Membership Inference Attacks Against Fine-tuned Diffusion Language Models

Diffusion Language Models (DLMs) represent a promising alternative to autoregressive language models, using bidirectional masked token prediction. Yet their susceptibility to privacy leakage via Membership Inference Attacks (MIA) remains critically underexplored. This paper presents the first systematic investigation of MIA vulnerabilities in DLMs. Unlike the autoregressive models’ single fixed prediction pattern, DLMs’ multiple maskable configurations exponentially increase attack opportunities. This ability to probe many independent masks dramatically improves detection chances. To exploit this, we introduce SAMA (Subset-Aggregated Membership Attack), which addresses the sparse signal challenge through robust aggregation. SAMA samples masked subsets across progressive densities and applies sign-based statistics that remain effective despite heavy-tailed noise. Through inverse-weighted aggregation prioritizing sparse masks’ cleaner signals, SAMA transforms sparse memorization detection into a robust voting mechanism. Experiments on nine datasets show SAMA achieves 30% relative AUC improvement over the best baseline, with up to 8 times improvement at low false positive rates. These findings reveal significant, previously unknown vulnerabilities in DLMs, necessitating the development of tailored privacy defenses.

💡 Research Summary

This paper delivers the first systematic study of membership inference attacks (MIAs) against diffusion language models (DLMs), focusing on the fine‑tuning stage where privacy risks are typically amplified. Unlike autoregressive models (ARMs) that generate a single left‑to‑right loss signal, DLMs predict masked tokens conditioned on arbitrary subsets of the input, yielding a loss difference Δ_DF(x; S) that depends on the chosen mask set S. The authors observe that this mask‑dependent signal is highly sparse: the variance caused by changing S (σ≈0.10) exceeds the average margin between members and non‑members (δ≈0.06). Consequently, a naïve Monte‑Carlo average of loss differences across random masks (Δ_avg) is ineffective because most masks produce noise that drowns out the rare memorization cues.

To exploit the abundance of independent probing opportunities while coping with signal sparsity, the authors propose SAMA (Subset‑Aggregated Membership Attack). SAMA consists of three key components:

1. Progressive Masking – The attack samples masks at several density levels (e.g., 10 % to 70 % of tokens). Sparse masks provide strong per‑token signals but few aggregation points; dense masks give many points but weaker individual signals. By sweeping densities the attacker gathers evidence at multiple scales.

2. Subset Aggregation with Sign Statistics – For each density level, multiple token subsets are sampled. Instead of averaging raw loss differences, the method records only the sign of each subset’s loss difference (sign(Δ_DF)). This binary vote is robust to outliers and heavy‑tailed noise, turning the problem into a majority‑vote test rather than a signal‑averaging one.

3. Inverse‑Weighted Aggregation – The final membership score is a weighted sum of the per‑density vote fractions, where the weight is inversely proportional to mask density. This gives higher influence to the cleaner, sparser masks that are more likely to reveal memorization.

The threat model assumes gray‑box access: the adversary can query the target DLM with arbitrary masked inputs and obtain token‑level probability distributions or logits. A reference model, ideally the pre‑trained base model from which the target was fine‑tuned, is also available for comparative loss computation. This mirrors real‑world scenarios where fine‑tuned weights are released alongside the original model.

Experiments are conducted on two state‑of‑the‑art DLMs—LLaDA‑8B‑Base and Dream‑v0‑Base‑7B—across nine datasets (six domain splits from MIMIR, WikiText‑103, AG News, XSum). Baselines include a wide range of existing MIA techniques: loss‑based, confidence‑based, reference‑based, and recent ARM‑specific attacks. Evaluation metrics focus on AUC and true‑positive rates at low false‑positive rates (e.g., TPR@FPR = 0.1 %). Results show that SAMA achieves an average AUC improvement of 30 % over the best baseline, with up to an 8‑fold increase in TPR at stringent FPR thresholds. Ablation studies confirm that both the sign‑based subset aggregation and the inverse‑density weighting are essential contributors to performance gains. When the ideal reference model is unavailable, using a surrogate reference (e.g., another fine‑tuned model with the same architecture) degrades performance only modestly, indicating the attack’s practicality.

The paper also discusses limitations. The attack relies on the ability to supply custom masked inputs; services that forbid such queries would reduce effectiveness. The multi‑mask sampling incurs non‑trivial computational overhead, which may be prohibitive for real‑time attacks without optimization. Finally, the work does not propose concrete defenses; it suggests that differential privacy, model smoothing, or mask‑noise injection could be promising directions for future research.

In conclusion, the authors demonstrate that diffusion language models expose a previously unrecognized privacy vulnerability: the combinatorial explosion of mask configurations creates many independent probes, and when aggregated intelligently, these probes reveal memorized training examples far more effectively than attacks on autoregressive models. This finding urges the community to reconsider privacy‑preserving training and deployment practices for DLMs, and it opens a new line of inquiry into defenses tailored to the bidirectional, mask‑based nature of diffusion language modeling.