LOGAN: Membership Inference Attacks Against Generative Models

Jamie Hayes; Luca Melis; George Danezis; Emiliano De Cristofaro

doi:10.2478/popets-2019-0008

LOGAN: Membership Inference Attacks Against Generative Models

Proceedings on Privacy Enhancing Technologies ◽

10.2478/popets-2019-0008 ◽

2019 ◽

Vol 2019 (1) ◽

pp. 133-152 ◽

Cited By ~ 26

Author(s):

Jamie Hayes ◽

Luca Melis ◽

George Danezis ◽

Emiliano De Cristofaro

Keyword(s):

Diabetic Retinopathy ◽

State Of The Art ◽

Generative Models ◽

Black Box ◽

Mitigation Strategies ◽

Generative Adversarial Networks ◽

Underlying Distribution ◽

Target Model ◽

Adversarial Networks ◽

Inference Attacks

Abstract Generative models estimate the underlying distribution of a dataset to generate realistic samples according to that distribution. In this paper, we present the first membership inference attacks against generative models: given a data point, the adversary determines whether or not it was used to train the model. Our attacks leverage Generative Adversarial Networks (GANs), which combine a discriminative and a generative model, to detect overfitting and recognize inputs that were part of training datasets, using the discriminator’s capacity to learn statistical differences in distributions. We present attacks based on both white-box and black-box access to the target model, against several state-of-the-art generative models, over datasets of complex representations of faces (LFW), objects (CIFAR-10), and medical images (Diabetic Retinopathy). We also discuss the sensitivity of the attacks to different training parameters, and their robustness against mitigation strategies, finding that defenses are either ineffective or lead to significantly worse performances of the generative models in terms of training stability and/or sample quality.

Get full-text (via PubEx)

Generating Adversarial Examples with Adversarial Networks

Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence ◽

10.24963/ijcai.2018/543 ◽

2018 ◽

Cited By ~ 65

Author(s):

Chaowei Xiao ◽

Bo Li ◽

Jun-yan Zhu ◽

Warren He ◽

Mingyan Liu ◽

...

Keyword(s):

Deep Neural Networks ◽

State Of The Art ◽

Black Box ◽

Generative Adversarial Networks ◽

Perceptual Quality ◽

Small Magnitude ◽

Adversarial Networks ◽

Original Target ◽

Adversarial Examples ◽

Adversarial Training

Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.

Get full-text (via PubEx)

Black-Box Diagnosis and Calibration on GAN Intra-Mode Collapse: A Pilot Study

ACM Transactions on Multimedia Computing Communications and Applications ◽

10.1145/3472768 ◽

2021 ◽

Vol 17 (3s) ◽

pp. 1-18

Author(s):

Zhenyu Wu ◽

Zhaowen Wang ◽

Ye Yuan ◽

Jianming Zhang ◽

Zhangyang Wang ◽

...

Keyword(s):

State Of The Art ◽

Black Box ◽

Training Data ◽

Generative Adversarial Networks ◽

Small Scale ◽

Model Parameters ◽

Original Training ◽

Image Generation ◽

Adversarial Networks ◽

Calibration Techniques

Generative adversarial networks (GANs) nowadays are capable of producing images of incredible realism. Two concerns raised are whether the state-of-the-art GAN’s learned distribution still suffers from mode collapse and what to do if so. Existing diversity tests of samples from GANs are usually conducted qualitatively on a small scale and/or depend on the access to original training data as well as the trained model parameters. This article explores GAN intra-mode collapse and calibrates that in a novel black-box setting: access to neither training data nor the trained model parameters is assumed. The new setting is practically demanded yet rarely explored and significantly more challenging. As a first stab, we devise a set of statistical tools based on sampling that can visualize, quantify, and rectify intra-mode collapse . We demonstrate the effectiveness of our proposed diagnosis and calibration techniques, via extensive simulations and experiments, on unconditional GAN image generation (e.g., face and vehicle). Our study reveals that the intra-mode collapse is still a prevailing problem in state-of-the-art GANs and the mode collapse is diagnosable and calibratable in black-box settings. Our codes are available at https://github.com/VITA-Group/BlackBoxGANCollapse .

Get full-text (via PubEx)

A Deep Generative Model for Code Switched Text

Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence ◽

10.24963/ijcai.2019/719 ◽

2019 ◽

Cited By ~ 1

Author(s):

Bidisha Samanta ◽

Sharmila Reddy ◽

Hussain Jagirdar ◽

Niloy Ganguly ◽

Soumen Chakrabarti

Keyword(s):

State Of The Art ◽

Generative Models ◽

Code Switching ◽

Language Models ◽

Generative Adversarial Networks ◽

Data Intensive ◽

Adversarial Networks ◽

Latent Space ◽

Variational Autoencoder ◽

Multilingual Societies

Code-switching, the interleaving of two or more languages within a sentence or discourse is pervasive in multilingual societies. Accurate language models for code-switched text are critical for NLP tasks. State-of-the-art data-intensive neural language models are difficult to train well from scarce language-labeled code-switched text. A potential solution is to use deep generative models to synthesize large volumes of realistic code-switched text. Although generative adversarial networks and variational autoencoders can synthesize plausible monolingual text from continuous latent space, they cannot adequately address code-switched text, owing to their informal style and complex interplay between the constituent languages. We introduce VACS, a novel variational autoencoder architecture specifically tailored to code-switching phenomena. VACS encodes to and decodes from a two-level hierarchical representation, which models syntactic contextual signals in the lower level, and language switching signals in the upper layer. Sampling representations from the prior and decoding them produced well-formed, diverse code-switched sentences. Extensive experiments show that using synthetic code-switched text with natural monolingual data results in significant (33.06\%) drop in perplexity.

Get full-text (via PubEx)

Generative Adversarial Networks (GANs)

ACM Computing Surveys ◽

10.1145/3446374 ◽

2021 ◽

Vol 54 (3) ◽

pp. 1-42

Author(s):

Divya Saxena ◽

Jiannong Cao

Keyword(s):

Optimization Technique ◽

Generative Models ◽

Generative Adversarial Networks ◽

Network Architectures ◽

Research Directions ◽

Research Issues ◽

Design And Optimization ◽

Adversarial Networks ◽

Comprehensive Survey ◽

Selection Of

Generative Adversarial Networks (GANs) is a novel class of deep generative models that has recently gained significant attention. GANs learn complex and high-dimensional distributions implicitly over images, audio, and data. However, there exist major challenges in training of GANs, i.e., mode collapse, non-convergence, and instability, due to inappropriate design of network architectre, use of objective function, and selection of optimization algorithm. Recently, to address these challenges, several solutions for better design and optimization of GANs have been investigated based on techniques of re-engineered network architectures, new objective functions, and alternative optimization algorithms. To the best of our knowledge, there is no existing survey that has particularly focused on the broad and systematic developments of these solutions. In this study, we perform a comprehensive survey of the advancements in GANs design and optimization solutions proposed to handle GANs challenges. We first identify key research issues within each design and optimization technique and then propose a new taxonomy to structure solutions by key research issues. In accordance with the taxonomy, we provide a detailed discussion on different GANs variants proposed within each solution and their relationships. Finally, based on the insights gained, we present promising research directions in this rapidly growing field.

Get full-text (via PubEx)

Improving Skin Lesion Analysis with Generative Adversarial Networks

10.5753/sibgrapi.est.2020.12986 ◽

2020 ◽

Author(s):

Alceu Bissoto ◽

Sandra Avila

Keyword(s):

Skin Lesion ◽

State Of The Art ◽

Synthetic Data ◽

Clinical Information ◽

Analysis Data ◽

Training Dataset ◽

Generative Adversarial Networks ◽

Classification Models ◽

Adversarial Networks ◽

Lesion Analysis

Melanoma is the most lethal type of skin cancer. Early diagnosis is crucial to increase the survival rate of those patients due to the possibility of metastasis. Automated skin lesion analysis can play an essential role by reaching people that do not have access to a specialist. However, since deep learning became the state-of-the-art for skin lesion analysis, data became a decisive factor in pushing the solutions further. The core objective of this M.Sc. dissertation is to tackle the problems that arise by having limited datasets. In the first part, we use generative adversarial networks to generate synthetic data to augment our classification model’s training datasets to boost performance. Our method generates high-resolution clinically-meaningful skin lesion images, that when compound our classification model’s training dataset, consistently improved the performance in different scenarios, for distinct datasets. We also investigate how our classification models perceived the synthetic samples and how they can aid the model’s generalization. Finally, we investigate a problem that usually arises by having few, relatively small datasets that are thoroughly re-used in the literature: bias. For this, we designed experiments to study how our models’ use data, verifying how it exploits correct (based on medical algorithms), and spurious (based on artifacts introduced during image acquisition) correlations. Disturbingly, even in the absence of any clinical information regarding the lesion being diagnosed, our classification models presented much better performance than chance (even competing with specialists benchmarks), highly suggesting inflated performances.

Get full-text (via PubEx)

Conditional Wasserstein Generative Adversarial Networks for Fast Detector Simulation

EPJ Web of Conferences ◽

10.1051/epjconf/202125103055 ◽

2021 ◽

Vol 251 ◽

pp. 03055

Author(s):

John Blue ◽

Braden Kronheim ◽

Michelle Kuchera ◽

Raghuram Ramanujan

Keyword(s):

High Energy Physics ◽

High Energy ◽

Generative Models ◽

Generative Adversarial Networks ◽

Detector Response ◽

Event Simulation ◽

Simulation Process ◽

Adversarial Networks ◽

Wide Range ◽

Detector Simulation

Detector simulation in high energy physics experiments is a key yet computationally expensive step in the event simulation process. There has been much recent interest in using deep generative models as a faster alternative to the full Monte Carlo simulation process in situations in which the utmost accuracy is not necessary. In this work we investigate the use of conditional Wasserstein Generative Adversarial Networks to simulate both hadronization and the detector response to jets. Our model takes the 4-momenta of jets formed from partons post-showering and pre-hadronization as inputs and predicts the 4-momenta of the corresponding reconstructed jet. Our model is trained on fully simulated tt events using the publicly available GEANT-based simulation of the CMS Collaboration. We demonstrate that the model produces accurate conditional reconstructed jet transverse momentum (pT) distributions over a wide range of pT for the input parton jet. Our model takes only a fraction of the time necessary for conventional detector simulation methods, running on a CPU in less than a millisecond per event.

Get full-text (via PubEx)

Multi-Turn Chatbot Based on Query-Context Attentions and Dual Wasserstein Generative Adversarial Networks

Applied Sciences ◽

10.3390/app9183908 ◽

2019 ◽

Vol 9 (18) ◽

pp. 3908 ◽

Cited By ~ 3

Author(s):

Jintae Kim ◽

Shinhyeok Oh ◽

Oh-Woog Kwon ◽

Harksoo Kim

Keyword(s):

Performance Measures ◽

State Of The Art ◽

Attention Mechanism ◽

Generative Adversarial Networks ◽

Training Method ◽

Adversarial Networks ◽

Proposed Model ◽

Previous State ◽

Vector Representations

To generate proper responses to user queries, multi-turn chatbot models should selectively consider dialogue histories. However, previous chatbot models have simply concatenated or averaged vector representations of all previous utterances without considering contextual importance. To mitigate this problem, we propose a multi-turn chatbot model in which previous utterances participate in response generation using different weights. The proposed model calculates the contextual importance of previous utterances by using an attention mechanism. In addition, we propose a training method that uses two types of Wasserstein generative adversarial networks to improve the quality of responses. In experiments with the DailyDialog dataset, the proposed model outperformed the previous state-of-the-art models based on various performance measures.

Get full-text (via PubEx)

InvNet: Encoding Geometric and Statistical Invariances in Deep Generative Models

Proceedings of the AAAI Conference on Artificial Intelligence ◽

10.1609/aaai.v34i04.5863 ◽

2020 ◽

Vol 34 (04) ◽

pp. 4377-4384

Author(s):

Ameya Joshi ◽

Minsu Cho ◽

Viraj Shah ◽

Balaji Pokuri ◽

Soumik Sarkar ◽

...

Keyword(s):

Image Data ◽

Generative Models ◽

Generative Adversarial Networks ◽

Complex Data ◽

Challenging Problem ◽

Two Phase ◽

Adversarial Networks ◽

Generative Modeling ◽

Lack Of Control ◽

Real World Problems

Generative Adversarial Networks (GANs), while widely successful in modeling complex data distributions, have not yet been sufficiently leveraged in scientific computing and design. Reasons for this include the lack of flexibility of GANs to represent discrete-valued image data, as well as the lack of control over physical properties of generated samples. We propose a new conditional generative modeling approach (InvNet) that efficiently enables modeling discrete-valued images, while allowing control over their parameterized geometric and statistical properties. We evaluate our approach on several synthetic and real world problems: navigating manifolds of geometric shapes with desired sizes; generation of binary two-phase materials; and the (challenging) problem of generating multi-orientation polycrystalline microstructures.

Get full-text (via PubEx)

Learning Generative Adversarial Networks from Multiple Data Sources

Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence ◽

10.24963/ijcai.2019/391 ◽

2019 ◽

Cited By ~ 2

Author(s):

Trung Le ◽

Quan Hoang ◽

Hung Vu ◽

Tu Dinh Nguyen ◽

Hung Bui ◽

...

Keyword(s):

Generative Models ◽

Data Sources ◽

Black Hair ◽

Primary Data ◽

Generative Adversarial Networks ◽

Auxiliary Data ◽

Adversarial Networks ◽

Multiple Data ◽

Data Source ◽

Push And Pull

Generative Adversarial Networks (GANs) are a powerful class of deep generative models. In this paper, we extend GAN to the problem of generating data that are not only close to a primary data source but also required to be different from auxiliary data sources. For this problem, we enrich both GANs' formulations and applications by introducing pushing forces that thrust generated samples away from given auxiliary data sources. We term our method Push-and-Pull GAN (P2GAN). We conduct extensive experiments to demonstrate the merit of P2GAN in two applications: generating data with constraints and addressing the mode collapsing problem. We use CIFAR-10, STL-10, and ImageNet datasets and compute Fréchet Inception Distance to evaluate P2GAN's effectiveness in addressing the mode collapsing problem. The results show that P2GAN outperforms the state-of-the-art baselines. For the problem of generating data with constraints, we show that P2GAN can successfully avoid generating specific features such as black hair.

Get full-text (via PubEx)

CAGAN: Consistent Adversarial Training Enhanced GANs

Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence ◽

10.24963/ijcai.2018/359 ◽

2018 ◽

Cited By ~ 1

Author(s):

Yao Ni ◽

Dandan Song ◽

Xi Zhang ◽

Hao Wu ◽

Lejian Liao

Keyword(s):

Neural Network ◽

Parameter Space ◽

Supervised Classification ◽

State Of The Art ◽

Generative Adversarial Networks ◽

Image Generation ◽

Real Samples ◽

Adversarial Networks ◽

Novel Approach ◽

Adversarial Training

Generative adversarial networks (GANs) have shown impressive results, however, the generator and the discriminator are optimized in finite parameter space which means their performance still need to be improved. In this paper, we propose a novel approach of adversarial training between one generator and an exponential number of critics which are sampled from the original discriminative neural network via dropout. As discrepancy between outputs of different sub-networks of a same sample can measure the consistency of these critics, we encourage the critics to be consistent to real samples and inconsistent to generated samples during training, while the generator is trained to generate consistent samples for different critics. Experimental results demonstrate that our method can obtain state-of-the-art Inception scores of 9.17 and 10.02 on supervised CIFAR-10 and unsupervised STL-10 image generation tasks, respectively, as well as achieve competitive semi-supervised classification results on several benchmarks. Importantly, we demonstrate that our method can maintain stability in training and alleviate mode collapse.

Get full-text (via PubEx)