Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in [1].
Privacy-Preserving Low-Rank Adaptation Against Membership Inference Attacks for Latent Diffusion Models
Authors: Zihao Luo, Xilie Xu, Feng Liu, Yun Sing Koh, Di Wang, Jingfeng Zhang
AAAI 2025 | Venue PDF | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Our experimental results corroborate that SMP-LoRA can indeed defend against MI attacks and generate high-quality images. To evaluate the performance of SMP-LoRA, we conducted adaptation experiments using Stable Diffusion v1.5 (CompVis 2022) on the Pokemon (Pinkney 2022) and CelebA (Liu et al. 2015) datasets, respectively. Figure 1d shows that, although MP-LoRA (orange square marker) lowers the ASR to near-random levels, it significantly degrades the image generation capability of LoRA, as evidenced by a high FID score of 2.10 and the poor visual quality in Figure 1c. In contrast, SMP-LoRA (blue pentagon marker) effectively preserves membership privacy without significantly sacrificing generated image quality, as evidenced by its FID score of 0.32 and ASR of 51.97%. |
| Researcher Affiliation | Academia | Zihao Luo^1\*, Xilie Xu^2\*, Feng Liu^3, Yun Sing Koh^1, Di Wang^4, Jingfeng Zhang^{1,4}. ^1 The University of Auckland, ^2 National University of Singapore, ^3 The University of Melbourne, ^4 King Abdullah University of Science and Technology. Contact: Jingfeng Zhang <jingfeng.zhang@auckland.ac.nz>. |
| Pseudocode | Yes | The algorithm of MP-LoRA is shown in Algorithm 2 (Appendix A of the extended version (Luo et al. 2024)). The implementation of SMP-LoRA is detailed in Algorithm 1. At each training step, SMP-LoRA first updates the proxy attack model by maximizing the MI gain and then updates the LDM by minimizing the training loss L_SPL.<br><br>**Algorithm 1: Stable Membership-Privacy-preserving LoRA**<br>**Input:** training dataset D_tr for the adaptation process; auxiliary dataset D_aux = D^m_aux ∪ D^nm_aux; a pre-trained LDM f_θ; a proxy attack model h_ω parameterized by ω; learning rates η1 and η2<br>**Output:** an SMP-LoRA for LDMs<br>1: Perform low-rank decomposition on f_θ to obtain f_{θ+BA} (B and A are trainable LoRA modules)<br>2: **for** each epoch **do**<br>3: &nbsp;&nbsp;**for** each training iteration **do**<br>4: &nbsp;&nbsp;&nbsp;&nbsp;Sample batches S^m and S^nm from D^m_aux and D^nm_aux<br>5: &nbsp;&nbsp;&nbsp;&nbsp;Calculate the MI gain G on S^m ∪ S^nm<br>6: &nbsp;&nbsp;&nbsp;&nbsp;Update the parameters ω ← ω + η1·∇_ω G<br>7: &nbsp;&nbsp;&nbsp;&nbsp;Sample a fresh batch from D_tr<br>8: &nbsp;&nbsp;&nbsp;&nbsp;Calculate the training loss L = L_SPL<br>9: &nbsp;&nbsp;&nbsp;&nbsp;Update parameters A ← A − η2·∇_A L and B ← B − η2·∇_B L, respectively<br>10: &nbsp;&nbsp;**end for**<br>11: **end for** |
| Open Source Code | Yes | Code: https://github.com/WilliamLUO0/StablePrivateLoRA |
| Open Datasets | Yes | To evaluate the performance of SMP-LoRA, we conducted adaptation experiments using Stable Diffusion v1.5 (CompVis 2022) on the Pokemon (Pinkney 2022) and CelebA (Liu et al. 2015) datasets, respectively. In our experiment, we utilized four datasets: Pokemon (Pinkney 2022), CelebA (Liu et al. 2015), AFHQ (Choi et al. 2020), and MS-COCO (Lin et al. 2014). |
| Dataset Splits | Yes | The model achieves this by constructing an auxiliary dataset D_aux, which consists of half of the member data from D_tr, denoted as D^m_aux, and an equal amount of local non-member data D^nm_aux. We created several subsets from CelebA, including CelebA Small and CelebA Large, both balanced with equal image contribution per individual, as well as CelebA Gender and CelebA Varying, which are imbalanced with a 7:3 gender ratio and varied image contributions per individual, respectively. |
| Hardware Specification | No | The paper does not provide specific hardware details (e.g., GPU/CPU models, memory amounts) used for running its experiments in the main text. |
| Software Dependencies | Yes | We utilized the official pretrained Stable Diffusion v1.5 (CompVis 2022) for LDMs to build the LoRA module, with specific model hyperparameters detailed in Table 5 (Appendix E). |
| Experiment Setup | Yes | We utilized the official pretrained Stable Diffusion v1.5 (CompVis 2022) for LDMs to build the LoRA module, with specific model hyperparameters detailed in Table 5 (Appendix E). Ablation studies cover the important hyperparameters: the coefficient λ, the learning rate η2, and the LoRA rank r. For the coefficient λ, Table 6 (Appendix F) presents the performance of SMP-LoRA with λ ∈ {1.00, 0.50, 0.10, 0.05, 0.01} across the Pokemon, CelebA Small, and CelebA Large datasets. As λ decreases from 1.00 to 0.01, the FID and KID scores gradually decrease, while ASR increases and AUC deviates further from 0.5, suggesting that a lower λ shifts the focus more towards minimizing adaptation loss rather than protecting membership privacy. |
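The alternating optimization quoted in the Pseudocode row (attack model ascends on MI gain G, then the LoRA factors A, B descend on a privacy-regularized training loss) can be sketched on a toy problem. Everything specific below is an illustrative assumption, not the paper's formulation: a frozen linear map stands in for the pre-trained LDM, the proxy attack h_ω is a simple logistic model on per-example losses, and the defender objective uses the additive form L_adapt + λ·G as a stand-in for the paper's L_SPL.

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy stand-in for the pre-trained model: a frozen linear map W0,
# adapted as W0 + B @ A with trainable low-rank LoRA factors of rank r.
d, r = 8, 2
W0 = rng.normal(size=(d, d))
A = rng.normal(size=(r, d))   # A: random init
B = np.zeros((d, r))          # B: zero init, so the adapter starts as a no-op

def adapted(X):
    """Forward pass of the adapted model f_{theta+BA}."""
    return X @ (W0 + B @ A).T

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

# Member training data D_tr and local non-member auxiliary data.
X_tr = rng.normal(size=(32, d)); Y_tr = rng.normal(size=(32, d))
X_m, Y_m = X_tr[:16], Y_tr[:16]                                   # D^m_aux
X_nm = rng.normal(size=(16, d)); Y_nm = rng.normal(size=(16, d))  # D^nm_aux

# Proxy attack h_omega: logistic model on per-example reconstruction loss.
w, b = 0.0, 0.0

def per_example_loss(X, Y):
    return ((adapted(X) - Y) ** 2).mean(axis=1)

def mi_gain():
    """Attack log-likelihood G: members labeled 1, non-members 0."""
    pm = sigmoid(w * per_example_loss(X_m, Y_m) + b)
    pnm = sigmoid(w * per_example_loss(X_nm, Y_nm) + b)
    return np.log(pm + 1e-12).mean() + np.log(1 - pnm + 1e-12).mean()

def defender_objective():
    """Adaptation loss plus lambda times the attacker's gain (stand-in for L_SPL)."""
    return ((adapted(X_tr) - Y_tr) ** 2).mean() + lam * mi_gain()

def num_grad(f, P, eps=1e-5):
    """Central-difference gradient of scalar f() w.r.t. array P (mutated in place)."""
    g = np.zeros_like(P)
    for i in np.ndindex(P.shape):
        P[i] += eps; fp = f()
        P[i] -= 2 * eps; fm = f()
        P[i] += eps
        g[i] = (fp - fm) / (2 * eps)
    return g

lam, eta1, eta2 = 0.05, 0.5, 0.01
loss_before = ((adapted(X_tr) - Y_tr) ** 2).mean()

for step in range(150):
    # (1) Update the proxy attack omega by gradient ascent on the MI gain G
    #     (analytic logistic-regression gradients).
    lm, lnm = per_example_loss(X_m, Y_m), per_example_loss(X_nm, Y_nm)
    pm, pnm = sigmoid(w * lm + b), sigmoid(w * lnm + b)
    w += eta1 * (((1 - pm) * lm).mean() - (pnm * lnm).mean())
    b += eta1 * ((1 - pm).mean() - pnm.mean())
    # (2) Update the LoRA factors A, B by gradient descent on the combined loss.
    A -= eta2 * num_grad(defender_objective, A)
    B -= eta2 * num_grad(defender_objective, B)

loss_after = ((adapted(X_tr) - Y_tr) ** 2).mean()
```

Because the defender minimizes λ·G while the attacker maximizes G, the adapter is pushed toward member/non-member losses that the proxy attack cannot separate; lowering λ (as in the Table 6 ablation) shifts the balance back toward the adaptation loss.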