R. Shokri, M. Stronato, C. Song and V.Shamatikov. Membership Inference Attacks Against Machine Learning Models. In IEEE Symposium on Security and Privacy (SP), pages 1–16. 2017.
 I. Goodfellow, J.Pougget-Abadie, M. Mirza, B.Xu, D. Warde-Farely, S. Ozair, A. Courvalle and Y. Bongio. Generative Adversarial Nets. In 27th International Conference on Neural Information Processing Systems, pages 2672-2680. 2014.
 D. Chen, N. Yu, Y. Zhang and M. Fritz. GAN-Leaks: A Taxonomy of Membership Inference Attacks against Generative Models. In the 2020 ACM SIGSAC Conference on Computer and Communications Security, pages 343-362. 2020.
 A. Salem, Y. Zhang, M. Humbert, M. Fritz, and M. Backes. ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models. In 26th Annual Network and Distributed System Security Symposium, pages 1-16. 2019.
 Y. Long, V. Bindschaedler, L. Wang, D. Bu, X. Wang, H. Tang, C. A. Gunter and K. Chen. Understanding Membership Inference in Well-Generalized Learning Models. arXiv:1802.04889. 2018.
 S. Yeom, I. Giacomelli, M. Fredrikson and S.Jha. Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting. In 2018 IEEE 31st Computer Security Foundations Symposium,pages 268-282. 2018.
 Y. Kaya, S. Hong, and T. Dumitras. On the Effectiveness of Regularization against Membership Inference Attacks. arXiv preprint arXiv:2006.05336. 2020.
 A. Sablayrolles, M. Douze, C. Schmid, Y. Ollivier and H. Jegou. White-box vs Black-box: Bayes Optimal Strategies for Membership Inference. In Proceedings of the 36th International Conference on Machine Learning, pages 1–11. 2019.
 Z. Li and Y. Zhang. Membership Leakage in Label-Only Exposures. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pages 880–895. 2021.
 C. A Choquette-Choo, F. Tramer, N. Carlini and N. Papernot. Label-only Membership Inference Attacks. In International Conference on Machine Learning, pages 1964–1974. 2021.
 Y. Long, L. Wang, D. Bu, V. Bindschaedler, X.Wang, H. Tang, C. A. Gunter, and K. Chen. A Pragmatic Approach to Membership Inferences on Machine Learning Models. In 2020 IEEE European Symposium on Security and Privacy, pages 521–534. 2020.
 S. Rezaei and X. Liu. On the Difficulty of Membership Inference Attacks. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 7892–7900. 2021.
 B. Hui, Y. Yang, H. Yuan, P. Burlina, N. Zhenqiang Gong, and Y. Cao. Practical Blind Membership Inference Attack via Differential Comparisons. In Network and Distributed Systems Security Symposium, pages 1–17. 2021.
 M. Nasr, R. Shokri and A. Houmansadr. Comprehensive Privacy Analysis of Deep Learning Stand-alone and Federated Learning under Passive and Active White-box Inference Attacks. In IEEE Symposium on Security and Privacy, pages 739–853. 2019.
 S. Kumar Murakonda, Reza Shokri. ML Privacy Meter: Aiding Regulatory Compliance by Quantifying the Privacy Risks of Machine Learning. In https://arxiv.org/abs/2007.09339. 2020.
 K. Leino and M. Fredrikson. Stolen Memories: Leveraging Model Memorization for Calibrated White-box Membership Inference. In 29th USENIX Security Symposium (USENIX Security 20), pages 1605–1622. 2021.
 J. Hayes, L. Melis, G. Denerzis and E. De Cristofaro. Stolen Memories: LOGAN: Membership Inference Attacks against Generative Models. In Proceedings on Privacy Enhancing Technologies,vol. 2019, no. 1, pages 133–152. 2019.
 B. Hilprecht, M. Harterich, and D. Bernau. Monte Carlo and Reconstruction Membership Inference Attacks against Generative Models. In Proceedings on Privacy Enhancing Technologies,vol. 4, pages 232–249. 2019.
 K. S. Liu, C. Xiao, B. Li, and J. Gao. Monte Carlo and Reconstruction Membership Inference Attacks against Generative Models. In Proceedings on Privacy Enhancing Technologies, vol. 4, pages 232–249. 2019.
 K. S. Liu, C. Xiao, B. Li, and J. Gao. Membership Inference Attacks against GANs by Leveraging Over representation Regions. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pages 2387–2389. 2021.
 X. Liu, Y. Xu, S. Mukherjee, J. L. Ferres. MACE: A Flexible Framework for Membership Privacy Estimation in Generative Models. arXiv:2009.05683. 2020.
 R. Webster, J. Rabin, L. Simon, and F. Jurie. This Person (Probably) Exists. Identity Membership Attacks Against GAN Generated Faces. arXiv preprint arXiv:2107.06018. 2021.
 J. Zhou, Y. Chen, C. Shen, and Y. Zhang. Property Inference Attacks againts GANs. arXiv preprint arXiv:2111.07608. 2021.
 R. Torkzadehmahani, P. Kairouz, and B. Paten. DP-CGAN: Differentially private synthetic data and label generation. In IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops (CVPRW),pages1–8. 2021.
 L. Xie, K. Lin, S. Wang, F. Wang, and J. Zhou.Differentially private generative adversarial network. arXiv preprint arXiv:1802.06739. 2018.
 C. Xu, J. Ren, D. Zhang, Y. Zhang, Z. Qin, and K. Ren. GANobfuscator: Mitigating information leakage under GAN via differential privacy. IEEE Transactions on Information Forensics and Security, vol. 14, no. 9, 2019, pages 2358–2371. 2019.
 X. Zhang, S. Ji, T. Wang. Differentially private releasing via deep generative model. arXiv preprint arXiv:1801.01594. 2018.
 M. Abadi, A. Chu, I. Goodfellow, H. B. McMahan, I. Mironov, K. Talwar, and L. Zhang. Deep learning with differential privacy. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security,pages 308-318. 2016.
 J. Jordon, J. Yoon, and M. Schaar. PATE-GAN: Generative synthetic data with differential privacy guarantees. In Seventh International Conference on Learning Representations,pages 1–21. 2019.
 N. Papernot, M. Abadi, U. Erlingsson, I. Goodfellow, and K. Talwar. Semi-supervised knowledge transfer for deep learning from private aggregator. In Proceedings of the International Conference on Learning Representations (ICLR),pages 1–17. 2017.
 Y. Long, S. Lin, Z. Yang, C. A. Gunter, and B. Li. Scalable differentially private generative student model via PATE. In arXiv preprint arXiv:1906.09338. 2019.
 B. Wang, F. Wu, Y. Long, L. Rimanic, C. Zhang, and B. Li. DataLens: Scalable privacy preserving training via gradient compression and aggregation. arXiv preprint arXiv: arXiv:2103.11109. 2021.
 D. Chen, T. Orekondy, and M. Fritz. GS-WGAN: A gradient-sanitized approach for learning differentially private generators. In 34th Conference on Neural Information Processing Systems, NeurIPS,pages 1–12. 2020.
 C. Han, and R. Xue. Differentially private GANs by adding noise to discriminator’s loss. Computer and Security, vol. 107, pages 1–14. 2021.
 M. Nasr, R. Shokri, and A. Houmansad. Machine learning with membership privacy using adversarial regularization. In the ACM SIGSAC Conference on Computer and Communications Security, pages 634–646. 2018.
 S. Mukherjee, Y. Xu, A. Trivedi, and J. Ferres. PrivGan: protecting GANs from membership inference attack at low cost. In Proceedings on Privacy Enhancing Technologies, pages 142–163. 2021.
 W. Hui Wang, H. Gao, and X. Shi. PAR-GAN: Improving the Generalization of Generative Adversarial Networks Against Membership Inference Attacks. In Proceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, pages 127–137. 2021.
 M. Arjovsky, S. Chintala, and L. Bottou. Wasserstein Generative Adversarial Networks. In International Conference on Machine Learning, pages 214–223. 2017.
 I. Gulrajani, F. Ahmed, M. Arjovsky, V. Dumoulin, and Aaron C. Courville. Improved Training of Wasserstein GANs. In Annual Conference on Neural Information Processing Systems(NIPS), pages 5767–5777. 2017.
 N. Kodali, J. Hays, J. Abernethy, Z. Kira. On Convergence and Stability of GANs. In ICLR 2018 Conference Blind Submission, pages 1–18. 2018.
 X. Mao, Q. Li, H. Xie, R. Y.K. Lau, Z. Wang, and S. P. Smolley. Least Squares Generative Adversarial Networks. In 2017 IEEE International Conference on Computer Vision, pages 1–17. 2017.
 A. Radford, L. Metz, and S. Chintala. Unsupervised representation learning with deep convolutional generative adversarial networks. In preprint arXiv:1511.06434. 2015.
 M. Heusel, H. Ramsauer, T. Unterthiner, B.Nessler, and S. Hochreiter. GANs Trained by a Two Time-Scale Update Rule Converge to a Local Nash Equilibrium. In Annual Conference on Neural Information Processing Systems (NIPS),pages 6626–6637. 2017.