Abstract:As diffusion probabilistic models (DPMs) are being employed as mainstream models for Generative Artificial Intelligence (GenAI), the study of their memorization of training data has attracted growing attention. Existing works in this direction aim to establish an understanding of whether or to what extent DPMs learn via memorization. Such an understanding is crucial for identifying potential risks of data leakage and copyright infringement in diffusion models and, more importantly, for trustworthy application of GenAI. Existing works revealed that conditional DPMs are more prone to training data memorization than unconditional DPMs, and the motivated data extraction methods are mostly for conditional DPMs. However, these understandings are primarily empirical, and extracting training data from unconditional models has been found to be extremely challenging. In this work, we provide a theoretical understanding of memorization in both conditional and unconditional DPMs under the assumption of model convergence. Our theoretical analysis indicates that extracting data from unconditional models can also be effective by constructing a proper surrogate condition. Based on this result, we propose a novel data extraction method named \textbf{Surrogate condItional Data Extraction (SIDE)} that leverages a time-dependent classifier trained on the generated data as a surrogate condition to extract training data from unconditional DPMs. Empirical results demonstrate that our SIDE can extract training data in challenging scenarios where previous methods fail, and it is, on average, over 50\% more effective across different scales of the CelebA dataset.

What problem does this paper attempt to address?

The paper attempts to address the issue of memorization in Diffusion Models (DPMs) when generating data. Specifically, the paper focuses on the following points: 1. **Understanding the Memorization Phenomenon**: Existing research mainly focuses on empirically understanding the memorization behavior of DPMs but lacks theoretical explanations. The paper aims to theoretically explain why conditional DPMs are more prone to memorizing training data than unconditional DPMs and why random labels lead to more memorization. 2. **Data Extraction Attacks**: Existing data extraction methods mainly target conditional DPMs, while extracting training data from unconditional DPMs is very difficult. The paper proposes a new data extraction method—Surrogate conditional Data Extraction (SIDE), to extract training data from unconditional DPMs. 3. **Evaluating the Method's Effectiveness**: The paper experimentally verifies the effectiveness of the SIDE method on different datasets, particularly on CIFAR-10 and various scales of the CelebA dataset, showing that the SIDE method outperforms existing methods in challenging scenarios. ### Main Contributions 1. **Proposing a New Memorization Metric**: The paper introduces a point-to-point memorization metric and proposes a theoretical framework to explain why conditional DPMs are more prone to memorizing data, why random labels lead to more memorization, and how implicit labels can serve as surrogate conditions for unconditional DPMs. 2. **Proposing the SIDE Method**: Based on theoretical understanding, the paper proposes a new data extraction method, SIDE, which uses implicit labels generated by time-dependent classifiers to extract training data from unconditional DPMs. 3. **Experimental Validation**: The paper conducts experiments on CIFAR-10 and various scales of the CelebA dataset, showing that the SIDE method improves average performance by over 50% compared to existing methods. ### Related Work 1. **Diffusion Probabilistic Models**: DPMs have shown excellent performance in image and video generation tasks, such as Stable Diffusion, DALL-E 3, etc. These models can destroy data structure through a forward diffusion process and then restore the data structure through a reverse diffusion process. 2. **Research on Memorization Phenomenon**: Early research mainly focused on the memorization phenomenon in language models, later extending to DPMs. Studies have shown that conditional DPMs are more prone to memorizing training data, and random labels exacerbate this phenomenon. Some studies have proposed methods to detect and mitigate memorization. 3. **Data Extraction Attacks**: Existing data extraction methods mainly target conditional DPMs, while extracting data from unconditional DPMs is very difficult. The paper proposes an effective method to solve this problem through theoretical analysis and experimental validation. ### Theoretical Framework 1. **Memorization Metric**: The paper defines a point-to-point memorization metric to quantify the overlap between generated data and training data. 2. **Theoretical Explanation**: The paper explains through the concept of information labels why conditional DPMs are more prone to memorizing data. Information labels can make data samples cluster more closely in latent space, reducing the variance of latent representations, thereby enhancing the model's memorization ability. 3. **Memorization in Unconditional DPMs**: The paper points out that the representations learned by unconditional DPMs can also serve as information labels. By constructing appropriate surrogate conditions, training data can be extracted from unconditional DPMs. ### Proposed Method 1. **Constructing Implicit Information Labels**: Using classifiers to generate implicit labels, which can provide guidance during the sampling process of the diffusion model. 2. **Time-Dependent Classifier**: Training a time-dependent classifier through time-dependent knowledge distillation methods to provide time-dependent guidance. 3. **SIDE Method**: Using the time-dependent classifier and the target DPM, extracting training data from the model through a conditional generation process. ### Experimental Results 1. **Datasets**: The paper conducts experiments on the CelebA-HQ-Face-Identity, CelebA-25000, and CIFAR-10 datasets. 2. **Performance Metrics**: The paper evaluates the performance of the proposed method on these datasets, showing significant improvements over existing methods.

Towards a Theoretical Understanding of Memorization in Diffusion Models

Extracting Training Data from Unconditional Diffusion Models

On Memorization in Diffusion Models

Detecting, Explaining, and Mitigating Memorization in Diffusion Models

Towards Memorization-Free Diffusion Models

An Inversion-based Measure of Memorization for Diffusion Models

Investigating Memorization in Video Diffusion Models

Unveiling and Mitigating Memorization in Text-to-image Diffusion Models through Cross Attention

Generative Modeling with Explicit Memory

Understanding (Un)Intended Memorization in Text-to-Image Generative Models

Iterative Ensemble Training with Anti-Gradient Control for Mitigating Memorization in Diffusion Models

Memorized Images in Diffusion Models share a Subspace that can be Located and Deleted

Finding NeMo: Localizing Neurons Responsible For Memorization in Diffusion Models

Memory in Plain Sight: Surveying the Uncanny Resemblances of Associative Memories and Diffusion Models

Unconditional Latent Diffusion Models Memorize Patient Imaging Data: Implications for Openly Sharing Synthetic Data

MemControl: Mitigating Memorization in Diffusion Models via Automated Parameter Selection

Uncovering Latent Memories: Assessing Data Leakage and Memorization Patterns in Frontier AI Models

Investigating Data Memorization in 3D Latent Diffusion Models for Medical Image Synthesis

A Geometric Framework for Understanding Memorization in Generative Models

Embedding Space Selection for Detecting Memorization and Fingerprinting in Generative Models