DIAGNOSIS: Detecting Unauthorized Data Usages in Text-to-image Diffusion Models

Thank you very much for your precious time and thoughtful comments. We are encouraged the novelty and the significance of our work is recognized. We hope the following new clarifications and results can address your concerns.

Q1: Textual Inversion.

A1: Thank you very much for your constructive suggestion. We conducted the experiments on the Textutal Inversion during the rebuttal period. The model used is Stable Diffusion v1. The dataset used is the Dog dataset used in Table 1. Unconditional injected memorization is used here. The results on 10 models w/ unauthorized data usages and 10 models w/o unauthorized data usages are shown in the following table:

The results demonstrate that our method is effective for the Textual Inversion personalization method.

Q2: Efficiency.

A2: Thanks for your thoughtful comment. In the image coating stage, the warping function only costs 0.08s on one image with 1280 height and 1280 width. The time cost for training the signal classifier is 1085.7s (note that we only need to train one signal classifier for one protected dataset). The runtime for the Algorithm 2 (detecting if the inspected model has unauthorized data usages or not) is 546.7s. All runtime is measured on one Quadro RTX 6000 GPU. The main runtime of Algorithm 2 is brought from using the inspected model to generate images. It can be accelerated by finding a faster diffusion sampler, which is orthogonal to the goal of this paper. We will add the discussion about runtime in the revised version.

Q3: Summary Table for Symbols.

A3: Thank you very much for your valuable suggestion. We will add the summary table for used symbols in our revised version.

Q5: It also lacks the discussion on the potential countermeasures against the proposed approach.

A5: Thank you for your insightful questions. The potential adaptive attack for our method is adding image augmentations during the training or fine-tuning. The discussion about this adaptive attack can be found in section A.4 of the Appendix. To make the evaluation more comprehensive, we provide more results about the robustness against the augmentation-based adaptive attack. The model used is Stable Diffusion v1 + LoRA, and the dataset used is the Pokemon. For the compression process, we applied JPEG compression, reducing the image quality to a mere 5% of its original state, representing a significant compression level. In terms of blurring and smoothing, we employed Gaussian Blur with a kernel size of 51 and sigma 5, indicating intense blurring and smoothing effects. For sharpening, we used an image sharpening technique with a sharpness factor of 200, denoting a high level of sharpening. We also present the results under severe Gaussian Noise conditions (also see Section A.4). In addition, we have the experiments of adding strong color jittering. It's important to note that the augmentation intensity in these experiments is high, leading to noticeable image distortions (we will add the visualizations of these augmented images in our revised paper). We assessed the detection accuracy across 10 models w/ unauthorized data usages and 10 models w/o unauthorized data usages. for each augmentation type. The detailed detection results and the FID of the generated images of the trained models are presented in the below table.

As can be seen, while our method still has high detection accuracy, the benign performance of the models is significantly influenced by the strong augmentations (i.e., the FID increases significantly). The results indicate our method is robust against these augmentation-based attacks. It is not surprising that the image warping function has good robustness against augmentations since the warping effect is orthogonal to most of the image augmentation operations [1]. Existing works such as Wang et al. [2] also find that image warping is robust to the added perturbations. We will add more discussion in our revised version.

Q6: What is the value of the coating rate used in section 4.2? If only a small portion of the data is protected, it is quite strange that selecting only a portion from the whole dataset to train the model would still be accurately detected with 100% accuracy. If the selection does not overlap with the protected portion, the detection mechanism should not work, right?

A6: Thanks for your helpful questions and comments.

• By default, the coating rate we used for unconditional injected memorization and the trigger-conditioned injected memorization are 100.0% and 20.0% (also see the implementation details in Section 4.1).

• In our experiments, we use the scenario where the whole dataset is used to train the model. Regarding the situation where an infringer selects a portion of the full dataset for model training, we discovered that it's challenging for the infringer to precisely choose a portion that excludes coated images. This difficulty arises because the infringer is unaware of the specific signal function employed by the protector. Consequently, our study focuses on the practical scenario where the infringer randomly selects a portion of the entire dataset for training purposes. Under these circumstances, statistical analysis indicates that the coating rate of the selected subset is likely to be similar to that of the full dataset. Our method becomes ineffective if the chosen subset doesn't include any of the protected data, but the likelihood of this happening is very slim. Take the Pokemon dataset as an example, which contains 833 images. If we assume a coating rate of 20% and the infringer randomly picks 20% of the dataset for model training, the chance that the chosen subset completely misses the coated data is only $4.2*10^{-19}$, which is nearly negligible. The table below illustrates the probabilities for different coating rates in the selected subsets. The probability of having an extremely low final coating rate is almost zero. It's worth noting that our method with trigger-conditioned memorization still has 100% accuracy even at a 2% coating rate (refer to Table 7 in our paper), proving its effectiveness in such scenarios.

Q3: Insufficient Evaluation. Only less than 20 models are constructed during the evaluations, which are far from enough to demonstrate the effectiveness of the approach.

A3: Thanks for your helpful comment. In our paper, we have constructed 140 models in Table 1 and 120 models in Table 2. To make the evaluation more comprehensive, we have generated more models and conducted the experiments on a larger scale. For each case in Table 1, we have 20 models w/ unauthorized data usages and 20 models w/o unauthorized data usages. Therefore, now we have 360 models in Table 1. The results are shown in the following table:

As can be seen, our method achieves 100.0% accuracy in all cases. We are confident that our method will still have high accuracy in the evaluation with more models. We hope our results adequately addressed your concern. We will include the new results in our revised version.

Q4: It lacks evaluation regarding the distortion of the image after the warping.

A4: Thanks for your thoughtful comment. We conducted the suggested evaluation accordingly during the rebuttal period. In the following tables, we report the average value of the SSIM, PSNR, MAE (Mean Absolute Error), and MSE (Mean Squared Error) between the coated images under our default setting and the original images.

The results on the Pokemon dataset with warping strength 1.0:

The results on the Pokemon dataset with warping strength 2.0:

The results on the CelebA dataset with warping strength 1.0:

The results on the CelebA dataset with warping strength 2.0:

The results demonstrate the coated version is highly similar to the original images (for example, it has above 0.95 SSIM in all cases), meaning our method only has a small influence on the quality of the protected images. The visualization of the coated images and the original images can be found in Fig. 5 in the Appendix. We will add more discussion in the revised version.

Thank you very much for your precious time and insightful comments. We hope the following new clarifications and results can address your concerns. We are happy to provide further clarifications if needed.

Q1: The authors mention that, compared with the sota schemes which focus on the sample-level memorization, this paper focuses on the element-level memorization. I think it does not matter whether it is sample-level or element-level, the most important is which one offers higher performance. The authors do not logically or experimentally justify the advantage of element-level memorization over the sample-level ones.

A1: Thank you for your valuable feedback. As pointed out by Carlini et al. [1], a model is considered to have sample-wise memorization if a specific sample can be accurately identified as a training sample of the model through membership inference attacks.

• Existing methods [2,3] have shown that membership inference attack remains a significant challenge for large diffusion models such as Stable Diffusion. For instance, the state-of-the-art membership inference method for diffusion models, namely SecMI [2], only has a 66.1% success rate for the membership inference on the stable-diffusion-v1-5 model (also see our discussion in the Introduction Section).

• In addition, these state-of-the-art membership inference methods require white-box access to the inspected model, while the threat model in our paper is that the protector only has black-box access to the model, which is more practical. Performing membership inference for large diffusion models in black-box settings is even more challenging [3]. Dubinski et al. demonstrate that existing methods only have around 50% membership inference accuracy for large text-to-image diffusion models under the black-box setting. To the best of our knowledge, no current membership inference method is known to achieve significant accuracy in this specific setting.

These limitations are the main reasons why we opted not to employ sample-level memorization in our method. We will make it more clear in our revised version. Thanks again for your constructive comment.

[1] Carlini et al., Extracting Training Data from Diffusion Models. USENIX Security 2023.

[2] Duan et al., Are Diffusion Models Vulnerable to Membership Inference Attacks? ICML 2023.

[3] Dubinski et al., Towards More Realistic Membership Inference Attacks on Large Diffusion Models. arXiv 2023.

Q2: The motivation of introducing two types of injected memorization is not well explained. The reviewer is confused with the necessity of the trigger function.

A2: Thank you for your insightful comment. In this paper, we introduce two types of injected memorization, i.e., unconditional memorization and trigger-conditioned memorization. Each of them has its unique advantages. For unconditional memorization, it is more general and it can be applied in both Scenario 1 and Scenario 2 introduced in Section 3.1. For trigger-conditioned memorization, although it is only suitable for Scenario 1, it is more effective under low coating rates. For example, in Table 7 of our main paper, we show that the trigger-conditioned memorization is still effective even under extremely small coating rates, e.g., 2.0%. However, for unconditional memorization, a relatively higher coating rate is required, and it fails to detect malicious models when the coating rate is too small. You can also find the comparison between these two types of memorization in Section 4.4 of our main paper. The trigger function is used to inject trigger-conditioned memorization, which is more effective at lower coating rates. We will make it more clear in our revised version.

Dear Reviewer P3dG,

Thanks again for your valuable comments and precious time. As the author-reviewer discussion period draws to a close, we genuinely hope you could have a look at the new results and clarifications and kindly let us know if they have addressed your concerns. We would appreciate the opportunity to engage further if needed.

Best,

Authors of Paper 2187

Thank you very much for your thoughtful comments and recognition of the significance of our work. We hope the following results and clarifications can address your concerns.

Q1: Typos.

A1: Thank you very much for your helpful comment. We will revise accordingly in our revised version.

Q2: In the experimental results section, the authors shall provide more quantitative results (in terms of, e.g., PSNR, SSIM, or the residual) for comparing the original sample image and its coated counterpart.

A2: Thanks for your insightful suggestion. We conducted the suggested experiments accordingly during the rebuttal period. For the residual, we use the Mean Absolute Error (MAE) and
Mean Squared Error (MSE) as the measurements (here the pixel values of the images range from 0 to 1). We report the average value of the SSIM, PSNR, MAE, and MSE between the coated images under our default setting and the original images in the following tables.

The results on the Pokemon dataset with warping strength 1.0:

The results on the Pokemon dataset with warping strength 2.0:

The results on the CelebA dataset with warping strength 1.0:

The results on the CelebA dataset with warping strength 2.0:

The results demonstrate the coated version is highly similar to the original images ( it has above 0.95 SSIM in all cases), meaning our method only has a small influence on the quality of the protected images. The visualization of the coated images and the original images can be found in Fig. 5 in the Appendix. We will add more discussion in the revised version.

Q3: Why use the image-warping operation to implement the coating? Is it possible to employ some other operators?

A3: Thank you for your thoughtful questions. We use the image-warping operation as our default signal function due to the warping effects are orthogonal to various image augmentation operations such as blurring, compression, and sharpening [1]. Thus, it has good robustness to various image editing-based adaptive attacks (also see Reviewer-vEW1-A1). It is possible to employ other operators (see Section 4.3 in our main paper). To make the evaluation more comprehensive, here we provide more results. The results (on 5 models w/ unauthorized data usages and 5 models w/o unauthorized data usages) of using different image filter functions as the signal functions are shown in the following table:

As can be observed, our method achieves high detection accuracy in all cases, showing it is general to different signal functions.

[1] Glasbey et al., A review of image-warping methods. Journal of Applied Statistics 1998.

Q4: Is the image warping reversible? It seems that the coated images are permanently damaged by the warping.

A4: Thanks for your insightful comment. The warping effect is reversible by using the stored residual between the original image and the wrapped image. In the data coating process, the protector can record the residual bought from the wrapping operation for each protected image. Then the wrapped images can be recovered to the original image by using the stored residuals.

Thank you very much for your support and feedback. The analysis in Heckbert et al. demonstrates that image warping function has its inverse function and it is reversible. Thanks again for your insightful question and helpful comment.

Heckbert et al., Fundamentals of Texture Mapping and Image Warping.

Thank you very much for your valuable comments and recognition of the significance of this paper. We hope the following results and clarifications can address your concerns.

Q1: Robustness analysis. How robust is the proposed method to different image transformations like compression, blurring, smoothening, sharpening and more. Will this affect the detection performance?

A1: Thank you for your insightful questions. We have conducted the suggested experiments accordingly during the rebuttal period. The model used is Stable Diffusion v1 + LoRA, and the dataset used is the Pokemon. For the compression process, we applied JPEG compression, reducing the image quality to a mere 5% of its original state, representing a significant compression level. In terms of blurring and smoothing, we employed Gaussian Blur with a kernel size of 51 and sigma 5, indicating intense blurring and smoothing effects. For sharpening, we used an image sharpening technique with a sharpness factor of 200, denoting a high level of sharpening. Additionally, in Section A.4 of the Appendix, we present results under severe Gaussian Noise conditions. We also have the experiments of adding strong color jittering. It's important to note that the augmentation intensity in these experiments is high, leading to noticeable image distortions (we will add the visualizations of these augmented images in our revised paper). We assessed the detection accuracy across 10 models w/ unauthorized data usages and 10 models w/o unauthorized data usages. for each augmentation type. The detailed detection results and the FID of the generated images of the trained models are presented in the table that follows.

As can be seen, while our method still has high detection accuracy, the benign performance of the models is significantly influenced by the strong augmentations (i.e., the FID increases significantly). The results indicate our method is robust against these augmentation-based attacks. It is not surprising that the image warping function has good robustness against augmentations since the warping effect is orthogonal to most of the image augmentation operations [1]. Existing works such as Wang et al. [2] also find that image warping is robust to the added perturbations. We will add more discussion in our revised version.

[1] Glasbey et al., A review of image-warping methods. Journal of Applied Statistics 1998.

[2] Wang et al., Robust Backdoor Attack with Visible, Semantic, Sample-Specific, and Compatible Triggers. arXiv 2023.

Q2: It will be good if the authors can discuss adversarial ways in which the proposed technique can be defeated.

A2: Thanks for your thoughtful suggestion. In this paper, we have evaluated our method against two distinct categories of potential adaptive attacks, namely incorporating strong augmentation during training or fine-tuning (see A1 and Section A.4 in our main paper), and collecting data from multiple sources (see Section 4.2 in our main paper). Our findings indicate that our method maintains its robustness against these potential adaptive attacks. As of now, we haven't identified any effective and practical adaptive attacks that could bypass our method. We are happy to provide further clarification if other potential adaptive attacks can be concretely suggested. Exploring adaptive attacks that can effectively circumvent our approach will be our future work. We sincerely appreciate your insightful recommendation.

Dear Reviewer vEW1,

Thanks again for your valuable comments and precious time. As the author-reviewer discussion period draws to a close, we genuinely hope you could have a look at the new results and clarifications and kindly let us know if they have addressed your concerns. We would appreciate the opportunity to engage further if needed.

Best,

Authors of Paper 2187