Image AutoRegressive generation has emerged as a new powerful paradigm with image autoregressive models (IARs) matching state-of-the-art diffusion models (DMs) in image quality (FID: 1.48 vs. 1.58) while allowing for a higher generation speed. However, the privacy risks associated with IARs remain unexplored, raising concerns regarding their responsible deployment. To address this gap, we conduct a comprehensive privacy analysis of IARs, comparing their privacy risks to the ones of DMs as reference points. Concretely, we develop a novel membership inference attack (MIA) that achieves a remarkably high success rate in detecting training images (with True Positive Rate at False Positive Rate = 1% of 94.57% vs. 6.38% for DMs with comparable attacks). We leverage our novel MIA to provide dataset inference (DI) for IARs, and show that it requires as few as 4 samples to detect dataset membership (compared to 200 for DI in DMs), confirming a higher information leakage in IARs. Finally, we are able to extract hundreds of training data points from an IAR (e.g., 698 from VAR-\textit{d}30). Our results suggest a fundamental privacy-utility trade-off: while IARs excel in image generation quality and speed, they are \textit{empirically} significantly more vulnerable to privacy attacks compared to DMs that achieve similar performance. We release the code at https://github.com/sprintml/privacy_attacks_against_iars for reproducibility.
翻译:图像自回归生成已成为一种新的强大范式,图像自回归模型(IARs)在图像质量(FID:1.48对比1.58)上匹配了最先进的扩散模型(DMs),同时实现了更高的生成速度。然而,与IARs相关的隐私风险尚未被探索,这引发了对其负责任部署的担忧。为填补这一空白,我们对IARs进行了全面的隐私分析,并将其隐私风险与DMs作为参考基准进行比较。具体而言,我们提出了一种新颖的成员推理攻击(MIA),在检测训练图像方面取得了显著高的成功率(在假阳性率为1%时,真阳性率达94.57%,而使用可比攻击的DMs仅为6.38%)。我们利用这一新颖的MIA为IARs提供数据集推理(DI),并表明仅需4个样本即可检测数据集成员关系(相比之下,DMs的DI需要200个样本),证实了IARs中存在更高的信息泄露。最后,我们能够从单个IAR中提取数百个训练数据点(例如,从VAR-d30中提取698个)。我们的结果表明存在一种基本的隐私-效用权衡:虽然IARs在图像生成质量和速度上表现出色,但经验上它们比性能相近的DMs更易受到隐私攻击。我们已在https://github.com/sprintml/privacy_attacks_against_iars发布代码以确保可复现性。