Copyright Infringement Detection
in Text-to-Image Diffusion Models
via Differential Privacy

Problem Settings

Detection of copyright infringement faces several practical challenges, such as scalability, inaccessibility of training data, conditional input unavailability, and insufficient theoretical guarantees. In light of these issues, our work operates under a realistic and challenging set of assumptions:

 (1) white-box access to a pretrained model.
 (2) absence of corresponding input prompt.
 (3) inaccessibility of training data.

Privacy Vulnerabilities

Differential privacy (DP) is a formal notion of algorithmic privacy, which aims to prevent the release of private information. Algorithms with DP guarantee that the model’s output does not reveal whether any single individual’s data is used.

However, Previous researches (e.g., membership inference, data extraction) have revealed significant privacy vulnerabilities in the outputs of diffusion models. So we hypothesize that diffusion models exhibit almost no conditional differential privacy, but with much more publicity.

Formalization of Copyright (Non-)Infringement

We reinterprete the detection of copyright infringement as the compliance with or violation of conditional differential publicity. Specifically, when a particular concept, such as the neighborhood images of a target image, is present or absent in the training data, it can significantly alter the model’s output in response to prompts associated with that concept. In other words:

Differential Privacy = Copyright Non-Infringement (Datapoint not in the Training Dataset)
Violation of Differential Privacy = Copyright Infringement (Datapoint in the Training Dataset)

Copyright infringement can be defined as:

Definition 1 (Copyright Infringement). Let $x_{c}\in D_{C}$ denote a copyrighted data point or concept, and $p$ be an input (e.g., a text prompt) semantically aligned with $x_{c}$. We say that model $G$ trained on $D$ infringes upon $x_{c}$ if there exists a measurable subset $S\subseteq\{G(p_{i})\mid p_{i}\in U(p)\}$ such that:

$$\Pr[G(\theta_{D},p)\in S]\gg\Pr[G(\theta_{D^{\prime}},p)\in S],$$

where $D^{\prime}=D\setminus\{x_{c}\}$ is a neighboring dataset.

Definition 2 (Copyright Non-Infringement). Let $x$ be a non-infringed data point or concept such that $x\notin D$ for all training datasets considered. We say that model $G$ does not infringe upon $x$ if for any input $p$ and for all measurable subsets $S\subseteq\{G(p_{i})\mid p_{i}\in U(p)\}$ such that:

$$\Pr[G(\theta_{D},p)\in S]=\Pr[G(\theta_{D^{\prime}},p)\in S].$$

To allow for a relaxed setting, we say that $G$ satisfies approximate non-infringement if the following $(\epsilon,\delta)$-differential privacy holds:

$$\Pr[G(\theta_{D},p)\in S]\leq e^{\epsilon}\cdot\Pr[G(\theta_{D^{\prime}},p)\in S]+\delta,$$

where $D$ and $D^{\prime}$ are any neighboring training datasets, and $\theta_{D}$, $\theta_{D^{\prime}}$ denote the model parameters trained on $D$ and $D^{\prime}$ respectively.

Measurement of Copyright Infringement

We introduce a new metric, conditional sensitivity, a principal metric for quantifying the extent of publicity and standardizing the confidence score of copyright infringement:

$$CS(M,\hat{x}_{i})=\max_{D,D^{\prime}:D\triangle D^{\prime}\leq\{\hat{x}_{i}\}}\left|M(D)-M(D^{\prime})\right|$$

where $D$ and $D^{\prime}$ are neighboring datasets that differ by the inclusion or exclusion of the conditional datapoint $\hat{x}_{i}$, and the function $M(D)$ denotes the output of a query function when trained on dataset $D$. In DPM framework, we use CLIP image encoder as a query function to capture the semantics similarity between two outputs.

Since the presence or absence of the target data point in the training dataset is unknown, the inclusion or exclusion of the conditional datapoint could be simulated by fine-tuning a model in two opposing directions: learning to include (D+) and unlearning to exclude (D-).

We visualize the discrepancy in conditional sensitivity in Fig.1, where the larger change observed in infringed samples compared to non-infringed ones validates its use as a reliable measurement.

Step1: Prepare a target image to be detected. Pay attention that images without specific charateristic may not be considered to infringe copyright on law and cannot be detected (e.g., landscape photos).

Step2: Extract and filter a core concept. It aims to exclude content not protected by copyright law, ensuring the accuracy of the detection results. And we will collect photos associated with ONLY this concept in the next step.

Step3: Construct image-prompt pair. As fine-tuning model needs several images related to the concept, we construct a neighborhood of the target concept as our training dataset, consisting of similar semantics to be detected, and then specify a general prompt (format as: a photo of [V] [class]) with identifier (e.g., “[V]”, “sks”).

Step4: D-Plus-Minus detection framework (Branch Training & Assessment). We fine-tune the model into two branches (learning and unlearning) with the constructed image-prompt pair. To assess the effect of the concept on the model’s generation behavior, we compare the outputs between a fine-tuned model and the original model under the same relevant text prompt via conditional sensitivity metric (cosine similarity of CLIP encoder embeddings).

Step5: Statistical analysis. We construct a reference distribution by generating orthogonal images, clarifying the global parameter shifts. Since this step is time-consuming, we can omit this step, and the detection result is still accurate.

Output: Confidence score of copyright infringement. By merging the two branches together, we can get the D-Plus-Minus score ranging in [0,1].

Quantitative Detection Metrics

Models are run separately on the classes of CIDD dataset in different models. Merged Total means that the ΔCS(·) are normalized altogether, while others are normalized within the class.

Class	SD1.4		SDXL-1.0		SANA-0.6B		FLUX.1
	AUC ↑	SoftAcc ↑	AUC ↑	SoftAcc ↑	AUC ↑	SoftAcc ↑	AUC ↑	SoftAcc ↑
Human Face	0.9011	0.8058	0.7011	0.6289	0.8062	0.7285	0.7531	0.6419
Architecture	0.8021	0.7106	0.9256	0.8488	0.9043	0.8224	0.9500	0.8606
Arts Painting	0.8555	0.7604	0.8881	0.8550	0.8140	0.7204	0.7326	0.6935
Weighted Average	0.8584	0.7644	0.8170	0.7523	0.8398	0.7571	0.8122	0.7247
Merged Total	0.8071	0.6726	0.7800	0.7234	0.7914	0.6855	0.8257	0.7039

Qualitative visualization of two branches across different timesteps

As the figure shows, models tend to learn and unlearn faster with infringed samples, while slower on non-infringed ones, and cannot learn exact elements in the target images.

To comprehensively categorize copyright infringement in generative models, we propose a hierarchical taxonomy containing four levels of content resemblance:

Level	Categories	Examples
Level 1	Technics	—
Level 2	Content	Human Face*
Level 3-1	Structure	Architecture*
Level 3-2	Style	Arts Painting*
Level 4	Semantics	Plots & Themes

Table: Hierarchical Categories of Copyright Infringement. It is ordered from low-level perceptual features to high-level conceptual constructs. “*” means the used classes in CIDD dataset.

Copyright Infringement Detection Dataset (CIDD) contains several classes of orthogonal prompts and three image classes that are most likely to be infringed, mapping to Level 2&3: human face, architecture, and arts painting.

Crucially, CIDD includes both infringed and non-infringed concepts, each of which is annotated with a binary infringement label based on its source and content provenance, and is paired with 3 to 6 neighbourhood images, enabling robust learning and evaluation under weak and probabilistic assumptions.

You can download the CIDD dataset here.