PriSampler: Mitigating Property Inference of Diffusion Models

TL;DR

This paper investigates property inference attacks on diffusion models trained on sensitive data, demonstrating their vulnerability and proposing PriSampler, a model-agnostic defense that effectively mitigates privacy risks while maintaining utility.

Contribution

It is the first systematic study of property inference attacks on diffusion models and introduces PriSampler, a novel, effective, and versatile defense method.

Findings

Diffusion models are vulnerable to property inference attacks.

PriSampler effectively reduces privacy risks without sacrificing utility.

PriSampler outperforms differential privacy methods in defense performance.

Abstract

Diffusion models have been remarkably successful in data synthesis. However, when these models are applied to sensitive datasets, such as banking and human face data, they might bring up severe privacy concerns. This work systematically presents the first privacy study about property inference attacks against diffusion models, where adversaries aim to extract sensitive global properties of its training set from a diffusion model. Specifically, we focus on the most practical attack scenario: adversaries are restricted to accessing only synthetic data. Under this realistic scenario, we conduct a comprehensive evaluation of property inference attacks on various diffusion models trained on diverse data types, including tabular and image datasets. A broad range of evaluations reveals that diffusion models and their samplers are universally vulnerable to property inference attacks. In response, we propose a new model-agnostic plug-in method PriSampler to mitigate the risks of the property inference of diffusion models. PriSampler can be directly applied to well-trained diffusion models and support both stochastic and deterministic sampling. Extensive experiments illustrate the effectiveness of our defense, and it can lead adversaries to infer the proportion of properties as close as predefined values that model owners wish. Notably, PriSampler also shows its significantly superior performance to diffusion models trained with differential privacy on both model utility and defense performance. This work will elevate the awareness of preventing property inference attacks and encourage privacy-preserving synthetic data release.