Recent advances in score-based generative models have led to a huge spike in the development of downstream applications using generative models, ranging from data augmentation through image and video generation to anomaly detection. Despite publicly available trained models, their potential to be used for privacy-preserving data sharing has not been fully explored yet. Training diffusion models on private data and disseminating the models and weights rather than the raw dataset paves the way for innovative large-scale data-sharing strategies, particularly in healthcare, where safeguarding patients' personal health information is paramount. However, publishing such models without individual consent of, e.g., the patients from whom the data was acquired, necessitates guarantees that identifiable training samples will never be reproduced, thus protecting personal health data and satisfying the requirements of policymakers and regulatory bodies. This paper introduces a method for estimating the upper bound of the probability of reproducing identifiable training images during the sampling process. This is achieved by designing an adversarial approach that searches for anatomic fingerprints, such as medical devices or dermal art, which could potentially be employed to re-identify training images. Our method harnesses the learned score-based model to estimate the probability of the entire subspace of the score function that may be utilized for one-to-one reproduction of training samples. To validate our estimates, we generate anomalies containing a fingerprint and investigate whether generated samples from trained generative models can be uniquely mapped to the original training samples. Overall, our results show that privacy-breaching images are reproduced at sampling time if the models were trained without care.