← Back to Library

How Diffusion Models Memorize

Authors: Juyeop Kim, Songkuk Kim, Jong-Seok Lee

Published: 2025-09-30

arXiv ID: 2509.25705v1

Added to Library: 2025-12-08 18:01 UTC

📄 Abstract

Despite their success in image generation, diffusion models can memorize training data, raising serious privacy and copyright concerns. Although prior work has sought to characterize, detect, and mitigate memorization, the fundamental question of why and how it occurs remains unresolved. In this paper, we revisit the diffusion and denoising process and analyze latent space dynamics to address the question: "How do diffusion models memorize?" We show that memorization is driven by the overestimation of training samples during early denoising, which reduces diversity, collapses denoising trajectories, and accelerates convergence toward the memorized image. Specifically: (i) memorization cannot be explained by overfitting alone, as training loss is larger under memorization due to classifier-free guidance amplifying predictions and inducing overestimation; (ii) memorized prompts inject training images into noise predictions, forcing latent trajectories to converge and steering denoising toward their paired samples; and (iii) a decomposition of intermediate latents reveals how initial randomness is quickly suppressed and replaced by memorized content, with deviations from the theoretical denoising schedule correlating almost perfectly with memorization severity. Together, these results identify early overestimation as the central underlying mechanism of memorization in diffusion models.

🔍 Key Points

  • FocusAgent introduces an innovative method for observation pruning in web agents, utilizing a lightweight Large Language Model (LLM) retriever to selectively extract relevant lines from accessibility tree (AxTree) observations, thereby significantly reducing computational costs and improving efficiency in processing extensive web page data.
  • The proposed method allows for more effective reasoning by removing irrelevant context, which also decreases the risk of security vulnerabilities, such as prompt injection attacks, by filtering out potentially harmful content before processing.
  • Experimental results demonstrate that FocusAgent maintains performance levels comparable to traditional approaches while achieving over 50% reduction in observation size, indicating its practical applicability in real-world scenarios.
  • FocusAgent's capability to effectively mitigate the success rates of prompt-injection attacks shows its dual role in enhancing both operational performance and security, paving the way for safer web agent deployment.
  • The release of open-source code for FocusAgent provides a tool for further research and development in observation pruning techniques for web agents and enhances community engagement in improving agent performance and safety.

💡 Why This Paper Matters

This paper is significant as it addresses critical challenges in web agent development, specifically the need for efficient and secure processing of large amounts of contextual data. By introducing FocusAgent, it presents a novel pruning mechanism that not only improves performance but also bolsters security against emerging threats such as prompt injections. These dual benefits are crucial for advancing the robustness of AI agents in both research and real-world applications.

🎯 Why It's Interesting for AI Security Researchers

For AI security researchers, this paper is of particular interest as it tackles the pressing issue of security vulnerabilities in web agents, especially those arising from prompt injection attacks. The focus on integrating security measures within the agent's operational framework—rather than as an afterthought—demonstrates a proactive approach to building resilient AI systems. Additionally, the insights gained from the FocusAgent method could inspire further exploration of LLMs in enhancing the safety and reliability of AI applications across various domains.

📚 Read the Full Paper

📄 View on arXiv 📎 Download PDF