The ISC International Journal of Information Security

A Fine-Grained Hybrid Inversion-Based Membership Inference Attack Against GANs

Document Type : Research Article

Author

Maryam Azadmanesh

Faculty of Electrical and Computer Engineering, University of Birjand, Birjand, Iran

https://doi.org/10.22042/isecure.2025.216445
Abstract
Generative Adversarial Networks (GANs) are commonly used in various applications. Different membership inference attacks have been carried out against GANs. However, the accuracy of these attacks decreases with a large number of training samples, and there have been no attacks conducted against privacy-preserving GAN models with dependent or independent datasets. Therefore, this paper proposes a fine-grained inversion-based attack. In this proposed attack, fine-grained reconstruction error is utilized to infer the membership or non-membership of given samples. To calculate the
reconstruction error, an inversion-based encoder is trained, and the latent code obtained from the encoder is refined using a Genetic Algorithm. The membership status of the candidate target sample is determined using the reconstruction error of the segmentations of the target sample. The proposed attack can be executed by accessing the generator network in both black and white-box settings. The accuracy of the proposed attack is compared with other relevant studies, demonstrating its superior performance. Furthermore, the results indicate that privacy-preserving mechanisms do not ensure that dependent data does not disclose information about individual samples.

Keywords

Membership Inference Attack
Generative Adversarial Network
Privacy
Inversion Methods
[1] I. Goodfellow, J.Pougget-Abadie, M. Mirza, B. Xu, D. Warde-Farely, S. Ozair, A. Courvalle and Y. Bongio. Generative Adversarial Nets. In 27th International Conference on Neural Information Processing Systems, pages 2672-2680. 2014.
[2] A. Salem, G. Cherubin, D. Evans, and B. Kopf. SoK: Let the Privacy Games Begin! A Unified Treatment of Data Inference Privacy in Machine Learning. In 2023 IEEE Symposium on Security and Privacy (SP), pages 1–20. 2023.
[3] J. Hayes, L. Melis, G. Denerzis and E. De Cristofaro. Stolen Memories: LOGAN: Membership Inference Attacks against Generative Models. In Proceedings on Privacy Enhancing Technologies, vol. 2019, no. 1, pages 133–152. 2019.
[4] H. Hu and J. Pang. Membership Inference Attacks against GANs by Leveraging Over-representation Regions. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pages 2387–2389. 2021.
[5] B. V. Breugel, H. Sun, H., Z. Qian, and M. Schaar. Membership inference attacks against synthetic data through overfitting detection. arXiv preprint arXiv:2302.12580. 2023.
[6] B. Hilprecht, M. Harterich, and D. Bernau. Monte Carlo and Reconstruction Membership Inference Attacks against Generative Models. In Proceedings on Privacy Enhancing Technologies, vol. 4, pages 232–249. 2019.
[7] K. S. Liu, C. Xiao, B. Li, and J. Gao. Performing co-membership attacks against deep generative models. In 2019 IEEE International Conference on Data Mining (ICDM), pages 459–467. 2019.
[8] D. Chen, N. Yu, Y. Zhang and M. Fritz. GAN-Leaks: A Taxonomy of Membership Inference Attacks against Generative Models. In the 2020 ACM SIGSAC Conference on Computer and Communications Security, pages 343-362. 2020.
[9] M. Azadmanesh, B. Shahgholi Ghahfarokhi and M. Ashouri Talouki. A white-box generator membership inference attack against generative models. In 18th International ISC Conference on Information Security and Cryptology, pages 13–17. 2021.
[10] M. Azadmanesh, B. Shahgholi Ghahfarokhi and M. Ashouri Talouki. An Auto-Encoder based Membership Inference Attack Against Generative Adversarial Network. The ISC International Journal of Information security, vol. 15, no. 2, pages
240–253. 2023.
[11] Z. Zhang, C. Yan and A. M. Bradley. Membership inference attacks against synthetic health data. Journal of Biomedical Informatics, vol. 125, pages 1-12. 2022.
[12] H. Sun, T. Zhu, J. Li, S. Ji and W. Zhou. Attribute-Based Membership Inference Attacks and Defenses on GANs. IEEE Transactions on Dependable and Secure Computing, vol. 99, pages 1–18. 2023.
[13] T. Humphries, S. Oya, L. Tulloch, M. Rafuse, I.Goldberg, U. Hengartner, and F. Kerschbaum. Investigating Membership Inference Attacks under Data Dependencies. In 2023 IEEE 36th Computer Security Foundations Symposium (CSF), pages
194–209. 2023.
[14] T. Karras, S. Laine, and T. Aila. A style-based generator architecture for generative adversarial networks. In IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2019, Computer Vision Foundation, pages 4401-4410. 2019.
[15] V. Nagarajan and J. Z. Kolter. Gradient descent GAN optimization is locally stable. In 18th International ISC Conference on Information Security and Cryptology, pages 5591–5600. 2017.
[16] M. Arjovsky, S. Chintala and L. Bottou. Wasserstein generative adversarial networks. In International Conference on Machine Learning, pages 214–223. 2017.
[17] M. Mirza and S. Osindero. Conditional generative adversarial nets. arXiv preprint arXiv:1411.1784 2014.
[18] A. Odena, C. Olah and J. Shlens. Conditional image synthesis with auxiliary classifier GANs. In Proceedings of the 34th International Conference on Machine Learning, pages 2642-2651. 2017.
[19] T. Karras, T. Aila, S. Laine, and J. Lehtinen. Progressive growing of GANs for improved quality, stability, and variation. In Progressive growing of GANs for improved quality, stability, and variation, pages 1-26. 2018.
[20] I. Gulrajani, F. Ahmed, M. Arjovsky, V. Dumoulin and C. Aaron. Improved training of Wasserstein GANs. In Annual Conference on Neural Information Processing Systems (NIPS), pages 5767-5777. 2017.
[21] X. Mao, Q. Li, H. Xie, R. Lau, Z. Wang, and S.Smolley S. Least Squares Generative Adversarial Networks. In In 2017 IEEE International Conference on Computer Vision, pages 1-17. 2017.
[22] J Zhu, T. Park, P. Isola, and A. Efros. Unpaired image-to-image translation using cycle-consistent adversarial networks. In Proceedings of the IEEE international conference on computer vision, pages 2223-2232. 2017.
[23] C. Hardy, E. Le Merrer, and B. Sericola. MD-GAN: Multi-discriminator generative adversarial networks for distributed datasets. In Proceedings IEEE International Parallel and Distributed Processing Symposium (IPDPS), pages 866-877. 2019.
[24] W. Xia, Y. Zhang, Y. Yang, J. Xue, B. Zhou, and M. Yang. GAN Inversion: A Survey. IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 45, no. 3, pages 3123-3138. 2023.
[25] Q. Feng, C. Guo, F. Benitez-Quiroz, and A. M.Martinez. When do gans replicate? on the choice of dataset size. In 2021 IEEE/CVF International Conference on Computer Vision, pages 6681–6690. 2021.
[26] Y. Yazici, C. Foo, S. Winkler, K. Yap, and V. Chandrasekhar. Empirical analysis of overfitting and mode drop in GAN training. In IEEE International Conference on Image Processing, pages 1651–1655. 2021.
[27] A. Radford, L. Metz, and S. Chintala. Unsupervised representation learning with deep convolutional generative adversarial networks. In preprint arXiv:1511.06434. 2015.
[28] C. Xu, J. Ren, D. Zhang, Y. Zhang, Z. Qin, and K. Ren. GANobfuscator: Mitigating information leakage under GAN via differential privacy. IEEE Transactions on Information Forensics and Security, vol. 14, no. 9, 2019, pages 2358–2371. 2019.
The ISC International Journal of Information Security
Volume 17, Issue 2
July 2025
Pages 189-198

Home

AI Policies

Guide for Authors

Submit Manuscript

Contact Us