Towards Black-Box Membership Inference Attack for Diffusion Models

We sincerely thank the reviewer for the comments and suggestions. Below, we address the primary concern that has been raised.

Q1: The proposed REDIFFUSE algorithm relies on the existence of a variation API. While the paper claims robustness across different diffusion steps, the experimental results suggest that selecting a poor diffusion step could impact detection performance.

A1: We thank the reviewer for the comments. As shown in Figure 4 of our paper, our method achieves over 80% accuracy when the diffusion step is between 50 and 350. On the other hand, the variation API in diffusion models[1] typically uses a moderate step value to edit the image: too few steps produce negligible edits, while too many steps cause excessive distortion, making it hard to preserve consistency with the original image. Thus, our results suggest that the variation API could be viable for detection tasks. We leave more robust algorithm design across diffusion steps for future work.

Q2: The real-world validation with DALL-E 2 is based on only 30 famous artworks.

A2: We appreciate the reviewer’s question. The purpose of Section 6 is to demonstrate the practical applicability of our algorithm to commercial models. Specifically, we use DALL-E 2’s variation API to show how our method can detect membership by leveraging the model’s outputs. Since DALL-E 2 does not provide a publicly accessible training set, the experiment in Section 6 primarily serves as demonstrative application scenario rather than an extensive evaluation with large-scale datasets. We agree that further evaluation on more diverse datasets and models would enhance the robustness of the findings, and we add additional experiments of WikiArt dataset[2]. We randomly sample 1000 images of the dataset as members and generate corresponding nonmembers with the method in Section 6 in our paper. The results are as follows:

The experimental results indicate that our method remains effective on this new dataset. However, since many artworks in WikiArt are less prominent than the 30 canonical paintings we initially selected, they likely had lower probability of being included in DALL-E 2's training data. This introduces potential dataset bias when expanding the evaluation scope. We leave more comprehensive large-scale experiments for future work.

We thank the reviewer once again for the valuable and helpful suggestions. We will continue to provide clarifications if the reviewer has any further questions.

References

[1] Meng, Chenlin, et al. "Sdedit: Guided image synthesis and editing with stochastic differential equations." arXiv preprint arXiv:2108.01073 (2021).

[2] "WikiArt Visual Art Encyclopedia." WikiArt, n.d., https://www.wikiart.org.

We thank the reviewer for the comments and constructive suggestions. In the following, we address the main concern raised.

Q1: The author assumes for a well-trained diffusion model with full rank Jacobian. I am curious if there is a deeper motivation behind this assumption. One possible intuition is that it might be too strong to directly assume the loss function of the DM is sufficiently low, so the focus shifts to hypothesizing a property that is easier to satisfy than the loss function itself. Nonetheless, I would appreciate a more detailed explanation or clarification regarding this choice.

A1: We appreciate the reviewer’s feedback. We hypothesize the full-rank condition of Jacobian because the neural network's dimensionality $p$ significantly exceeds that of the image data $d$. Hence a full rank matrix would require the $p \times d$ matrix to have rank $d$ and hence is most likely true.

Conversely, if the Jacobian are rank-deficient, there would exist initial points from which denoising could not recover plausible images, contradicting the empirically demonstrated generation capabilities of modern diffusion models. Still, we agree with the reviewer that we cannot verify this for all data points as computing the rank of a huge matrix is expensive. We will add the discussion of this assumption in the next version of our paper.

Q2: I’m curious about one aspect of the ablation study. In Figure 5, the AUC decreases when the DDIM steps exceed 25. This seems counterintuitive, as a larger number of DDIM steps should theoretically reduce error and improve accuracy. Could you clarify why this occurs?

A2: We appreciate the reviewer’s question. Our results in Figure 5 demonstrate that changing the DDIM step has minimal impact on detection accuracy. For DDIM steps of 20, 25, 50, and 100, the AUC remains virtually unchanged (difference < 0.003). We present relevant experiments of DDIM on CIFAR-100 here, with different random seeds and DDIM steps:

From the results, we know that as we vary random seeds, the AUC remains similar across these DDIM steps, with no consistent decreasing trend observed as step size increases.

We thank the reviewer once again for the valuable and helpful suggestions. We would be happy to provide further clarifications if the reviewer has any additional questions.

We express our gratitude to the reviewer for the insightful comments and suggestions. Please find the details below.

Q1: Is the intuition of the proposed method general to other datasets? Or just observable to specific datasets utilized in these datasets??

A1: Our method has been evaluated across diverse datasets (CIFAR-10/100, STL-10, ImageNet, LAION-5) in the main paper, demonstrating its generalizability. To further validate this, we conduct additional experiments: we train a DDIM model on Tiny-ImageNet [1] and SVHN [2]. For each dataset, we randomly select 50,000 member and 50,000 non-member images, training the DDIM model for 800K iterations using Appendix A's hyperparameters. The result are as follows:

The experimental results demonstrate that our method remains effective on these new datasets. We will include these findings in the revised manuscript and plan to extend evaluation to other datasets in future work.

Q2: There are other diffusion models in existing works. Is the proposed attack methodology suitable to other diffusion models?

A2: We appreciate the reviewer’s question. Our main paper already demonstrates the method's effectiveness on DDIM, Diffusion Transformer, and Stable Diffusion. To further validate generalizability, we conduct additional experiments with DDPM[3] across four datasets. For each dataset, we randomly select 50,000 member and 50,000 non-member images, training the DDPM model for 800K iterations using Appendix A's hyperparameters. The results are as follows:

The experimental results confirm our method's effectiveness on DDPM models. We will include these findings in the revised manuscript. Due to the need for dataset-specific retraining, we cannot evaluate additional models within the rebuttal period. We plan to extend this evaluation to other diffusion architectures in future work.

Finally, we thank the reviewer once again for the efforts in providing us with valuable and helpful suggestions. We will continue to provide clarifications if the reviewer has any further questions.

Reference

[1] Tiny ImageNet Dataset, Stanford University. Available: http://cs231n.stanford.edu/tiny-imagenet-200.zip.

[2] Netzer, Yuval, et al. "Reading digits in natural images with unsupervised feature learning." NIPS workshop on deep learning and unsupervised feature learning. Vol. 2011. No. 2. 2011.

[3] Ho, Jonathan, Ajay Jain, and Pieter Abbeel. "Denoising diffusion probabilistic models." Advances in neural information processing systems 33 (2020): 6840-6851.

We sincerely appreciate the reviewer's positive feedback. We address the questions in detail below:

Q1: When comparing to other existing methods, this paper do not show a comparison in runtime/cost. I'd suggest to add these details for their audience to have a better understanding of the trade offs between these methods.

A1: We thank the reviewer for raising this important point regarding computational cost comparison. From a computational complexity perspective, the runtime primarily depends on the average number $n$, where each detection requires $n$ times the computation of the baseline method. To better illustrate this trade-off, we conduct additional experiments measuring runtime across different values of $n$, evaluating DDIM on CIFAR-100 and DiT on ImageNet 256×256. The results are as follows:

The results show our method achieves accuracy comparable to baselines even at $n=1$, with matching runtime and no UNet access required. When increasing $n$, the extra computation time further improves performance. In contrast, baseline methods rely on deterministic UNet outputs (no randomness), so they can’t benefit from averaging. We believe this cost is reasonable because at $n=10$, our algorithm infers $100,000$ CIFAR-100 images in ~5 minutes on an NVIDIA L40 GPU. We’ll add these discussions to the paper.

Q2: Did you try this method for detecting copyrighted or proprietary content in foundation models?

A2: We thank the reviewer for this question. In Section 6, we discuss an application scenario where we perform membership inference attacks using the variation API provided by OpenAI DALL-E [4], a popular API-only model. Specifically, we constructed a dataset consisting of famous artworks and AI-generated artworks with the same titles. We then conduct detection tests to determine whether certain famous artworks are included in DALL-E's training dataset. The results show our approach can effectively work with real-world diffusion-model APIs. We plan to extend this to other copyright-protected content as future work.

Once again, we sincerely thank the reviewer for the constructive comments, and we are eager to engage in further discussions to clarify any concerns.

References

[1] Matsumoto, Tomoya, Takayuki Miura, and Naoto Yanai. "Membership inference attacks against diffusion models." 2023 IEEE Security and Privacy Workshops (SPW). IEEE, 2023.

[2] Duan, Jinhao, et al. "Are diffusion models vulnerable to membership inference attacks?." International Conference on Machine Learning. PMLR, 2023.

[3] Kong, Fei, et al. "An efficient membership inference attack for the diffusion model by proximal initialization." arXiv preprint arXiv:2305.18355 (2023).

[4] The variation API of DALL-E. https://platform.openai.com/docs/guides/images/variations-dall-e-2-only