Privacy Attacks on Image AutoRegressive Models

Download PDF

Antoni Kowalczuk, Jan Dubiński, Franziska Boenisch, Adam Dziedzic

Published: 01 May 2025, Last Modified: 18 Jun 2025ICML 2025 posterEveryoneRevisionsBibTeXCC BY 4.0
TL;DR: We design new methods to assess the privacy leakage from the image autoregressive models and show that they provide better performance, however, also leak more private information than diffusion models.
Abstract: Image AutoRegressive generation has emerged as a new powerful paradigm with image autoregressive models (IARs) matching state-of-the-art diffusion models (DMs) in image quality (FID: 1.48 vs. 1.58) while allowing for a higher generation speed. However, the privacy risks associated with IARs remain unexplored, raising concerns regarding their responsible deployment. To address this gap, we conduct a comprehensive privacy analysis of IARs, comparing their privacy risks to the ones of DMs as reference points. Concretely, we develop a novel membership inference attack (MIA) that achieves a remarkably high success rate in detecting training images (with a True Positive Rate at False Positive Rate = 1% of 86.38% vs. 6.38% for DMs with comparable attacks). We leverage our novel MIA to provide dataset inference (DI) for IARs, and show that it requires as few as 6 samples to detect dataset membership (compared to 200 for DI in DMs), confirming a higher information leakage in IARs. Finally, we are able to extract hundreds of training data points from an IAR (e.g., 698 from VAR-*d*30). Our results suggest a fundamental privacy-utility trade-off: while IARs excel in image generation quality and speed, they are *empirically* significantly more vulnerable to privacy attacks compared to DMs that achieve similar performance. We release the code at https://github.com/sprintml/privacy_attacks_against_iars for reproducibility.
Lay Summary: People constantly try to find better ways of generating images using AI models. Recently, a new class of image generative models was introduced. These novel models generate images in the same way chatbots like ChatGPT generate text, treating images like sequences of words. Previously, it was common for models to generate images by iteratively removing noise, which was slow. In our work we compare these two classes of models from the perspective of data privacy. It often happens that these models, trained on vast amounts of data, leak private information. They might replicate images from their training data, or leak other types of sensitive information, for example, if they were trained on medical data. Although the new models are faster, scale better, and generate high quality images, we show that they leak significantly more information than their predecessors. In some cases they tend to leak orders of magnitude more private data, sometimes replicating hundreds of images from their training sets.
Link To Code: https://github.com/sprintml/privacy_attacks_against_iars
Primary Area: Deep Learning->Generative Models and Autoencoders
Keywords: image autoregressive models, diffusion models, dataset inference, membership inference, data extraction
Submission Number: 2590