Dominik Hintersdorf

My research focuses on the privacy and security of deep learning systems. As deep learning increasingly powers real-world applications, the data used to train these models becomes ever more critical. Many of these applications require models to be both reliable and secure, particularly when sensitive data, such as medical records or personal images, is involved in the training process. In my work, I investigate potential threats to the safety and security of deep learning models and develop strategies to mitigate these risks.

I received my Masters from TU Darmstadt and I am currenctly a PhD student at TU Darmstadt and the German Research Center for AI (DFKI) under the supervision of Prof. Kristian Kersting.

news

Apr 6, 2025	Our Workshop “The Impact of Memorization on Trustworthy Foundation Models” has been accepted at ICML 2025. You can find the CFP here.
Mar 26, 2025	I sucessfully submitted my PhD thesis titled “Understanding and Mitigating Privacy Risks in Vision and Multi-Modal Models”.
Oct 10, 2024	Our paper Class Attribute Inference Attacks: Inferring Sensitive Class Information by Diffusion-Based Attribute Manipulations was accepted at the AdvML Frontiers Workshop at NeurIPS 2024!

selected publications

ECAI

Defending Our Privacy With Backdoors

Dominik Hintersdorf, Lukas Struppek, Daniel Neider, and Kristian Kersting

In Proceedings of the 27th European Conference on Artificial Intelligence , 2024

Abs PDF Code

The proliferation of large AI models trained on uncurated, often sensitive web-scraped data has raised significant privacy concerns. One of the concerns is that adversaries can extract information about the training data using privacy attacks. Unfortunately, the task of removing specific information from the models without sacrificing performance is not straightforward and has proven to be challenging. We propose a rather easy yet effective defense based on backdoor attacks to remove private information such as names and faces of individuals from vision-language models by fine-tuning them for only a few minutes instead of re-training them from scratch. Specifically, through strategic insertion of backdoors into text encoders, we align the embeddings of sensitive phrases with those of neutral terms-"a person" instead of the person’s actual name. For image encoders, we map embeddings of individuals to be removed from the model to a universal, anonymous embedding. Our empirical results demonstrate the effectiveness of our backdoor-based defense on CLIP by assessing its performance using a specialized privacy attack for zero-shot classifiers. Our approach provides not only a new "dual-use" perspective on backdoor attacks, but also presents a promising avenue to enhance the privacy of individuals within models trained on uncurated web-scraped data.
JAIR

Does CLIP Know My Face?

Dominik Hintersdorf, Lukas Struppek, Manuel Brack, Felix Friedrich, Patrick Schramowski, and 1 more author

Journal of Artificial Intelligence Research, 2024

Abs PDF Code

With the rise of deep learning in various applications, privacy concerns around the protection of training data have become a critical area of research. Whereas prior studies have focused on privacy risks in single-modal models, we introduce a novel method to assess privacy for multi-modal models, specifically vision-language models like CLIP. The proposed Identity Inference Attack (IDIA) reveals whether an individual was included in the training data by querying the model with images of the same person. Letting the model choose from a wide variety of possible text labels, the model reveals whether it recognizes the person and, therefore, was used for training. Our large-scale experiments on CLIP demonstrate that individuals used for training can be identified with very high accuracy. We confirm that the model has learned to associate names with depicted individuals, implying the existence of sensitive information that can be extracted by adversaries. Our results highlight the need for stronger privacy protection in large-scale models and suggest that IDIAs can be used to prove the unauthorized use of data for training and to enforce privacy laws.
NeurIPS

Finding NeMo: Localizing Neurons Responsible For Memorization in Diffusion Models

*Dominik Hintersdorf, *Lukas Struppek, Kristian Kersting, Adam Dziedzic, and Franziska Boenisch

In Proceedings of the 38th Conference on Neural Information Processing Systems (NeurIPS) , 2024

Abs PDF Code

Diffusion models (DMs) produce very detailed and high-quality images. Their power results from extensive training on large amounts of data — usually scraped from the internet without proper attribution or consent from content creators. Unfortunately, this practice raises privacy and intellectual property concerns, as DMs can memorize and later reproduce their potentially sensitive or copyrighted training images at inference time. Prior efforts prevent this issue by either changing the input to the diffusion process, thereby preventing the DM from generating memorized samples during inference, or removing the memorized data from training altogether. While those are viable solutions when the DM is developed and deployed in a secure and constantly monitored environment, they hold the risk of adversaries circumventing the safeguards and are not effective when the DM itself is publicly released. To solve the problem, we introduce NeMo, the first method to localize memorization of individual data samples down to the level of neurons in DMs’ cross-attention layers. Through our experiments, we make the intriguing finding that in many cases, single neurons are responsible for memorizing particular training samples. By deactivating these memorization neurons, we can avoid the replication of training data at inference time, increase the diversity in the generated outputs, and mitigate the leakage of private and copyrighted data. In this way, our NeMo contributes to a more responsible deployment of DMs.