Generative models have demonstrated revolutionary success in various visual creation tasks, but in the meantime, they have been exposed to the threat of leaking private information of their training data. Several membership inference attacks (MIAs) have been proposed to exhibit the privacy vulnerability of generative models by classifying a query image as a training dataset member or nonmember. However, these attacks suffer from major limitations, such as requiring shadow models and white-box access, and either ignoring or only focusing on the unique property of diffusion models, which block their generalization to multiple generative models. In contrast, we propose the first generalized membership inference attack against a variety of generative models such as generative adversarial networks, [variational] autoencoders, implicit functions, and the emerging diffusion models. We leverage only generated distributions from target generators and auxiliary non-member datasets, therefore regarding target generators as black boxes and agnostic to their architectures or application scenarios. Experiments validate that all the generative models are vulnerable to our attack. For instance, our work achieves attack AUC $>0.99$ against DDPM, DDIM, and FastDPM trained on CIFAR-10 and CelebA. And the attack against VQGAN, LDM (for the text-conditional generation), and LIIF achieves AUC $>0.90$. As a result, we appeal to our community to be aware of such privacy leakage risks when designing and publishing generative models.