Volume 2021 (2021): Issue 3 (July 2021)
Journal Details
License
Format: Journal
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Access type: Open Access

privGAN: Protecting GANs from membership inference attacks at low cost to utility

Published Online: 27 Apr 2021
Page range: 142 - 163
Received: 30 Nov 2020
Accepted: 16 Mar 2021
Abstract

Generative Adversarial Networks (GANs) have made the release of synthetic images a viable approach to sharing data without releasing the original dataset. It has been shown that such synthetic data can be used for a variety of downstream tasks, such as training classifiers that would otherwise require the original dataset to be shared. However, recent work has shown that GAN models and their synthetically generated data can be used to infer training set membership by an adversary who has access to the entire dataset and some auxiliary information. Current approaches to mitigate this problem (such as DPGAN [1]) lead to dramatically poorer generated sample quality than the original non-private GANs. Here we develop a new GAN architecture (privGAN), in which the generator is trained not only to cheat the discriminator but also to defend against membership inference attacks. The new mechanism is shown empirically to provide protection against this mode of attack while leading to negligible loss in downstream performance. In addition, our algorithm is shown to explicitly prevent memorization of the training set, which explains why our protection is so effective. The main contributions of this paper are: i) we propose a novel GAN architecture that can generate synthetic data in a privacy-preserving manner with minimal hyperparameter tuning and architecture selection; ii) we provide a theoretical understanding of the optimal solution of the privGAN loss function; iii) we empirically demonstrate the effectiveness of our model against several white-box and black-box attacks on several benchmark datasets; iv) we empirically demonstrate on three common benchmark datasets that synthetic images generated by privGAN lead to negligible loss in downstream performance when compared against non-private GANs.
While we have focused on benchmarking privGAN exclusively on image datasets, its architecture is not specific to images and can easily be extended to other types of data. Repository link: https://github.com/microsoft/privGAN.
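The abstract describes a generator trained against two objectives at once: fooling its paired discriminator and defeating membership inference. A minimal numpy sketch of that combined objective is below. All names (`privgan_generator_loss`, `dp_probs`, `lam`) and the exact form of the privacy term are illustrative assumptions, not the repository's code: it assumes the data is split across several generator/discriminator pairs and that an internal "privacy discriminator" D_p outputs a softmax over which generator produced a sample, which each generator is then trained to confuse.

```python
import numpy as np

def privgan_generator_loss(d_score, dp_probs, gen_id, lam=1.0, eps=1e-12):
    """Combined loss for one synthetic sample from generator `gen_id`.

    d_score  : scalar in (0, 1), own discriminator's "real" probability.
    dp_probs : length-N array, privacy discriminator's softmax over
               the N generators.
    gen_id   : index of the generator that produced the sample.
    lam      : weight of the privacy term.
    """
    # Standard non-saturating GAN term: fool the paired discriminator.
    adv = -np.log(d_score + eps)
    # Privacy term (assumed form): penalize D_p confidently identifying
    # the true source generator, discouraging memorization of any one split.
    priv = np.log(dp_probs[gen_id] + eps)
    return adv + lam * priv

# With N = 2 generators: a sample that leaves D_p uncertain about its
# source incurs a lower loss than one D_p can trace back to generator 0.
confused = privgan_generator_loss(0.9, np.array([0.50, 0.50]), gen_id=0)
traced = privgan_generator_loss(0.9, np.array([0.99, 0.01]), gen_id=0)
print(confused < traced)  # → True
```

In a real training loop the privacy discriminator would itself be updated adversarially to identify the source generator, so the two terms pull the generators toward a shared distribution rather than toward their individual training splits.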

[1] L. Xie, K. Lin, S. Wang, F. Wang, and J. Zhou, "Differentially private generative adversarial network," arXiv preprint arXiv:1802.06739, 2018.

[2] H. A. Piwowar and T. J. Vision, "Data reuse and the open data citation advantage," PeerJ, vol. 1, p. e175, 2013.

[3] R. Shokri, M. Stronati, C. Song, and V. Shmatikov, "Membership inference attacks against machine learning models," in 2017 IEEE Symposium on Security and Privacy (SP), pp. 3–18, IEEE, 2017.

[4] Y. Long, V. Bindschaedler, L. Wang, D. Bu, X. Wang, H. Tang, C. A. Gunter, and K. Chen, "Understanding membership inferences on well-generalized learning models," arXiv preprint arXiv:1802.04889, 2018.

[5] L. Song, R. Shokri, and P. Mittal, "Membership inference attacks against adversarially robust deep learning models," in 2019 IEEE Security and Privacy Workshops (SPW), pp. 50–56, IEEE, 2019.

[6] S. Truex, L. Liu, M. E. Gursoy, L. Yu, and W. Wei, "Demystifying membership inference attacks in machine learning as a service," IEEE Transactions on Services Computing, 2019.

[7] S. Yeom, I. Giacomelli, M. Fredrikson, and S. Jha, "Privacy risk in machine learning: Analyzing the connection to overfitting," in 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pp. 268–282, IEEE, 2018.

[8] M. Nasr, R. Shokri, and A. Houmansadr, "Machine learning with membership privacy using adversarial regularization," in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 634–646, 2018.

[9] J. Jia, A. Salem, M. Backes, Y. Zhang, and N. Z. Gong, "MemGuard: Defending against black-box membership inference attacks via adversarial examples," in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 259–274, 2019.

[10] J. Li, N. Li, and B. Ribeiro, "Membership inference attacks and defenses in supervised learning via generalization gap," arXiv preprint arXiv:2002.12062, 2020.

[11] A. Salem, Y. Zhang, M. Humbert, P. Berrang, M. Fritz, and M. Backes, "ML-Leaks: Model and data independent membership inference attacks and defenses on machine learning models," arXiv preprint arXiv:1806.01246, 2018.

[12] C. Han, H. Hayashi, L. Rundo, R. Araki, W. Shimoda, S. Muramatsu, Y. Furukawa, G. Mauri, and H. Nakayama, "GAN-based synthetic brain MR image generation," in 2018 IEEE 15th International Symposium on Biomedical Imaging (ISBI 2018), pp. 734–738, IEEE, 2018.

[13] X. Yi, E. Walia, and P. Babyn, "Generative adversarial network in medical imaging: A review," Medical Image Analysis, p. 101552, 2019.

[14] R. Zheng, L. Liu, S. Zhang, C. Zheng, F. Bunyak, R. Xu, B. Li, and M. Sun, "Detection of exudates in fundus photographs with imbalanced learning using conditional generative adversarial network," Biomedical Optics Express, vol. 9, no. 10, pp. 4863–4878, 2018.

[15] K. S. Liu, B. Li, and J. Gao, "Generative model: Membership attack, generalization and diversity," CoRR, abs/1805.09898, 2018.

[16] J. Hayes, L. Melis, G. Danezis, and E. De Cristofaro, "LOGAN: Membership inference attacks against generative models," Proceedings on Privacy Enhancing Technologies, vol. 2019, no. 1, pp. 133–152, 2019.

[17] D. Chen, N. Yu, Y. Zhang, and M. Fritz, "GAN-Leaks: A taxonomy of membership inference attacks against GANs," arXiv preprint arXiv:1909.03935, 2019.

[18] B. Hilprecht, M. Härterich, and D. Bernau, "Monte Carlo and reconstruction membership inference attacks against generative models," Proceedings on Privacy Enhancing Technologies, vol. 2019, no. 4, pp. 232–249, 2019.

[19] B. Jayaraman, L. Wang, D. Evans, and Q. Gu, "Revisiting membership inference under realistic assumptions," arXiv preprint arXiv:2005.10881, 2020.

[20] C. Dwork, A. Roth, et al., "The algorithmic foundations of differential privacy," Foundations and Trends® in Theoretical Computer Science, vol. 9, no. 3–4, pp. 211–407, 2014.

[21] J. Jordon, J. Yoon, and M. van der Schaar, "PATE-GAN: Generating synthetic data with differential privacy guarantees," 2018.

[22] M. Abadi, A. Chu, I. Goodfellow, H. B. McMahan, I. Mironov, K. Talwar, and L. Zhang, "Deep learning with differential privacy," in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 308–318, ACM, 2016.

[23] R. Torkzadehmahani, P. Kairouz, and B. Paten, "DP-CGAN: Differentially private synthetic data and label generation," in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition Workshops, 2019.

[24] M. Mirza and S. Osindero, "Conditional generative adversarial nets," arXiv preprint arXiv:1411.1784, 2014.

[25] L. Fan, "A survey of differentially private generative adversarial networks," in The AAAI Workshop on Privacy-Preserving Artificial Intelligence, 2020.

[26] W. Mou, Y. Zhou, J. Gao, and L. Wang, "Dropout training, data-dependent regularization, and generalization bounds," in International Conference on Machine Learning, pp. 3645–3653, 2018.

[27] M. Arjovsky, S. Chintala, and L. Bottou, "Wasserstein GAN," arXiv preprint arXiv:1701.07875, 2017.

[28] I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio, "Generative adversarial nets," in Advances in Neural Information Processing Systems, pp. 2672–2680, 2014.

[29] R. M. Dudley, "Distances of probability measures and random variables," in Selected Works of RM Dudley, pp. 28–37, Springer, 2010.

[30] D. P. Kingma and J. Ba, "Adam: A method for stochastic optimization," arXiv preprint arXiv:1412.6980, 2014.

[31] S. M. Bellovin, P. K. Dutta, and N. Reitinger, "Privacy and synthetic datasets," Stan. Tech. L. Rev., vol. 22, p. 1, 2019.

[32] X. Liu, Y. Xu, S. Mukherjee, and J. L. Ferres, "MACE: A flexible framework for membership privacy estimation in generative models," arXiv preprint arXiv:2009.05683, 2020.
