defense 2025

Defending Diffusion Models Against Membership Inference Attacks via Higher-Order Langevin Dynamics

Benjamin Sterling 1, Yousef El-Laham 2, Mónica F. Bugallo 2

Published on arXiv: 2509.14225

Membership Inference Attack

OWASP ML Top 10 — ML04

Key Finding

HOLD++ theoretically and empirically reduces MIA success (measured by AUROC) on diffusion models trained on speech data while maintaining sample quality as measured by FID

HOLD++ (Critically-Damped Higher-Order Langevin Dynamics)

Novel technique introduced


Recent advances in generative artificial intelligence applications have raised new data security concerns. This paper focuses on defending diffusion models against membership inference attacks. This type of attack occurs when the attacker can determine if a certain data point was used to train the model. Although diffusion models are intrinsically more resistant to membership inference attacks than other generative models, they are still susceptible. The defense proposed here utilizes critically-damped higher-order Langevin dynamics, which introduces several auxiliary variables and a joint diffusion process along these variables. The idea is that the presence of auxiliary variables mixes external randomness that helps to corrupt sensitive input data earlier on in the diffusion process. This concept is theoretically investigated and validated on a toy dataset and a speech dataset using the Area Under the Receiver Operating Characteristic (AUROC) curves and the FID metric.


Key Contributions

  • Applies critically-damped higher-order Langevin dynamics (HOLD++) to diffusion model training as a defense against membership inference attacks by introducing auxiliary variables that mix external randomness and corrupt sensitive inputs earlier in the forward diffusion process
  • Theoretical analysis showing HOLD++ achieves a base level of differential privacy and defends against score-network-based MIA methods such as SecMI and PIA
  • Empirical validation on a toy dataset and a speech dataset using AUROC curves and FID, demonstrating the privacy-utility tradeoff of the proposed approach

🛡️ Threat Analysis

Membership Inference Attack

The paper's explicit and sole security goal is defending against membership inference attacks on diffusion models — the attacker's goal is to determine whether a specific data point was used in training, which is the canonical ML04 threat.


Details

Domains
generative, audio
Model Types
diffusion
Threat Tags
black_box, training_time
Datasets
toy dataset, speech dataset
Applications
generative audio synthesis, diffusion model training with sensitive data, medical data generation