Image AutoRegressive generation has emerged as a new powerful paradigm. Specifically, image autoregressive models (IARs) surpass state-of-the-art diffusion models (DMs) in both image quality (FID: 1.48 vs. 1.58) and generation speed. However, the privacy risks associated with IARs remain unexplored, raising concerns regarding their responsible deployment. To address this gap, we conduct a comprehensive privacy analysis of IARs with respect to DMs, which serve as reference points. We develop a novel membership inference attack (MIA) that achieves an exceptionally high success rate in detecting training images (with a TPR@FPR=1% of 94.57% vs. 6.38% for DMs). We leverage our novel MIA to provide dataset inference (DI) for IARs, which requires as few as 4 samples to detect dataset membership (compared to 200 for DI in DMs). Finally, we reconstruct hundreds of training data points from an IAR (e.g., 698 from VAR-d30). Our results demonstrate a fundamental privacy-utility trade-off: while IARs excel in image generation quality and speed, they are also significantly more vulnerable to privacy attacks compared to DMs. This trend suggests that utilizing techniques from DMs within IARs, such as modeling the per-token probability distribution using a diffusion procedure, can potentially help to mitigate the vulnerability of IARs to privacy attacks.
A suitable conda environment named `iars_priv` can be created and activated with:

```bash
conda env create -f environment.yaml
conda activate iars_priv

# Clone the model repositories
git clone https://github.com/FoundationVision/VAR
git clone https://github.com/LTH14/mar
git clone https://github.com/bytedance/1d-tokenizer
mv 1d-tokenizer rar
```

Also, change `from models.diffloss import DiffLoss` to `from mar.models.diffloss import DiffLoss` in `mar/models/mar.py`.
In case of a GLIBCXX import error, run `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:[YOUR_PATH_TO_CONDA]/envs/iars_priv/lib`.
The scripts will download the models by themselves.
- ImageNet: Download train and validation ImageNet LSVRC 2012 splits.
For each model, run

```bash
python3 -u main.py +attack=$attack +model=$model +dataset=imagenet +dataset.split=$split
```

Substitute `$split` with `train` and `val`. For attacking VAR and RAR set `attack=llm_mia_cfg`, and for MAR: `llm_mia_loss`.
Then, run analysis/mia_performance.py to obtain TPR@FPR=1% for all IARs. The results will be in the analysis/plots/mia_performance folder.
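To make the reported metric concrete, the following added example (not the repository's `analysis/mia_performance.py`) computes TPR at a fixed FPR from per-sample attack scores. The function name, the score convention (higher means more likely a member) and the sample scores are assumptions constructed for illustration.

```python
# Added illustration; not code from this repository.
import math
import random


def tpr_at_fpr(member_scores, nonmember_scores, target_fpr=0.01):
    """Return (tpr, threshold, achieved_fpr) for the rule: score > threshold => "member".

    Assumption: higher score = more likely a training member. For a
    loss-style score where lower means member, negate the scores first.
    """
    if not member_scores or not nonmember_scores:
        raise ValueError("both score lists must be non-empty")
    if not 0.0 <= target_fpr <= 1.0:
        raise ValueError("target_fpr must be in [0, 1]")
    neg = sorted(nonmember_scores, reverse=True)
    # Maximum number of non-members we may flag without exceeding the FPR budget.
    budget = math.floor(target_fpr * len(neg) + 1e-9)
    # Flag only scores strictly above the (budget+1)-th largest non-member score,
    # so tied scores can never push the achieved FPR over the target.
    threshold = neg[budget] if budget < len(neg) else float("-inf")
    fp = sum(s > threshold for s in neg)
    tp = sum(s > threshold for s in member_scores)
    return tp / len(member_scores), threshold, fp / len(neg)


if __name__ == "__main__":
    # Constructed scores: members (train split) shifted upward relative to
    # non-members (val split). These are not results from the paper.
    rng = random.Random(0)
    members = [rng.gauss(2.0, 1.0) for _ in range(5000)]
    nonmembers = [rng.gauss(0.0, 1.0) for _ in range(5000)]
    tpr, thr, fpr = tpr_at_fpr(members, nonmembers, 0.01)
    print(f"threshold={thr:.3f}  FPR={fpr:.4f}  TPR@FPR=1%={tpr:.4f}")
```

The threshold is calibrated on non-member (validation) scores only, which is why both the `train` and `val` splits have to be scored before the metric can be computed.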
Run `analysis/di.py`. Make sure to limit the CPU usage, e.g., by using `taskset -c 0-10 python3 analysis/di.py` to use only 10 cores, if you work in a shared computing ecosystem. This script will output the results of DI on IARs to `analysis/plots/di/di_results.csv`.
```bash
for model in var_30 rar_xxl
do
    for idx in {0..8}
    do
        python3 -u main.py +attack=mem_info +model=$model +dataset=imagenet +dataset.split=train cfg.run_id=1M_${idx} cfg.n_samples_eval=140000 +dataset.gpu_cnt=8 +dataset.gpu_idx=$idx
    done
done

for model in mar_h
do
    for idx in {0..8}
    do
        python3 -u main.py +attack=mem_info_mar +model=$model +dataset=imagenet +dataset.split=train cfg.run_id=1M_${idx} cfg.n_samples_eval=140000 +dataset.gpu_cnt=8 +dataset.gpu_idx=$idx
    done
done
```

We suggest running these in a distributed GPU environment. The scripts are parallelizable.
```bash
for model in var_30 rar_xxl mar_h
do
    python3 -u main.py +attack=gen_memorized +model=$model +dataset=imagenet +dataset.split=train
done

for model in var_30 rar_xxl mar_h
do
    python3 -u main.py +attack=find_memorized +model=$model +dataset=imagenet +dataset.split=train
done
```

Finally, a `{model}_memorized_train.csv` will be obtained in `analysis/plots/memorization`. To find the memorized samples, do
```python
import pandas as pd

model = "var_30"  # one of: var_30, rar_xxl, mar_h
df = pd.read_csv(f"analysis/plots/memorization/{model}_memorized_train.csv")
print(df.loc[df.cosine_30>0.75].shape[0], "samples extracted from", model) # for VAR and RAR
print(df.loc[df.cosine_5>0.75].shape[0], "samples extracted from", model) # for MAR
```

If you found our work helpful, please cite us using the following BibTeX:
```bibtex
@InProceedings{kowalczuk2025privacy,
  title     = {Privacy Attacks on Image {A}uto{R}egressive Models},
  author    = {Kowalczuk, Antoni and Dubi\'{n}ski, Jan and Boenisch, Franziska and Dziedzic, Adam},
  booktitle = {Proceedings of the 42nd International Conference on Machine Learning},
  pages     = {31667--31695},
  year      = {2025},
  volume    = {267},
  series    = {Proceedings of Machine Learning Research},
  month     = {13--19 Jul},
  publisher = {PMLR},
  pdf       = {https://raw.githubusercontent.com/mlresearch/v267/main/assets/kowalczuk25a/kowalczuk25a.pdf},
  url       = {https://proceedings.mlr.press/v267/kowalczuk25a.html},
}
```

We would like to thank Bihe Zhao for identifying a configuration issue in our VAR experiments.
