Using small tricks to excavate the diffusion model, the generated images are almost replicas of the original training data, and privacy is about to be exposed.

Denoising diffusion models are an emerging class of generative neural networks that generate images from a training distribution through an iterative denoising process. Diffusion models produce higher quality samples and are easier to scale and control than previous methods such as GANs and VAEs. As a result, after rapid development, they can already produce high-resolution images, and there is great public interest in large models such as DALL-E 2.

The beauty of generative diffusion models lies in their ability to synthesize new images that are, superficially, unlike anything in the training set. In fact, past large-scale training efforts have not found overfitting to be a problem. Researchers in privacy-sensitive fields have even suggested that diffusion models can be used to protect privacy by generating synthetic examples in place of real images. This line of work rests on the assumption that diffusion models do not memorize and regenerate training data. If a model did memorize and regenerate its training data, that would violate all privacy guarantees and breed many problems with model generalization and digital forgery.

In this paper, researchers from Google, DeepMind and other institutions demonstrate that SOTA diffusion models can indeed memorize and regenerate individual training examples.


Paper address: https://arxiv.org/pdf/2301.13188v1.pdf

First, the research proposes and implements a new definition of memorization in image models. Then, the study designs a two-stage data extraction attack that generates images using standard methods and flags some of them. The study applied the method to Stable Diffusion and Imagen, resulting in the extraction of more than 100 nearly identical copies of training images, which ranged from personally identifiable photos to trademarked logos (Figure 1).


To better understand how and why memorization happens, the researchers trained hundreds of diffusion models on CIFAR10 to analyze the impact of model accuracy, hyperparameters, augmentation, and deduplication on privacy. Diffusion models are the least private form of image model evaluated in the study, leaking twice as much training data as GANs. Worse, the research also finds that existing privacy-enhancing technologies fail to provide acceptable privacy-utility trade-offs. Overall, this paper highlights the tension that exists between increasingly powerful generative models and data privacy, and raises questions about how diffusion models work and how they can be deployed appropriately.

Why do you want to do this research?

There are two motivations behind understanding how diffusion models remember and regenerate training data.

The first is to understand the privacy risks. Diffusion models that regenerate data scraped from the Internet may pose privacy and copyright risks similar to those of language models. For example, it has been pointed out that memorizing and regenerating copyrighted text and source code are potential indicators of infringement. Likewise, copying an image created by a professional artist is called digital forgery, and it is a subject of debate in the art world.

The second is to understand generalization. In addition to data privacy, understanding how and why diffusion models memorize training data helps in understanding their ability to generalize. For example, a common question with large-scale generative models is whether their impressive results come from true generation or from directly copying and remixing the training data. By studying memorization, it is possible to provide a concrete empirical description of the rate at which generative models perform such data replication.

Extracting data from SOTA diffusion models

Extracting data from Stable Diffusion

The study first extracts training data from Stable Diffusion, the largest and most popular open source diffusion model.

This extraction applies the method of previous work to images and consists of two steps:

1. Use the diffusion model with a standard sampling method to generate multiple examples, using the known prompts from the previous section.

2. Perform inference to separate the model's novel generations from generations that are memorized training examples.

To evaluate the effectiveness of the attack, the study selected the 350,000 most repeated examples from the training dataset and generated 500 candidate images for each prompt (175 million generated images in total).

First, the study sorts all these generated images to determine which ones are likely to have been generated by memorizing the training data. Each of these generated images is then compared to the training images under Definition 1 in the paper, and each image is annotated as extracted or not extracted. The study found that 94 images were extracted. To ensure that these images did not just fit some arbitrary definition, the study also manually annotated the first 1,000 generated images through visual analysis as either memorized or not memorized. Another 13 (total 109 images) were found to be almost copies of the training examples, even though they did not meet the study's L_2 norm definition. Figure 3 shows a subset of the extracted images, which are reproduced with near-perfect pixel accuracy.


Given the annotated, ordered set of images, the study also computes a curve that evaluates the number of extracted images against the false positive rate of the attack. The attack is exceptionally accurate: out of 175 million generated images, 50 memorized images could be identified with 0 false positives, and all memorized images could be extracted with over 50% accuracy. Figure 4 contains precision-recall curves for both definitions of memorization.
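The annotation and curve steps described above can also be run by a model owner as a memorization audit against their own training set. The following is an added example, not code from the paper or the original article; the 0.15 threshold, the ranking scores, the function names and the 4-pixel sample images are assumptions constructed for illustration.

```python
import math

DELTA = 0.15  # assumed distance threshold; the page does not state one

def l2_distance(a, b):
    """Root-mean-square pixel difference between two equal-sized images in [0, 1]."""
    if len(a) != len(b):
        raise ValueError("images must have the same number of pixels")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)) / len(a))

def annotate(candidates, training, delta=DELTA):
    """Mark a generated candidate as extracted if a training image lies within delta.

    candidates: list of (score, pixels); training: dict of name -> pixels.
    Returns rows (score, nearest_name, distance, extracted), highest score first.
    """
    rows = []
    for score, pixels in candidates:
        name, dist = min(((n, l2_distance(pixels, t)) for n, t in training.items()),
                         key=lambda item: item[1])
        rows.append((score, name, dist, dist < delta))
    return sorted(rows, key=lambda r: r[0], reverse=True)

def precision_curve(rows):
    """Per cutoff k: (k, extracted so far, false positives so far, precision)."""
    curve, hits = [], 0
    for k, row in enumerate(rows, start=1):
        hits += row[3]
        curve.append((k, hits, k - hits, hits / k))
    return curve

def hits_at_zero_fp(curve):
    """Largest number of extracted images reached before the first false positive."""
    return max((hits for _, hits, fp, _ in curve if fp == 0), default=0)

# Constructed sample data: 4-pixel greyscale "images", not real model output.
# The scores stand in for the ordering the study applies to its generations.
TRAINING = {"train_a": [0.1, 0.9, 0.5, 0.3], "train_b": [0.8, 0.2, 0.4, 0.7]}
CANDIDATES = [
    (0.97, [0.1, 0.9, 0.5, 0.3]),      # exact copy of train_a
    (0.91, [0.82, 0.22, 0.38, 0.7]),   # near copy of train_b
    (0.60, [0.5, 0.5, 0.5, 0.5]),      # novel image
    (0.55, [0.15, 0.85, 0.45, 0.35]),  # near copy of train_a, ranked low
]

if __name__ == "__main__":
    curve = precision_curve(annotate(CANDIDATES, TRAINING))
    for k, hits, fp, prec in curve:
        print(f"top-{k}: extracted={hits} false_pos={fp} precision={prec:.2f}")
    print("extracted at 0 false positives:", hits_at_zero_fp(curve))
```

The low-ranked near copy shows why both numbers matter: the threshold decides what counts as extracted, while the ordering decides how many of those are found before the first false positive.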


Extracting data from Imagen

Although Stable Diffusion is currently the best choice among publicly available diffusion models, some non-public models have achieved stronger performance using larger models and datasets. Previous research has found that larger models are more likely to memorize training data, so this study looked at Imagen, a 2 billion parameter text-to-image diffusion model.

Surprisingly, the research found that attacking out-of-distribution images is more effective in Imagen than in Stable Diffusion. On Imagen, the study tried to extract the 500 images with the highest out-of-distribution (OOD) scores. Imagen memorizes and copies 3 of these images (which are unique in the training data set). In contrast, when the study applied the same method to Stable Diffusion, it failed to identify any memorized images even after trying to extract the 10,000 most outlier samples. Therefore, Imagen is less private than Stable Diffusion on both duplicated and non-duplicated images. This may be because Imagen uses a larger model than Stable Diffusion and therefore memorizes more images. Additionally, Imagen trains for more iterations on smaller datasets, which can also raise the level of memorization.


Statement
This article is reproduced from 51CTO.COM. If there is any infringement, please contact admin@php.cn to have it deleted.