Researchers Identify High-Frequency Bias in Membership Inference Attacks on Diffusion Models

Global: Researchers Identify High-Frequency Bias in Membership Inference Attacks on Diffusion Models

Scientists have uncovered a systematic bias that affects the accuracy of membership inference attacks (MIAs) targeting diffusion‑based image generators. The bias stems from the way these models handle high‑frequency image components, leading to misclassification of training data as non‑members and vice‑versa. The discovery was reported in a recent arXiv preprint that formalizes existing attacks within a unified framework.

Unified Attack Paradigm

The authors first reorganized current MIA techniques into a single general paradigm that computes a membership score for each query image. By expressing disparate methods under a common mathematical structure, the study enables direct comparison of their strengths and weaknesses.

High‑Frequency Deficiency

Empirical analysis revealed that diffusion models exhibit a pronounced deficiency in processing high‑frequency information. As a result, images containing richer high‑frequency content are more likely to be labeled as hold‑out samples, while smoother images tend to be flagged as members of the training set.

Theoretical Insight

Through a formal proof, the researchers demonstrated that this high‑frequency shortfall reduces the statistical advantage that attacks rely on to differentiate members from non‑members. The theory explains why existing attacks underperform when confronted with the identified bias.

Proposed Mitigation

To address the issue, the paper introduces a plug‑and‑play high‑frequency filter that can be inserted into any attack operating under the unified paradigm. The module requires no additional computational overhead and works by attenuating the problematic frequency components before the membership score is calculated.

Experimental Validation

Extensive experiments across multiple datasets and diffusion architectures showed that incorporating the filter consistently improves attack performance. Baseline methods that previously struggled to exceed random guessing achieved notable gains in true positive rates after the filter’s integration.

Broader Impact

The findings highlight a previously overlooked privacy vulnerability in popular generative models and suggest a straightforward avenue for strengthening attack evaluations. By improving the reliability of MIAs, the work may inform future guidelines for responsible model deployment and data protection.

This report is based on information from arXiv, licensed under Academic Preprint / Open Access. Based on the abstract of the research paper. Full text available via ArXiv.