While diffusion models have recently demonstrated remarkable progress in generating realistic images, privacy risks also arise: published models or APIs could generate training images and thus leak privacy-sensitive training information. In this paper, we reveal a new risk, Shake-to-Leak (S2L): fine-tuning the pre-trained models with manipulated data can amplify the existing privacy risks. We demonstrate that S2L could occur in various standard fine-tuning strategies for diffusion models, including concept-injection methods (DreamBooth and Textual Inversion) and parameter-efficient methods (LoRA and Hypernetwork), as well as their combinations. In the worst case, S2L can amplify the state-of-the-art membership inference attack (MIA) on diffusion models by $5.4\%$ (absolute difference) AUC and can increase extracted private samples from almost $0$ samples to $15.8$ samples on average per target domain. This discovery underscores that the privacy risk with diffusion models is even more severe than previously recognized. Code is available at https://github.com/VITA-Group/Shake-to-Leak.