Detecting, Explaining, and Mitigating Memorization in Diffusion Models

We sincerely appreciate your valuable feedback and the time you've dedicated to providing it. Below, we address specific points you raised:

While the mitigation strategies aim to reduce memorization, it's unclear what impact they might have on the overall performance of the model. Often, there's a trade-off between reducing a particular behavior and maintaining high performance. If these mitigation strategies significantly impair the model's utility, it might deter their adoption.

Yes, as shown in Figure 4, there is a small degradation in CLIP score for inference-time mitigation, but not for training-time mitigation. However, we want to emphasize that in practice, the model owner can deploy detection and mitigation strategies at the same time. Therefore, the mitigation will be only applied to memorized prompts, and, in general case, the model performance will not be impaired.

Meanwhile, compared to the copyright issue or privacy issue of outputting memorized training data, we believe it is still beneficial to the company with a little drop in CLIP score in the memorization case.

User interaction

We acknowledge your concerns regarding the potential complexity of modifying prompts for some users. However, prompt interaction might be a potential feature. A notable example of this is OpenAI's DALL-E 3, which allows users to iteratively refine their prompts to achieve the desired results. This advanced level of user interaction illustrates both the practicality and the growing trend of user familiarity with such interactive processes. We anticipate that, in the future, users will become increasingly adept at interacting with the models.

Addressing memorization is crucial for users. If the model's outputs contain copyrighted images, users who further utilize these images might also encounter legal issues. Additionally, for memorized prompts, the generated content is often limited to the memorized images. Therefore, modifying the prompt is beneficial for the users to achieve more diverse generations.

Furthermore, for situations where users find it cumbersome to modify prompts or encounter hard-to-alter tokens, the automatic inference-time mitigation method proposed by our paper could be an alternative. This option provides flexibility, catering to different user preferences and capabilities.

Overall, our proposed method offers a new perspective on designing user interfaces and addressing the issue of memorization. We believe that our approach contributes valuable insights for future developments in the field.

While the paper suggests that the method is computationally efficient, implementing the strategies during the training and inference phases might still introduce computational or operational overheads for model owners.

We agree that there is a small computational overhead for model owners. Specifically, as mentioned in our paper, our detection method does not require additional computation since the text-conditional noise prediction is calculated during inference. Meanwhile, the inference-time mitigation incurs around 6 seconds for optimization, and a 10% increase in time for training-time mitigation. These costs are negligible compared to potential lawsuits due to memorization. Also, we believe that there is no free lunch to mitigate memorization. Therefore, a minor cost to achieve effective memorization reduction is acceptable.

Is there any way to quatify memorization in the diffusion models that the future method could use to benchmark? It might be good to have a discussion in this direction.

Yes, in our work, we adopt the definition of memorization from previous research [1], where we measure the SSCD similarity between training and generated images using the memorized prompts dataset from [2].

However, we acknowledge the potential for developing a more comprehensive benchmark in the future. For instance, categorizing memorization into different types of legal copyright infringement could offer more practical insights. This approach would allow for a comparative analysis of methods under various memorization categories. Although establishing such a benchmark may be labor-intensive, we believe it is crucial and advantageous for advancing the development of reliable generative AI.

I thank the authors for preparing the detailed rebuttal and addressing my concerns. I have already raised my rating to accept.

We sincerely appreciate your valuable feedback and the time you've dedicated to providing it. Below, we address specific points you raised:

How is the metric computed with multiple generations in Table 1?

For each prompt, the final metric is calculated as an average across all generations.

In Table 1, what does the column First 10 steps indicate, is it the AUC, TPR values calculated with the average of metric values for the first 10 steps of the diffusion process?

Your interpretation is correct. It is calculated based on the average metric obtained during the initial 10 steps of the denoising process.

Clarification of "An effective inference-time mitigation method"

We initiate the process with the original prompt embedding and employ gradient descent using the Adam optimizer. The objective function for this optimization is detailed in Equation 5 of our paper. It is crucial to note that this optimization process does not involve any data and is conducted independently for different prompts.

Regarding Figures 4(a) and 4(b), the results were derived from an evaluation of 5 x 200 data points from the LAION dataset, with '5' representing five different random seeds. The detailed experiment setting can be found in section 4.4.

We appreciate your insights pointing out ambiguities in our paper. We will address these issues to enhance clarity in the future version. Please let us know if you have any more questions.

We sincerely appreciate your valuable feedback and the time you've dedicated to providing it. Below, we address specific points you raised:

Clarifying the Concept of Memorization: Could you provide a clear definition of what constitutes memorization in this context? Does it require an exact match between the generated and training images? For instance, if there's a slight variation, such as a difference of 10 pixels from the original image in the training dataset, would that still be considered memorization?

Following [1], we employ the SSCD similarity score to measure memorization. As indicated in our experimental setup, for all memorized prompts from [2], the SSCD similarity score between the memorized and generated images is above 0.7.

[1] and we advocate for the use of SSCD similarity over pixel space distance as a more reliable measure. This is especially relevant in cases where the generated image partially replicates the training image. SSCD focuses on structural and content similarities, not just pixel-level accuracy. This approach offers a more nuanced and context-sensitive evaluation of memorization.

Exploring Applications for Memorization Detection: I'm interested in understanding the practical uses of detecting memorized images. What are some key scenarios or fields where identifying such images is particularly important or beneficial?

When using training datasets that are not as meticulously curated as, for example, the LAION dataset, there is a significant risk of including copyrighted or private images. This underscores the importance of detecting and preventing memorized images, particularly in two primary scenarios:

1. copyrighted images: When a model generates an image that is an exact replica of a copyrighted image, the owner of that copyright may have grounds to sue the model owner. This situation can result in financial losses for the model owner.
2. private images: The situation becomes more critical if the memorized image contains private data, like a patient's CT scan. Unauthorized reproduction of such private images can result in severe breaches of privacy, leading to legal and ethical issues.

Given these scenarios, it is evident that the need for an effective memorization detection tool goes beyond these examples. There are likely other scenarios where such a tool would be crucial in managing the potential risks.

We hope our response can solve your concern regarding our paper. Please let us know if you have any more questions.

[1] Somepalli, G., Singla, V., Goldblum, M., Geiping, J., & Goldstein, T. (2022). Diffusion Art or Digital Forgery? Investigating Data Replication in Diffusion Models. 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 6048-6058.

[2] Webster, R. (2023). A Reproducible Extraction of Training Images from Diffusion Models. arXiv preprint arXiv:2305.08694.

We sincerely appreciate your valuable feedback and the time you've dedicated to providing it. Below, we address specific points you raised:

This work can be written more clearly, especially the section of the introduction was not very well written. I found that section 3.2 motivation was particularly helpful in setting the pace for this work.

We appreciate your feedback on the clarity of our paper, especially the introduction. We will thoroughly revise these sections to enhance readability for the camera-ready version. Meanwhile, we are glad that you find the motivation section is helpful.

In terms of the experimental setting, I do believe that performing experiments to see how the memorization ratio changes with repetitions in the data set might be a great way to further solidify if the method works.

We are grateful for your suggestion to investigate the memorization ratio with varying data repetitions. We have conducted additional experiments with different data duplication times: 50, 100, 150, 200, 250, and 300 times. The results with the SSCD similarity scores before and after applying the inference-time mitigation are presented in the table below. The proposed method is effective in all situtations with the same target loss for mitigation. We believe this is a good add-on for the future version.

I would love to see more images of memorized inputs and further discussion beyond the two images shown in the paper right now to get a better sense of the performance of this method.

We agree that more examples of memorized inputs would be beneficial. We have included additional memorized and non-memorized images and corresponding magnitudes of text-conditional noise prediction in Figure 8 and Figure 9 respectively in the appendix of the updated draft.

Most pertinently, I see that the mitigation strategies lead to a significant drop in CLIP score. In particular, if you were to look at the region on the plot between the model initialization before fine-tuning and the final fine-tuned model, it is evident that, especially when you contrast with Figure B where all the points are between 0.29 and 0.3, the inference time mitigation leads to a significant drop in CLIP score. It is unclear if this method is actually useful in that regard. It suggests that we are unable to reach the same performance as that of a model that was never fine-tuned. I am curious what the authors feel about this particular observation. In particular, a model that was not fine-tuned had a higher CLIP score on the prompts, but the method using mitigation achieved a much lower CLIP score. I am not able to position these results with the overall setup.

We recognize your concerns regarding the observed decrease in CLIP score to the inference-time mitigation. This issue primarily arises from the model's significant overfitting to memorized data points, making it challenging to achieve high CLIP scores during inference without additional model retraining or fine-tuning. However, we want to emphasize that in practice, the model owner can deploy our proposed detection (section 3.3) and mitigation (section 4.2) strategy at the same time. Therefore, the mitigation will be only applied to memorized prompts, and, in non-memorization cases, the model performance will not be impaired.

Meanwhile, we believe that a slight drop in CLIP score is still beneficial to the company when compared to the issues of copyright infringement or privacy violations due to outputting memorized training data.

We hope our response can solve your concern regarding our paper. Please let us know if you have any more questions.