135 research outputs found

    Are Diffusion Models Vulnerable to Membership Inference Attacks?

    Diffusion-based generative models have shown great potential for image synthesis, but there is a lack of research on the security and privacy risks they may pose. In this paper, we investigate the vulnerability of diffusion models to Membership Inference Attacks (MIAs), a common privacy concern. Our results indicate that existing MIAs designed for GANs or VAE are largely ineffective on diffusion models, either due to inapplicable scenarios (e.g., requiring the discriminator of GANs) or inappropriate assumptions (e.g., closer distances between synthetic samples and member samples). To address this gap, we propose Step-wise Error Comparing Membership Inference (SecMI), a query-based MIA that infers memberships by assessing the matching of forward process posterior estimation at each timestep. SecMI follows the common overfitting assumption in MIA where member samples normally have smaller estimation errors, compared with hold-out samples. We consider both the standard diffusion models, e.g., DDPM, and the text-to-image diffusion models, e.g., Latent Diffusion Models and Stable Diffusion. Experimental results demonstrate that our methods precisely infer the membership with high confidence on both of the two scenarios across multiple different datasets. Code is available at https://github.com/jinhaoduan/SecMI. Comment: To appear in ICML 202

    Shifting Attention to Relevance: Towards the Uncertainty Estimation of Large Language Models

    Although Large Language Models (LLMs) have shown great potential in Natural Language Generation, it is still challenging to characterize the uncertainty of model generations, i.e., when users could trust model outputs. Our research is derived from the heuristic facts that tokens are created unequally in reflecting the meaning of generations by auto-regressive LLMs, i.e., some tokens are more relevant (or representative) than others, yet all the tokens are equally valued when estimating uncertainty. It is because of the linguistic redundancy where mostly a few keywords are sufficient to convey the meaning of a long sentence. We name these inequalities as generative inequalities and investigate how they affect uncertainty estimation. Our results reveal that considerable tokens and sentences containing limited semantics are weighted equally or even heavily when estimating uncertainty. To tackle these biases posed by generative inequalities, we propose to jointly Shifting Attention to more Relevant (SAR) components from both the token level and the sentence level while estimating uncertainty. We conduct experiments over popular "off-the-shelf" LLMs (e.g., OPT, LLaMA) with model sizes up to 30B and powerful commercial LLMs (e.g., Davinci from OpenAI), across various free-form question-answering tasks. Experimental results and detailed demographic analysis indicate the superior performance of SAR. Code is available at https://github.com/jinhaoduan/shifting-attention-to-relevance

    Semantic Adversarial Attacks via Diffusion Models

    Traditional adversarial attacks concentrate on manipulating clean examples in the pixel space by adding adversarial perturbations. By contrast, semantic adversarial attacks focus on changing semantic attributes of clean examples, such as color, context, and features, which are more feasible in the real world. In this paper, we propose a framework to quickly generate a semantic adversarial attack by leveraging recent diffusion models since semantic information is included in the latent space of well-trained diffusion models. Then there are two variants of this framework: 1) the Semantic Transformation (ST) approach fine-tunes the latent space of the generated image and/or the diffusion model itself; 2) the Latent Masking (LM) approach masks the latent space with another target image and local backpropagation-based interpretation methods. Additionally, the ST approach can be applied in either white-box or black-box settings. Extensive experiments are conducted on CelebA-HQ and AFHQ datasets, and our framework demonstrates great fidelity, generalizability, and transferability compared to other baselines. Our approaches achieve approximately 100% attack success rate in multiple settings with the best FID as 36.61. Code is available at https://github.com/steven202/semantic_adv_via_dm. Comment: To appear in BMVC 202

    RBFormer: Improve Adversarial Robustness of Transformer by Robust Bias

    Recently, there has been a surge of interest and attention in Transformer-based structures, such as Vision Transformer (ViT) and Vision Multilayer Perceptron (VMLP). Compared with the previous convolution-based structures, the Transformer-based structure under investigation showcases a comparable or superior performance under its distinctive attention-based input token mixer strategy. Introducing adversarial examples as a robustness consideration has had a profound and detrimental impact on the performance of well-established convolution-based structures. This inherent vulnerability to adversarial attacks has also been demonstrated in Transformer-based structures. In this paper, our emphasis lies on investigating the intrinsic robustness of the structure rather than introducing novel defense measures against adversarial attacks. To address the susceptibility to robustness issues, we employ a rational structure design approach to mitigate such vulnerabilities. Specifically, we enhance the adversarial robustness of the structure by increasing the proportion of high-frequency structural robust biases. As a result, we introduce a novel structure called Robust Bias Transformer-based Structure (RBFormer) that shows robust superiority compared to several existing baseline structures. Through a series of extensive experiments, RBFormer outperforms the original structures by a significant margin, achieving an impressive improvement of +16.12% and +5.04% across different evaluation criteria on CIFAR-10 and ImageNet-1k, respectively. Comment: BMVC 202

    An Efficient Membership Inference Attack for the Diffusion Model by Proximal Initialization

    Recently, diffusion models have achieved remarkable success in generating tasks, including image and audio generation. However, like other generative models, diffusion models are prone to privacy issues. In this paper, we propose an efficient query-based membership inference attack (MIA), namely Proximal Initialization Attack (PIA), which utilizes groundtruth trajectory obtained by ϵ initialized in t=0 and predicted point to infer memberships. Experimental results indicate that the proposed method can achieve competitive performance with only two queries on both discrete-time and continuous-time diffusion models. Moreover, previous works on the privacy of diffusion models have focused on vision tasks without considering audio tasks. Therefore, we also explore the robustness of diffusion models to MIA in the text-to-speech (TTS) task, which is an audio generation task. To the best of our knowledge, this work is the first to study the robustness of diffusion models to MIA in the TTS task. Experimental results indicate that models with mel-spectrogram (image-like) output are vulnerable to MIA, while models with audio output are relatively robust to MIA. Code is available at https://github.com/kong13661/PIA

    Unlearnable Examples for Diffusion Models: Protect Data from Unauthorized Exploitation

    Diffusion models have demonstrated remarkable performance in image generation tasks, paving the way for powerful AIGC applications. However, these widely-used generative models can also raise security and privacy concerns, such as copyright infringement, and sensitive data leakage. To tackle these issues, we propose a method, Unlearnable Diffusion Perturbation, to safeguard images from unauthorized exploitation. Our approach involves designing an algorithm to generate sample-wise perturbation noise for each image to be protected. This imperceptible protective noise makes the data almost unlearnable for diffusion models, i.e., diffusion models trained or fine-tuned on the protected data cannot generate high-quality and diverse images related to the protected training data. Theoretically, we frame this as a max-min optimization problem and introduce EUDP, a noise scheduler-based method to enhance the effectiveness of the protective noise. We evaluate our methods on both Denoising Diffusion Probabilistic Model and Latent Diffusion Models, demonstrating that training diffusion models on the protected data lead to a significant reduction in the quality of the generated images. Especially, the experimental results on Stable Diffusion demonstrate that our method effectively safeguards images from being used to train Diffusion Models in various tasks, such as training specific objects and styles. This achievement holds significant importance in real-world scenarios, as it contributes to the protection of privacy and copyright against AI-generated content

    Flew Over Learning Trap: Learn Unlearnable Samples by Progressive Staged Training

    Unlearning techniques are proposed to prevent third parties from exploiting unauthorized data, which generate unlearnable samples by adding imperceptible perturbations to data for public publishing. These unlearnable samples effectively misguide model training to learn perturbation features but ignore image semantic features. We make the in-depth analysis and observe that models can learn both image features and perturbation features of unlearnable samples at an early stage, but rapidly go to the overfitting stage since the shallow layers tend to overfit on perturbation features and make models fall into overfitting quickly. Based on the observations, we propose Progressive Staged Training to effectively prevent models from overfitting in learning perturbation features. We evaluated our method on multiple model architectures over diverse datasets, e.g., CIFAR-10, CIFAR-100, and ImageNet-mini. Our method circumvents the unlearnability of all state-of-the-art methods in the literature and provides a reliable baseline for further evaluation of unlearnable techniques

    Effects of different dietary ratio of metabolizable glucose and metabolizable protein on growth performance, rumen fermentation, blood biochemical indices and ruminal microbiota of 8 to 10-month-old dairy heifers

    Objective: The aim of this experiment was to evaluate the effects of different dietary ratio of metabolizable glucose (MG) to metabolizable protein (MP) on growth performance, blood metabolites, rumen fermentation parameters and the ruminal microbial community of 8 to 10-month-old heifers. Methods: A total of 24 Holstein heifers weighing an average of 282.90 kg (8 months of age) were randomly assigned to four groups of six. The heifers were fed one of four diets of different dietary MG/MP (0.97, 1.07, 1.13, and 1.26). Results: The results showed that the ratio of MG/MP affected the growth performance, blood metabolites, rumen fermentation parameters and the ruminal microbial community of heifers. The average daily gain of heifers was enhanced by increasing the ratio of MG/MP (p<0.05). The concentration of blood urea nitrogen, cholesterol, and low density lipoprotein cholesterol as well as the concentration of total volatile fatty acid in the rumen fluid of heifers decreased with the improvement in the ratio of dietary MG/MP (p<0.05). However, the relative amount of Ruminococcus albus and Butyrivibrio fibrisolvens in the rumen of heifers was increased significantly (p<0.05) when the dietary MG/MP increased. At the same time, with the improvement in dietary MG/MP, the amount of Fibrobacter succinogenes increased (p = 0.08). Conclusion: A diet with an optimal ratio (1.13) of MG/MP was beneficial for the improvement of growth, rumen fermentation, dietary protein and energy utilization of 8 to 10-month-old dairy heifers in this experiment

    Potential molecular and cellular mechanisms of the effects of cuproptosis-related genes in the cardiomyocytes of patients with diabetic heart failure: a bioinformatics analysis

    Background: Diabetes mellitus is an independent risk factor for heart failure, and diabetes-induced heart failure severely affects patients’ health and quality of life. Cuproptosis is a newly defined type of programmed cell death that is thought to be involved in the pathogenesis and progression of cardiovascular disease, but the molecular mechanisms involved are not well understood. Therefore, we aimed to identify biomarkers associated with cuproptosis in diabetes mellitus-associated heart failure and the potential pathological mechanisms in cardiomyocytes. Materials: Cuproptosis-associated genes were identified from the previous publication. The GSE26887 dataset was downloaded from the GEO database. Methods: The consistency clustering was performed according to the cuproptosis gene expression. Differentially expressed genes were identified using the limma package, key genes were identified using the weighted gene co-expression network analysis (WGCNA) method, and these were subjected to immune infiltration analysis, enrichment analysis, and prediction of the key associated transcription factors. Consistency clustering identified three cuproptosis clusters. The differentially expressed genes for each were identified using limma and the most critical MEantiquewhite4 module was obtained using WGCNA. We then evaluated the intersection of the MEantiquewhite4 output with the three clusters, and obtained the key genes. Results: There were four key genes: HSDL2, BCO2, CORIN, and SNORA80E. HSDL2, BCO2, and CORIN were negatively associated with multiple immune factors, while SNORA80E was positively associated, and T-cells accounted for a major proportion of this relationship with the immune system. Four enriched pathways were found to be associated: arachidonic acid metabolism, peroxisomes, fatty acid metabolism, and dorsoventral axis formation, which may be regulated by the transcription factor MECOM, through a change in protein structure. Conclusion: HSDL2, BCO2, CORIN, and SNORA80E may regulate cardiomyocyte cuproptosis in patients with diabetes mellitus-associated heart failure through effects on the immune system. The product of the cuproptosis-associated gene LOXL2 is probably involved in myocardial fibrosis in patients with diabetes, which leads to the development of cardiac insufficiency

    Discussion on the theory and technical system framework of cooperative exploration of coal and strategic metal resources in coal-bearing strata

    The establishment of cooperative exploration model between coal and strategic metal resources in coal-bearing strata is the precondition for the transformation from strategic metal elements in coal-bearing strata to metal resources. The research on the basic theory and key technology of cooperative exploration of coal and strategic metal resources in coal-bearing strata is the core task of establishing cooperative exploration model. Based on the analysis of the basic characteristics of strategic metal elements in coal-bearing strata, the necessity of implementing the cooperative exploration of coal and strategic metal resources in coal-bearing strata is demonstrated. Through review on the evolution history of the concept of cooperative exploration, the relationship between comprehensive coal exploration and cooperative exploration is revealed, and considered that the cooperative exploration is the inheritance and development of comprehensive exploration, emphasizes the coordination and orderly and scientific organization in the process of comprehensive exploration of two or more mineral resources, and its core is the cooperative organization of exploration projects and cooperative implementation of key technologies. Based on the discussion on the principle of cooperative exploration of coal and strategic metal resources in coal-bearing strata, the theory and technical method system framework of cooperative exploration of coal and strategic metal resources in coal-bearing strata is put forward, which is the basis of establishing the model of cooperative exploration of coal and strategic metal resources in coal-bearing strata. 
The cooperative exploration of coal and strategic metal resources in coal-bearing strata should be based on the study of the enrichment and mineralization mechanism, combination types and occurrence rules of the strategic metal elements in coal-bearing strata, based on the multi-disciplinary theories of coal geology, ore deposit, geochemistry, geophysics and exploration engineering, and supported by the cooperative exploration technology system composed of key technologies such as precision drilling, fine geophysical exploration and fine geochemical exploration. Also, it should be based on the solid mineral exploration norms and other standards, follow the general principles of solid mineral resources exploration, comprehensive exploration and single mineral resource exploration, as well as the principles of research first, technical effectiveness, fine exploration, dynamic adjustment, zoning policy implementation, coordination and synchronization, and cooperate in the organization of exploration projects and implementation of key technologies, in order to achieve the balance of the best technical benefits and the best economic benefits of the cooperative exploration of coal and strategic metal resources in coal-bearing strata. On the basis of the completion of coal geological exploration tasks, it is expected to find out the geological characteristics and development geological conditions of the associated strategic metal resources, to obtain the corresponding resources or distribution characteristics of strategic metal elements, and to provide geological basis for the comprehensive development and utilization of mineral resources in coal-bearing strata. 
The core issues of cooperative exploration of coal and strategic metal resources in coal-bearing strata are as follows: determination of cooperative exploration objects, selection and cooperative implementation of exploration technologies, cooperative deployment of exploration projects, and scientific estimation of resources