605 research outputs found

    PriSampler: Mitigating Property Inference of Diffusion Models

    Diffusion models have been remarkably successful in data synthesis. Such successes have also driven diffusion models to apply to sensitive data, such as human face data, but this might bring about severe privacy concerns. In this work, we systematically present the first privacy study about property inference attacks against diffusion models, in which adversaries aim to extract sensitive global properties of the training set from a diffusion model, such as the proportion of the training data for certain sensitive properties. Specifically, we consider the most practical attack scenario: adversaries are only allowed to obtain synthetic data. Under this realistic scenario, we evaluate the property inference attacks on different types of samplers and diffusion models. A broad range of evaluations shows that various diffusion models and their samplers are all vulnerable to property inference attacks. Furthermore, one case study on off-the-shelf pre-trained diffusion models also demonstrates the effectiveness of the attack in practice. Finally, we propose a new model-agnostic plug-in method PriSampler to mitigate the property inference of diffusion models. PriSampler can be directly applied to well-trained diffusion models and support both stochastic and deterministic sampling. Extensive experiments illustrate the effectiveness of our defense and it makes adversaries infer the proportion of properties as close as random guesses. PriSampler also shows its significantly superior performance to diffusion models trained with differential privacy on both model utility and defense performance.

    Exceptional Points in a Non-Hermitian Topological Pump

    We investigate the effects of non-Hermiticity on topological pumping, and uncover a connection between a topological edge invariant based on topological pumping and the winding numbers of exceptional points. In Hermitian lattices, it is known that the topologically nontrivial regime of the topological pump only arises in the infinite-system limit. In finite non-Hermitian lattices, however, topologically nontrivial behavior can also appear. We show that this can be understood in terms of the effects of encircling a pair of exceptional points during a pumping cycle. This phenomenon is observed experimentally, in a non-Hermitian microwave network containing variable gain amplifiers. Comment: 7 pages, 7 figures. The first author did the experiment, and the second author did the theoretical study.

    Ownership Protection of Generative Adversarial Networks

    Generative adversarial networks (GANs) have shown remarkable success in image synthesis, making GAN models themselves commercially valuable to legitimate model owners. Therefore, it is critical to technically protect the intellectual property of GANs. Prior works need to tamper with the training set or training process, and they are not robust to emerging model extraction attacks. In this paper, we propose a new ownership protection method based on the common characteristics of a target model and its stolen models. Our method can be directly applicable to all well-trained GANs as it does not require retraining target models. Extensive experimental results show that our new method can achieve the best protection performance, compared to the state-of-the-art methods. Finally, we demonstrate the effectiveness of our method with respect to the number of generations of model extraction attacks, the number of generated samples, different datasets, as well as adaptive attacks.

    Privacy Attacks and Protection in Generative Models

    Recent years have witnessed the tremendous success of generative models in data synthesis. Typically, a well-trained model itself and its training set constitute key assets for model owners, which allows technology companies to gain a leading position in the global market. However, privacy is a key consideration in deploying state-of-the-art generative models in practice. On the one hand, the exposure of model privacy can lead to the compromise of the intellectual property rights of legitimate model owners, which consequently affects the market share of companies. On the other hand, the disclosure of training data, especially when it includes personal information, constitutes a direct infringement of data privacy, which severely leads to legal sanctions for companies. Indeed, the advent of emerging generative models critically necessitates novel privacy analysis and protection techniques to ensure the confidentiality of cutting-edge models and their training data. To solve these challenges, this dissertation investigates several new privacy attacks and protection methods for generative models from the perspective of model privacy and data privacy. In addition, this dissertation also explores a new mode that leverages existing pre-trained generative models to study the security vulnerabilities of discriminative models, which provides a fresh angle to apply generative models to the risk analysis of discriminative models. This dissertation is organized into three parts. In the first part, i.e. model privacy in generative models, I develop new model extraction attacks to steal generative adversarial networks (GANs). The evaluations show that preventing model extraction attacks against GANs is difficult but protecting GANs through verifying the ownership can be a deterrence against malicious adversaries. 
Thus, I further propose an ownership protection method to safeguard GANs, which can effectively recognize these stolen models constructed from physical stealing and model extraction. In the second part, i.e. data privacy in generative models, I develop two types of membership inference attacks against diffusion models, and the proposed loss-based method reveals the relationship between membership inference risks and the generative mechanism of diffusion models. I also investigate property inference risks in diffusion models and propose the first property aware sampling method to mitigate this attack, which bears the benefits of being plug-in and model-agnostic. In the third part, i.e. applications of generative models, I propose a new type of out-of-distribution (OOD) attack by leveraging off-the-shelf pre-trained GANs, which demonstrates that GANs can be utilized to directly construct samples to fool classification models and evade OOD detection. Taken together, this dissertation primarily provides new privacy attacks and protection methods for generative models and can contribute to a deeper and more comprehensive understanding of the privacy of generative artificial intelligence. Privacy Attacks And Protection In Machine Learning As A Service

    Loss and Likelihood Based Membership Inference of Diffusion Models

    peer reviewed

    Gold on graphene as a substrate for surface enhanced Raman scattering study

    In this paper, we report our study on gold (Au) films with different thicknesses deposited on single layer graphene (SLG) as surface enhanced Raman scattering (SERS) substrates for the characterization of rhodamine (R6G) molecules. We find that an Au film with a thickness of ~7 nm deposited on SLG is an ideal substrate for SERS, giving the strongest Raman signals for the molecules and the weakest photoluminescence (PL) background. While Au films effectively enhance both the Raman and PL signals of molecules, SLG effectively quenches the PL signals from the Au film and molecules. The former is due to the electromagnetic mechanism involved while the latter is due to the strong resonance energy transfer from Au to SLG. Hence, the combination of Au films and SLG can be widely used in the characterization of low concentration molecules with relatively weak Raman signals. Comment: 11 pages, 4 figures

    System dynamics of oxyfuel power plants with liquid oxygen energy storage

    Traditional energy storage systems have a common feature: the generating of secondary energy (e.g. electricity) and regenerating of stored energy (e.g. gravitational potential, and mechanical energy) are separate rather than deeply integrated. Such systems have to tolerate the energy loss caused by the second conversion from primary energy to secondary energy. This paper is concerned with the system dynamics of oxyfuel power plants with liquid oxygen energy storage, which integrates the generation of secondary energy (electricity) and regeneration of stored energy into one process and therefore avoids the energy loss caused by the independent process of regeneration of stored energy. The liquid oxygen storage and the power load of the air separation unit are self-adaptively controlled based on current-day power demand, day-ahead electricity price and real-time oxygen storage information. Such an oxyfuel power plant can not only bid in the day-ahead market with base load power but also has potential to provide peak load power through reducing the load of the air separation unit in peak time. By introducing reasoning rules with fuzzy control, the oxygen storage system has potential to be further extended by integrating renewable energy resources into the system to create a cryogenic energy storage hub.