| dc.description.abstract | Generative models represent a cornerstone in the field of machine learning, tasked with synthesizing data that mimics the distribution of real-world examples. Among these models, diffusion models such as Denoising Diffusion Probabilistic Models (DDPM) have garnered considerable attention for their ability to generate high-fidelity samples across diverse domains. However, alongside their remarkable capabilities, generative models also raise concerns regarding security and privacy risks. These models learn to capture complex patterns and structures present in the data, potentially including sensitive or private information. Therefore, there exists a possibility for adversarial entities to exploit generative models to reconstruct or generate synthetic data resembling the original, thereby posing threats such as data leakage, identity inference, and unintended disclosure of confidential information. We find that the Euclidean norm of the estimated noise in DDPM is markedly different between training, testing, and synthetic (model generated) datasets when manipulating the noise-process timestep. Given control over model inputs x and t and access to model outputs ε we can infer from which set (train, test, or synth) a trial datapoint x was drawn with surprisingly high accuracy using only this summary statistic and a simple threshold classifier. We present empirical results both on our own trained instances of the DDPM model as well as publicly available architectures and weights. We also evaluated the performance of our proposed approach on two widely used datasets CelebA-HQ and ImageNet. Additionally, we assessed the effectiveness of our proposed method across varying data resolutions and training epochs, achieving consistently high levels of accuracy. | |
