1. bookVolume 2019 (2019): Issue 1 (January 2019)
Journal Details
First Published
16 Apr 2015
Publication timeframe
4 times per year
access type Open Access

LOGAN: Membership Inference Attacks Against Generative Models

Published Online: 24 Dec 2018
Volume & Issue: Volume 2019 (2019) - Issue 1 (January 2019)
Page range: 133 - 152
Received: 31 May 2018
Accepted: 16 Sep 2018
Journal Details
First Published
16 Apr 2015
Publication timeframe
4 times per year

Generative models estimate the underlying distribution of a dataset to generate realistic samples according to that distribution. In this paper, we present the first membership inference attacks against generative models: given a data point, the adversary determines whether or not it was used to train the model. Our attacks leverage Generative Adversarial Networks (GANs), which combine a discriminative and a generative model, to detect overfitting and recognize inputs that were part of training datasets, using the discriminator’s capacity to learn statistical differences in distributions. We present attacks based on both white-box and black-box access to the target model, against several state-of-the-art generative models, over datasets of complex representations of faces (LFW), objects (CIFAR-10), and medical images (Diabetic Retinopathy). We also discuss the sensitivity of the attacks to different training parameters, and their robustness against mitigation strategies, finding that defenses are either ineffective or lead to significantly worse performances of the generative models in terms of training stability and/or sample quality.


[1] M. Abadi, A. Chu, I. Goodfellow, H. B. McMahan, I. Mironov, K. Talwar, and L. Zhang. Deep learning with differential privacy. In CCS, 2016.10.1145/2976749.2978318Search in Google Scholar

[2] Y. Aono, T. Hayashi, L. Wang, S. Moriai, et al. Privacy-preserving deep learning: Revisited and Enhanced. In ATIS, 2017.Search in Google Scholar

[3] M. Arjovsky, S. Chintala, and L. Bottou. Wasserstein GAN. arXiv 1701.07875, 2017.Search in Google Scholar

[4] G. Ateniese, L. V. Mancini, A. Spognardi, A. Villani, D. Vitali, and G. Felici. Hacking smart machines with smarter ones: How to extract meaningful data from machine learning classifiers. International Journal of Security and Networks, 2015.10.1504/IJSN.2015.071829Search in Google Scholar

[5] M. Backes, P. Berrang, M. Humbert, and P. Manoharan. Membership Privacy in MicroRNA-based Studies. In CCS, 2016.10.1145/2976749.2978355Search in Google Scholar

[6] B. K. Beaulieu-Jones, Z. S. Wu, C. Williams, and C. S. Greene. Privacy-preserving generative deep neural networks support clinical data sharing. bioRxiv, 2017.10.1101/159756Search in Google Scholar

[7] Y. Bengio, L. Yao, G. Alain, and P. Vincent. Generalized denoising auto-encoders as generative models. In NIPS, 2013.Search in Google Scholar

[8] D. Berthelot, T. Schumm, and L. Metz. BEGAN: Boundary Equilibrium Generative Adversarial Networks. arXiv 1703.10717, 2017.Search in Google Scholar

[9] K. Bonawitz, V. Ivanov, B. Kreuter, A. Marcedone, H. B. McMahan, S. Patel, D. Ramage, A. Segal, and K. Seth. Practical secure aggregation for privacy preserving machine learning. In CCS, 2017.10.1145/3133956.3133982Search in Google Scholar

[10] J. A. Calandrino, A. Kilzer, A. Narayanan, E. W. Felten, and V. Shmatikov. “You Might Also Like:” Privacy Risks of Collaborative Filtering. In IEEE Security and Privacy, 2011.10.1109/SP.2011.40Search in Google Scholar

[11] N. Carlini, C. Liu, J. Kos, Ú. Erlingsson, and D. Song. The Secret Sharer: Measuring Unintended Neural Network Memorization & Extracting Secrets. arXiv:1802.08232, 2018.Search in Google Scholar

[12] S. Chintala, E. Denton, M. Arjovsky, and M. Mathieu. How to Train a GAN? Tips and tricks to make GANs work. https://github.com/soumith/ganhacks, Year.Search in Google Scholar

[13] E. Choi, S. Biswal, B. Malin, J. Duke, W. F. Stewart, and J. Sun. Generating Multi-label Discrete Electronic Health Records using Generative Adversarial Networks. In Machine Learning for Healthcare, 2017.Search in Google Scholar

[14] N. Dowlin, R. Gilad-Bachrach, K. Laine, K. Lauter, M. Naehrig, and J. Wernsing. Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy. In ICML, 2016.Search in Google Scholar

[15] W. Du, Y. S. Han, and S. Chen. Privacy-preserving multivariate statistical analysis: Linear regression and classification. In ICDM, 2004.10.1137/1.9781611972740.21Search in Google Scholar

[16] C. Dwork. Differential privacy: A survey of results. In Theory and Applications of Models of Computation, 2008.Search in Google Scholar

[17] C. Dwork, V. Feldman, M. Hardt, T. Pitassi, O. Reingold, and A. Roth. Generalization in adaptive data analysis and holdout reuse. In NIPS, 2015.Search in Google Scholar

[18] M. Fredrikson, S. Jha, and T. Ristenpart. Model inversion attacks that exploit confidence information and basic countermeasures. In CCS, 2015.10.1145/2810103.2813677Search in Google Scholar

[19] M. Fredrikson, E. Lantz, S. Jha, S. Lin, D. Page, and T. Ristenpart. Privacy in pharmacogenetics: An end-to-end case study of personalized warfarin dosing. In USENIX Security, 2014.Search in Google Scholar

[20] I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio. Generative adversarial nets. In NIPS, 2014.Search in Google Scholar

[21] I. Gulrajani, F. Ahmed, M. Arjovsky, V. Dumoulin, and A. Courville. Improved training of Wasserstein GANs. In ICLR (Posters), 2018.Search in Google Scholar

[22] G. Hinton, O. Vinyals, and J. Dean. Distilling the knowledge in a neural network. arXiv 1503.02531, 2015.Search in Google Scholar

[23] B. Hitaj, G. Ateniese, and F. Perez-Cruz. Deep Models Under the GAN: Information Leakage from Collaborative Deep Learning. In CCS, 2017.10.1145/3133956.3134012Search in Google Scholar

[24] N. Homer, S. Szelinger, M. Redman, D. Duggan, W. Tembe, J. Muehling, J. V. Pearson, D. A. Stephan, S. F. Nelson, and D. W. Craig. Resolving individuals contributing trace amounts of DNA to highly complex mixtures using high-density SNP genotyping microarrays. PLoS Genet, 2008.10.1371/journal.pgen.1000167251619918769715Search in Google Scholar

[25] G. B. Huang, M. Ramesh, T. Berg, and E. Learned-Miller. Labeled Faces in the Wild: A Database for Studying Face Recognition in Unconstrained Environments. Technical report, University of Massachusetts, Amherst, 2007. http://vis-www.cs.umass.edu/lfw/lfw.pdf.Search in Google Scholar

[26] S. Ioffe and C. Szegedy. Batch normalization: Accelerating deep network training by reducing internal covariate shift. In International Conference on Machine Learning, 2015.Search in Google Scholar

[27] S. Ji, W. Li, N. Z. Gong, P. Mittal, and R. A. Beyah. On your social network de-anonymizablity: Quantification and large scale evaluation with seed knowledge. In NDSS, 2015.10.14722/ndss.2015.23096Search in Google Scholar

[28] J. Jia and N. Z. Gong. Attriguard: A practical defense against attribute inference attacks via adversarial machine learning. In USENIX Security, 2018.Search in Google Scholar

[29] Kaggle.com. Diabetic Retinopathy Detection. https://www.kaggle.com/c/diabetic-retinopathy-detection#references, 2015.Search in Google Scholar

[30] A. Karpathy, P. Abbeel, G. Brockman, P. Chen, V. Cheung, R. Duan, I. Goodfellow, D. Kingma, J. Ho, R. Houthooft, T. Salimans, J. Schulman, I. Sutskever, and W. Zaremba. Generative Models. https://blog.openai.com/generative-models/, 2017.Search in Google Scholar

[31] D. P. Kingma and M. Welling. Auto-Encoding Variational Bayes. In ICLR, 2013.Search in Google Scholar

[32] A. Krizhevsky and G. Hinton. Learning multiple layers of features from tiny images. Technical report, University of Toronto, 2009. https://www.cs.toronto.edu/fflkriz/learning-features-2009-TR.pdf.Search in Google Scholar

[33] M. J. Kusner, J. R. Gardner, R. Garnett, and K. Q. Weinberger. Differentially Private Bayesian Optimization. In ICML, 2015.Search in Google Scholar

[34] A. B. L. Larsen, S. K. Sønderby, H. Larochelle, and O. Winther. Autoencoding beyond pixels using a learned similarity metric. In ICLM, 2016.Search in Google Scholar

[35] C. Ledig, L. Theis, F. Huszár, J. Caballero, A. Cunningham, A. Acosta, A. Aitken, A. Tejani, J. Totz, Z. Wang, et al. Photo-realistic single image super-resolution using a generative adversarial network. arXiv 1609.04802, 2016.Search in Google Scholar

[36] Y. Lindell and B. Pinkas. Privacy preserving data mining. In CRYPTO, 2000.10.1007/3-540-44598-6_3Search in Google Scholar

[37] Y. Long, V. Bindschaedler, L. Wang, D. Bu, X. Wang, H. Tang, C. A. Gunter, and K. Chen. Understanding Membership Inferences on Well-Generalized Learning Models. arXiv:1802.04889, 2018.Search in Google Scholar

[38] M. Lucic, K. Kurach, M. Michalski, S. Gelly, and O. Bousquet. Are GANs Created Equal? A Large-Scale Study. ArXiv 1711.10337, 2017.Search in Google Scholar

[39] H. B. McMahan, E. Moore, D. Ramage, S. Hampson, et al. Communication-efficient learning of deep networks from decentralized data. In AISTATS, 2017.Search in Google Scholar

[40] F. McSherry. Statistical inference considered harmful. https://github.com/frankmcsherry/blog/blob/master/posts/2016-06-14.md, 2016.Search in Google Scholar

[41] L. Melis, C. Song, E. De Cristofaro, and V. Shmatikov. Inference Attacks Against Collaborative Learning. arXiv:1805.04049, 2018.Search in Google Scholar

[42] A. Narayanan and V. Shmatikov. De-anonymizing social networks. In IEEE Security and Privacy, 2009.10.1109/SP.2009.22Search in Google Scholar

[43] M. Nasr, R. Shokri, and A. Houmansadr. Machine Learning with Membership Privacy using Adversarial Regularization. In ACM CCS, 2018.10.1145/3243734.3243855Search in Google Scholar

[44] D. Nie, R. Trullo, C. Petitjean, S. Ruan, and D. Shen. Medical Image Synthesis with Context-Aware Generative Adversarial Networks. In MICCAI, 2017.10.1007/978-3-319-66179-7_48604445930009283Search in Google Scholar

[45] otoro.net. Generating Large Images from Latent Vectors. http://blog.otoro.net/2016/04/01/generating-large-images-from-latent-vectors/, 2016.Search in Google Scholar

[46] N. Papernot, M. Abadi, Ú. Erlingsson, I. Goodfellow, and K. Talwar. Semi-supervised knowledge transfer for deep learning from private training data. In ICLR, 2017.Search in Google Scholar

[47] N. Papernot, P. McDaniel, X. Wu, S. Jha, and A. Swami. Distillation as a defense to adversarial perturbations against deep neural networks. In IEEE Security and Privacy, 2016.10.1109/SP.2016.41Search in Google Scholar

[48] N. Papernot, S. Song, I. Mironov, A. Raghunathan, K. Talwar, and Ú. Erlingsson. Scalable Private Learning with PATE. In ICLR, 2018.Search in Google Scholar

[49] A. Pyrgelis, C. Troncoso, and E. De Cristofaro. What Does The Crowd Say About You? Evaluating Aggregation-based Location Privacy. In PETS, 2017.10.1515/popets-2017-0043Search in Google Scholar

[50] A. Pyrgelis, C. Troncoso, and E. De Cristofaro. Knock Knock, Who’s There? Membership Inference on Aggregate Location Data. In NDSS, 2018.10.14722/ndss.2018.23183Search in Google Scholar

[51] J. Qian, X.-Y. Li, C. Zhang, and L. Chen. De-anonymizing social networks and inferring private attributes using knowledge graphs. In INFOCOM, 2016.10.1109/INFOCOM.2016.7524578Search in Google Scholar

[52] A. Radford, L. Metz, and S. Chintala. Unsupervised representation learning with deep convolutional generative adversarial networks. arXiv 1511.06434, 2015.Search in Google Scholar

[53] M. A. Rahman, T. Rahman, R. Laganiere, N. Mohammed, and Y. Wang. Membership Inference Attack against Differentially Private Deep Learning Model. Transactions on Data Privacy, 2018.Search in Google Scholar

[54] T. Salimans, I. Goodfellow, W. Zaremba, V. Cheung, A. Rad-ford, X. Chen, and X. Chen. Improved Techniques for Training GANs. In NIPS, 2016.Search in Google Scholar

[55] T. Salimans and D. P. Kingma. Weight normalization: A simple reparameterization to accelerate training of deep neural networks. In NIPS, 2016.Search in Google Scholar

[56] R. Shokri and V. Shmatikov. Privacy-preserving deep learning. In CCS, 2015.10.1145/2810103.2813687Search in Google Scholar

[57] R. Shokri, M. Stronati, C. Song, and V. Shmatikov. Membership inference attacks against machine learning models. In IEEE Security and Privacy, 2017.10.1109/SP.2017.41Search in Google Scholar

[58] C. Song, T. Ristenpart, and V. Shmatikov. Machine learning models that remember too much. In ACM CCS, 2017.10.1145/3133956.3134077Search in Google Scholar

[59] N. Srivastava, G. E. Hinton, A. Krizhevsky, I. Sutskever, and R. Salakhutdinov. Dropout: a simple way to prevent neural networks from overfitting. Journal of machine learning research, 2014.Search in Google Scholar

[60] L. Theis, W. Shi, A. Cunningham, and F. Huszár. Lossy image compression with compressive autoencoders. In ICLR, 2017.Search in Google Scholar

[61] F. Tramèr, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart. Stealing machine learning models via prediction apis. In USENIX Security, 2016.Search in Google Scholar

[62] A. Triastcyn and B. Faltings. Generating differentially private datasets using gans. arXiv preprint arXiv:1803.03148, 2018.Search in Google Scholar

[63] S. Truex, L. Liu, M. E. Gursoy, L. Yu, and W. Wei. Towards Demystifying Membership Inference Attacks. arXiv:1807.09173, 2018.Search in Google Scholar

[64] J. Vincent. https://www.theverge.com/2016/7/5/12095830/google-deepmind-nhs-eye-disease-detection, 2016.Search in Google Scholar

[65] M. J. Wainwright, M. I. Jordan, and J. C. Duchi. Privacy aware learning. In Advances in Neural Information Processing Systems, 2012.Search in Google Scholar

[66] X. Wu, M. Fredrikson, W. Wu, S. Jha, and J. F. Naughton. Revisiting differentially private regression: Lessons from learning theory and their consequences. arXiv 1512.06388, 2015.Search in Google Scholar

[67] X. Wu and X. Zhang. Automated Inference on Criminality using Face Images. arXiv 1611.04135, 2016.Search in Google Scholar

[68] Y. Wu, Y. Burda, R. Salakhutdinov, and R. Grosse. On the Quantitative Analysis of Decoder-Based Generative Models. In ICLR (Poster), 2017.Search in Google Scholar

[69] R. Yeh, C. Chen, T. Y. Lim, M. Hasegawa-Johnson, and M. N. Do. Semantic Image Inpainting with Perceptual and Contextual Losses. arXiv 1607.07539, 2016.Search in Google Scholar

[70] S. Yeom, I. Giacomelli, M. Fredrikson, and S. Jha. Privacy risk in machine learning: Analyzing the connection to overfitting. In IEEE CSF, 2018.10.1109/CSF.2018.00027Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo