Diffusion-based generative models have shown great potential for image synthesis, but there is a lack of research on the security and privacy risks they may pose. In this paper, we investigate the vulnerability of diffusion models to Membership Inference Attacks (MIAs), a common privacy concern. Our results indicate that existing MIAs designed for GANs or VAEs are largely ineffective on diffusion models, either due to inapplicable scenarios (e.g., requiring the discriminator of GANs) or inappropriate assumptions (e.g., closer distances between synthetic samples and member samples). To address this gap, we propose Step-wise Error Comparing Membership Inference (SecMI), a query-based MIA that infers membership by assessing the matching of forward process posterior estimation at each timestep. SecMI follows the common overfitting assumption in MIA that member samples normally have smaller estimation errors than hold-out samples. We consider both standard diffusion models, e.g., DDPM, and text-to-image diffusion models, e.g., Latent Diffusion Models and Stable Diffusion. Experimental results demonstrate that our methods precisely infer membership with high confidence in both scenarios across multiple datasets. Code is available at https://github.com/jinhaoduan/SecMI.