Privacy Threats in Stable Diffusion Models

TL;DR

This paper demonstrates a black-box membership inference attack on Stable Diffusion V2 models, revealing significant privacy vulnerabilities by accurately determining if data was part of the training set, thus raising privacy concerns.

Contribution

It introduces a novel black-box MIA method for stable diffusion models, showing practical privacy risks and providing insights into effective membership inference techniques.

Findings

Achieved 60% ROC AUC in membership inference

Revealed privacy vulnerabilities in stable diffusion outputs

Proposed multiple feature measurement strategies

Abstract

This paper introduces a novel approach to membership inference attacks (MIA) targeting stable diffusion computer vision models, specifically focusing on the highly sophisticated Stable Diffusion V2 by StabilityAI. MIAs aim to extract sensitive information about a model's training data, posing significant privacy concerns. Despite its advancements in image synthesis, our research reveals privacy vulnerabilities in the stable diffusion models' outputs. Exploiting this information, we devise a black-box MIA that only needs to query the victim model repeatedly. Our methodology involves observing the output of a stable diffusion model at different generative epochs and training a classification model to distinguish when a series of intermediates originated from a training sample or not. We propose numerous ways to measure the membership features and discuss what works best. The attack's efficacy is assessed using the ROC AUC method, demonstrating a 60\% success rate in inferring membership information. This paper contributes to the growing body of research on privacy and security in machine learning, highlighting the need for robust defenses against MIAs. Our findings prompt a reevaluation of the privacy implications of stable diffusion models, urging practitioners and developers to implement enhanced security measures to safeguard against such attacks.