LGAI, Jul 10, 2025

Low Resource Reconstruction Attacks Through Benign Prompts

arXiv:2507.07947v2 | 1 citation | h-index: 20
Originality: Incremental advance
AI Analysis

This work highlights a privacy vulnerability for users of generative models, showing that even uninformed users can unintentionally reconstruct sensitive data. The advance is incremental, since it builds on domain-knowledge intuitions from prior work.

The authors tackle the problem of reconstructing training images from generative models with minimal resources and access, demonstrating that seemingly benign prompts can create privacy risks, such as a prompt like "blue Unisex T-Shirt" generating a real human face.

The recent advances in generative models such as diffusion models have raised several risks and concerns related to privacy, copyright infringements and data stewardship. To better understand and control the risks, various researchers have created techniques, experiments and attacks that reconstruct images, or parts of images, from the training set. While these techniques already establish that data from the training set can be reconstructed, they often rely on high resources, access to the training set, as well as well-engineered and designed prompts. In this work, we devise a new attack that requires low resources, assumes little to no access to the actual training set, and identifies seemingly benign prompts that lead to potentially risky image reconstruction. This highlights the risk that images might even be reconstructed by an uninformed user and unintentionally. For example, we identified that, with regard to one existing model, the prompt "blue Unisex T-Shirt" can generate the face of a real-life human model. Our method builds on an intuition from previous works which leverages domain knowledge and identifies a fundamental vulnerability that stems from the use of scraped data from e-commerce platforms, where templated layouts and images are tied to pattern-like prompts.
