Document Type : Research Article

Authors

Faculty of Computer Engineering, University of Isfahan, Isfahan, Iran

Abstract

Using generative models to produce unlimited synthetic samples is a popular alternative to sharing databases directly. The Generative Adversarial Network (GAN) is a popular class of generative models that produces synthetic samples closely resembling the real training data. However, GAN models do not necessarily guarantee training privacy, as they may memorize details of individual training samples. When such models are built from sensitive data, developers must ensure that the training dataset is adequately protected against privacy leakage; quantifying the privacy risk of these models is therefore essential. To this end, this paper focuses on evaluating the privacy risk of publishing the generator network of GAN models. Specifically, we present a novel white-box membership inference attack against GAN generators that exploits the information accessible to the adversary, i.e., the generator's weights and its synthetic samples. In the proposed attack, an auto-encoder is trained to distinguish member from non-member training records. We apply the attack to various kinds of GANs and evaluate its accuracy across model types and training configurations. The results demonstrate the superior performance of the proposed attack on non-private GANs compared to previous attacks with white-box generator access: its accuracy is, on average, 19% higher than that of comparable work. Like previous attacks, the proposed attack performs better against victim models trained on small training sets.
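The core intuition behind reconstruction-based membership inference against generators can be illustrated with a minimal, self-contained sketch. This is not the paper's method: the data, the linear (PCA-style) auto-encoder, and all names below are illustrative assumptions; the actual attack trains a neural auto-encoder using the victim generator's weights and samples. The sketch only shows the general principle that a model fitted to the generator's synthetic output reconstructs training members better than non-members, so low reconstruction error signals membership.

```python
import numpy as np

rng = np.random.default_rng(0)

# Hypothetical stand-in data: in the real attack, `synthetic` would be samples
# drawn from the published victim generator, which mimics its training members.
members = rng.normal(0.0, 1.0, size=(200, 8))                    # records the GAN saw
synthetic = members + rng.normal(0.0, 0.1, size=members.shape)   # generator output
non_members = rng.normal(3.0, 1.0, size=(200, 8))                # records never seen

def fit_linear_autoencoder(x, k):
    """Fit a linear auto-encoder (top-k principal components) on synthetic samples."""
    mu = x.mean(axis=0)
    _, _, vt = np.linalg.svd(x - mu, full_matrices=False)
    return mu, vt[:k]

def reconstruction_error(x, mu, comps):
    """Per-record squared reconstruction error under the auto-encoder."""
    z = (x - mu) @ comps.T        # encode into the latent subspace
    x_hat = z @ comps + mu        # decode back to input space
    return ((x - x_hat) ** 2).sum(axis=1)

mu, comps = fit_linear_autoencoder(synthetic, k=4)
err_in = reconstruction_error(members, mu, comps)
err_out = reconstruction_error(non_members, mu, comps)

# Records the auto-encoder reconstructs well are inferred to be members.
threshold = np.median(np.concatenate([err_in, err_out]))
guess_member = err_in < threshold
```

Because the auto-encoder is fitted only on generator output, members lie close to the learned subspace and yield low reconstruction error, while non-members do not; thresholding that error yields the membership decision.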

Keywords
