A Reproducible Extraction of Training Images from Diffusion Models

TL;DR

This paper presents an efficient method to extract training images from diffusion models, revealing a new phenomenon called template verbatims that pose privacy and copyright concerns.

Contribution

The authors introduce a significantly more efficient extraction attack and identify template verbatims, enhancing understanding of privacy risks in diffusion models.

Findings

Successful extraction from multiple diffusion models

Identification of template verbatims phenomenon

Efficient attack with fewer network evaluations

Abstract

Recently, Carlini et al. demonstrated the widely used model Stable Diffusion can regurgitate real training samples, which is troublesome from a copyright perspective. In this work, we provide an efficient extraction attack on par with the recent attack, with several order of magnitudes less network evaluations. In the process, we expose a new phenomena, which we dub template verbatims, wherein a diffusion model will regurgitate a training sample largely in tact. Template verbatims are harder to detect as they require retrieval and masking to correctly label. Furthermore, they are still generated by newer systems, even those which de-duplicate their training set, and we give insight into why they still appear during generation. We extract training images from several state of the art systems, including Stable Diffusion 2.0, Deep Image Floyd, and finally Midjourney v4. We release code to verify our extraction attack, perform the attack, as well as all extracted prompts at \url{https://github.com/ryanwebster90/onestep-extraction}.