攻击具有抵抗性——该攻击用于评估机器学习模型的隐私泄露风险。我们主要从与传统模型生成对抗网络（GAN）的对比以及扩散模型特有的超参数（即时间步、采样步与采样方差）两个角度展开讨论。通过在CelebA和CIFAR-10数据集上以DDIM作为扩散模型、DCGAN作为GAN进行白盒与黑盒场景下的广泛实验，我们验证了扩散模型是否与GAN具有相当的成员推理攻击抵抗力。实验表明，时间步的影响显著，且噪声调度中的中间步最易受攻击。通过进一步分析，我们获得两个关键发现：其一，DDIM在小样本规模下更易受攻击，而非在获得较低FID时；其二，超参数中的采样步对攻击抵抗力至关重要，而采样方差的影响则相当有限。