Diffusion models have achieved tremendous success in image generation, but they also raise significant concerns regarding privacy and copyright issues. Membership Inference Attacks (MIAs) are designed to ascertain whether specific data were utilized during a model's training phase. As current MIAs for diffusion models typically exploit the model's image prediction ability, we formalize them into a unified general paradigm which computes the membership score for membership identification. Under this paradigm, we empirically find that existing attacks overlook the inherent deficiency in how diffusion models process high-frequency information. Consequently, this deficiency leads to member data with more high-frequency content being misclassified as hold-out data, and hold-out data with less high-frequency content tend to be misclassified as member data. Moreover, we theoretically demonstrate that this deficiency reduces the membership advantage of attacks, thereby interfering with the effective discrimination of member data and hold-out data. Based on this insight, we propose a plug-and-play high-frequency filter module to mitigate the adverse effects of the deficiency, which can be seamlessly integrated into any attacks within this general paradigm without additional time costs. Extensive experiments corroborate that this module significantly improves the performance of baseline attacks across different datasets and models.

翻译：扩散模型在图像生成领域取得了巨大成功，但也引发了关于隐私和版权问题的重大关切。成员推断攻击旨在判定特定数据是否在模型训练阶段被使用。由于当前针对扩散模型的成员推断攻击通常利用模型的图像预测能力，我们将其形式化为一个统一通用范式，该范式通过计算成员分数来进行成员身份识别。在此范式下，我们通过实验发现，现有攻击忽视了扩散模型在处理高频信息方面固有的缺陷。因此，这一缺陷导致具有更多高频内容的成员数据被误判为保留数据，而具有较少高频内容的保留数据则倾向于被误判为成员数据。此外，我们从理论上证明，该缺陷会降低攻击的成员优势，从而干扰对成员数据与保留数据的有效区分。基于这一洞见，我们提出了一种即插即用的高频滤波模块，以减轻该缺陷带来的不利影响。该模块可以无缝集成到此通用范式内的任何攻击方法中，且无需额外的时间开销。大量实验证实，该模块显著提升了基线攻击在不同数据集和模型上的性能表现。