Cheng Zhuo,Di Gao,Liangwei Liu

DOI: https://doi.org/10.1109/tbdata.2022.3216566

2024-01-01

IEEE Transactions on Big Data

Abstract:The deployment of deep learning applications has to address the increasing privacy concerns when using private and sensitive data for training. A conventional deep learning model is prone to privacy attacks that can recover the sensitive information from either model parameters or accesses to the inference model. Recently, differential privacy (DP) has been proposed to offer provable privacy guarantees by randomizing the training process of neural networks. However, many approaches tend to provide the worst case privacy protection for model publishing, inevitably impairing the accuracy of the trained models. Thus, we present a novel private knowledge transfer strategy, where the private teacher trained on sensitive data is not publicly accessible but the student models can be released with privacy guarantees. In this paper, a three-player (teacher-student-discriminator) learning framework, Private Knowledge Distillation with Generative Adversarial Networks (PKDGAN), is proposed, where the student acquires the distilled knowledge from the teacher and is trained with the discriminator to generate similar outputs as the teacher. Moreover, a cooperative learning strategy is also suggested to support the collective training of multiple students against the discriminator when each student is with insufficient unlabelled training data. To enforce rigorous privacy guarantees, PKDGAN applies a Rényi differential privacy mechanism throughout the training process, and use it with a moment accountant technique to track the privacy cost. PKDGAN allows students to be trained with unlabelled public data and very few epochs, which avoids the exposure of training data while ensuring model performance. In the experiments, PKDGAN is found to have consistently good performance on various datasets (MNIST, SVHN, CIFAR-10, and Market-1501). When compared to prior works [1], [2], PKDGAN exhibits 5-82% accuracy loss improvement without compromising any privacy guarantee.

Bingzhe Wu,Shiwan Zhao,ChaoChao Chen,Haoyang Xu,Li Wang,Xiaolu Zhang,Guangyu Sun,Jun Zhou

DOI: https://doi.org/10.48550/arxiv.1908.07882

2019-01-01

Abstract:In this paper, we aim to understand the generalization properties of generative adversarial networks (GANs) from a new perspective of privacy protection. Theoretically, we prove that a differentially private learning algorithm used for training the GAN does not overfit to a certain degree, i.e., the generalization gap can be bounded. Moreover, some recent works, such as the Bayesian GAN, can be re-interpreted based on our theoretical insight from privacy protection. Quantitatively, to evaluate the information leakage of well-trained GAN models, we perform various membership attacks on these models. The results show that previous Lipschitz regularization techniques are effective in not only reducing the generalization gap but also alleviating the information leakage of the training dataset.

Ke Pan,Maoguo Gong,Yuan Gao

DOI: https://doi.org/10.1016/j.knosys.2023.110576

IF: 8.139

2023-07-01

Knowledge-Based Systems

Abstract:Generative adversarial networks (GANs) have become hugely popular by virtue of their impressive ability to generate realistic samples. Although GANs alleviate the arduous data-collection problem, they are prone to memorize training samples as a result of their complex model structure. Thus, GANs may not provide sufficient privacy guarantees, and there is a considerable chance of inadvertently divulging data privacy. To alleviate this issue, we design a privacy-enhanced GAN based on differential privacy. We first integrate truncated concentrated differential privacy technique into GAN for mitigating privacy leakage with tighter privacy bound. Then, according to different privacy demands of users in real-world scenarios, we design two adaptive noise allocation strategies, which enable us to dynamically inject noise into gradients at each iteration. Different strategies provide us with an intuitive handle to adopt a suitable strategy and achieve an elegant compromise between privacy and utility in distinct scenarios. Furthermore, we offer rigorous illustrations from the perspective of privacy preservation and privacy defense to demonstrate that our algorithm can fulfill differential privacy guarantees. Extensive experiments on real-world datasets manifest that our algorithm can generate high-quality samples while achieving an excellent trade-off between model performance and privacy guarantees.

computer science, artificial intelligence

Kaixiang Lin,Jiayu Zhou,Shu Wang,Liyang Xie,Fei Wang

2018-02-19

Abstract:Generative Adversarial Network (GAN) and its variants have recently attracted intensive research interests due to their elegant theoretical foundation and excellent empirical performance as generative models. These tools provide a promising direction in the studies where data availability is limited. One common issue in GANs is that the density of the learned generative distribution could concentrate on the training data points, meaning that they can easily remember training samples due to the high model complexity of deep networks. This becomes a major concern when GANs are applied to private or sensitive data such as patient medical records, and the concentration of distribution may divulge critical patient information. To address this issue, in this paper we propose a differentially private GAN (DPGAN) model, in which we achieve differential privacy in GANs by adding carefully designed noise to gradients during the learning procedure. We provide rigorous proof for the privacy guarantee, as well as comprehensive empirical evidence to support our analysis, where we demonstrate that our method can generate high quality data points at a reasonable privacy level.

Medicine,Mathematics,Computer Science

Xuebin Ma,Ren Yang,Maobo Zheng

DOI: https://doi.org/10.1109/msn57253.2022.00060

2022-01-01

Abstract:In recent years, artificial intelligence technology based on image data has been widely used in various industries. Rational analysis and mining of image data can not only promote the development of the technology field but also become a new engine to drive economic development. However, the privacy leakage problem has become more and more serious. To solve the privacy leakage problem of image data, this paper proposes the RDP-WGAN privacy protection framework, which deploys the Rényi differential privacy (RDP) protection techniques in the training process of generative adversarial networks to obtain a generative model with differential privacy. This generative model is used to generate an unlimited number of synthetic datasets to complete various data analysis tasks instead of sensitive datasets. Experimental results demonstrate that the RDP-WGAN privacy protection framework provides privacy protection for sensitive image datasets while ensuring the usefulness of the synthetic datasets.

Xinyue Zhang,Jiahao Ding,Sai Mounika Errapotu,Xiaoxia Huang,Pan Li,Miao Pan

DOI: https://doi.org/10.1109/globecom38437.2019.9014134

2019-01-01

Abstract:In recent years, generative adversarial network (GAN) has attracted great attention due to its impressive performance and potential numerous applications, such as data augmentation, real-like image synthesis, image compression improvement, etc. The generator in GAN learns the density of the distribution from real data in order to generate high fidelity fake samples from latent space and deceive the discriminator. Despite its advantages, GAN can easily memorize training samples because of the high model complexity of deep neural networks. Thus, training a GAN with sensitive or private data samples may compromise the privacy of training data. To address this privacy issue, we propose a novel \textit{Privacy Preserving Generative Adversarial Network} (PPGAN) that perturbs the objective function of discriminator by injecting Laplace noises based on functional mechanism to guarantee the differential privacy of training data. Since generator training is considered as a post-processing step while guaranteeing differential privacy of discriminator, the trained generator should be differentially private to effectively protect data samples. Through detailed privacy analysis, we theoretically prove that PPGAN can provide such strict differential privacy guarantee. With extensive simulation study on the benchmark dataset MNIST, we show the efficacy of the proposed PPGAN under practical privacy budgets.

Di Gao,Cheng Zhuo

DOI: https://doi.org/10.3233/FAIA200294

2020-01-01

Abstract:The deployment of deep learning applications has to address the growing privacy concerns when using private and sensitive data for training. A conventional deep learning model is prone to privacy attacks that can recover the sensitive information of individuals from either model parameters or accesses to the target model. Recently, differential privacy that offers provable privacy guarantees has been proposed to train neural networks in a privacy-preserving manner to protect training data. However, many approaches tend to provide the worst case privacy guarantees for model publishing, inevitably impairing the accuracy of the trained models. In this paper, we present a novel private knowledge transfer strategy, where the private teacher trained on sensitive data is not publicly accessible but teaches a student to be publicly released. In particular, a three-player (teacher-student-discriminator) learning framework is proposed to achieve trade-off between utility and privacy, where the student acquires the distilled knowledge from the teacher and is trained with the discriminator to generate similar outputs as the teacher. We then integrate a differential privacy protection mechanism into the learning procedure, which enables a rigorous privacy budget for the training. The framework eventually allows student to be trained with only unlabelled public data and very few epochs, and hence prevents the exposure of sensitive training data, while ensuring model utility with a modest privacy budget. The experiments on MNIST, SVHN and CIFAR-10 datasets show that our students obtain the accuracy losses w.r.t teachers of 0.89%, 2.29%, 5.16%, respectively with the privacy bounds of (1.93, 10(-5)), (5.02, 10(-6)), (8.81, 10(-6)). When compared with the existing works [15, 20], the proposed work can achieve 582% accuracy loss improvement.

Chugui Xu,Ju Ren,Deyu Zhang,Yaoxue Zhang,Zhan Qin,Kui Ren

DOI: https://doi.org/10.1109/tifs.2019.2897874

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:By learning generative models of semantic-rich data distributions from samples, generative adversarial network (GAN) has recently attracted intensive research interests due to its excellent empirical performance as a generative model. The model is used to estimate the underlying distribution of a dataset and randomly generate realistic samples according to their estimated distribution. However, GANs can easily remember training samples due to the high model complexity of deep networks. When GANs are applied to private or sensitive data, the concentration of distribution may divulge some critical information. It consequently requires new technological advances to mitigate the information leakage under GANs. To address this issue, we propose GANobfuscator, a differentially private GAN, which can achieve differential privacy under GANs by adding carefully designed noise to gradients during the learning procedure. With GANobfuscator, analysts are able to generate an unlimited amount of synthetic data for arbitrary analysis tasks without disclosing the privacy of training data. Moreover, we theoretically prove that GANobfuscator can provide strict privacy guarantee with differential privacy. In addition, we develop a gradient-pruning strategy for GANobfuscator to improve the scalability and stability of data training. Through extensive experimental evaluation on benchmark datasets, we demonstrate that GANobfuscator can produce high-quality generated data and retain desirable utility under practical privacy budgets.

Yi Liu,Jialiang Peng,James J.Q Yu,Yi Wu

DOI: https://doi.org/10.1109/ICPADS47876.2019.00150

2019-10-05

Abstract:Generative Adversarial Network (GAN) and its variants serve as a perfect representation of the data generation model, providing researchers with a large amount of high-quality generated data. They illustrate a promising direction for research with limited data availability. When GAN learns the semantic-rich data distribution from a dataset, the density of the generated distribution tends to concentrate on the training data. Due to the gradient parameters of the deep neural network contain the data distribution of the training samples, they can easily remember the training samples. When GAN is applied to private or sensitive data, for instance, patient medical records, as private information may be leakage. To address this issue, we propose a Privacy-preserving Generative Adversarial Network (PPGAN) model, in which we achieve differential privacy in GANs by adding well-designed noise to the gradient during the model learning procedure. Besides, we introduced the Moments Accountant strategy in the PPGAN training process to improve the stability and compatibility of the model by controlling privacy loss. We also give a mathematical proof of the differential privacy discriminator. Through extensive case studies of the benchmark datasets, we demonstrate that PPGAN can generate high-quality synthetic data while retaining the required data available under a reasonable privacy budget.

Machine Learning

Ren Yang,Xuebin Ma,Xiangyu Bai,Xiangdong Su

DOI: https://doi.org/10.1109/trustcom50675.2020.00232

2020-01-01

Abstract:In recent years, as image data are widely used in data analysis tasks, the problem of privacy disclosure is becoming more and more serious. However, the privacy protection technology of image data is still immature. In this paper, we propose a privacy protection framework named dp-WGAN for image data. This framework uses differential privacy and generative adversarial network to train a generative model with privacy protection function. Using this generative model, synthetic data with similar characteristics to sensitive data can be obtained, and synthetic data is published instead sensitive data to complete all kinds of data analysis tasks. Through extensive empirical evaluation on benchmark datasets, we demonstrate that dp-WGAN can provide strong privacy protection for sensitive data and produce high-quality synthetic data.

Haoran Sun,Jinchuan Tang,Shuping Dang,Gaojie Chen

DOI: https://doi.org/10.1016/j.eswa.2024.125181

IF: 8.5

2024-09-01

Expert Systems with Applications

Abstract:Differential privacy (DP) generative adversarial networks (GANs) can generate protected synthetic samples from downstream analysis. However, training on unbalanced datasets can bias the network towards majority classes, leading minority undertrained. Meanwhile, gradient perturbation in DP has no guarantee for perfect protection on the data point. Due to noisy gradients, the training can converge to a suboptimum, or offer no protection when encountering a noise equilibrium. To address the above issues, this work proposes a balanced Two-Stage DP-GAN (TS-DPGAN) framework. In Stage I, we use a data balancing algorithm with sampling techniques to reduce the bias and learn features from previously undertrained classes. Compared to a sampling strategy with fixed reference, a reference interval is introduced to reduce duplication in oversampling and information loss in undersampling. Then, the framework directly perturbs the balanced samples rather than gradients to achieve data-wise DP and improve sample diversity. Since data balancing uniformizes distribution, a feature-holding strategy was used in Stage II to keep important features from Stage I while restoring the original data distribution. Simulations show our framework outperforms other when compared with the SOTA algorithms on image quality, distribution maintaining, and convergence.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Xinyang Zhang,Shouling Ji,Ting Wang

DOI: https://doi.org/10.48550/arxiv.1801.01594

2018-01-01

Abstract:Privacy-preserving releasing of complex data (e.g., image, text, audio) represents a long-standing challenge for the data mining research community. Due to rich semantics of the data and lack of a priori knowledge about the analysis task, excessive sanitization is often necessary to ensure privacy, leading to significant loss of the data utility. In this paper, we present dp-GAN, a general private releasing framework for semantic-rich data. Instead of sanitizing and then releasing the data, the data curator publishes a deep generative model which is trained using the original data in a differentially private manner; with the generative model, the analyst is able to produce an unlimited amount of synthetic data for arbitrary analysis tasks. In contrast of alternative solutions, dp-GAN highlights a set of key features: (i) it provides theoretical privacy guarantee via enforcing the differential privacy principle; (ii) it retains desirable utility in the released model, enabling a variety of otherwise impossible analyses; and (iii) most importantly, it achieves practical training scalability and stability by employing multi-fold optimization strategies. Through extensive empirical evaluation on benchmark datasets and analyses, we validate the efficacy of dp-GAN.

Lihe Hou,Weiwei Ni,Sen Zhang,Nan Fu,Dongyue Zhang

DOI: https://doi.org/10.1109/tnsm.2023.3280916

2023-01-01

Abstract:Many real-world networks can be represented as weighted graphs, where weights represent the closeness or importance of relationships between node pairs. Sharing these graphs is beneficial for many applications while potentially leading to privacy breaches. Variants of deep learning approaches have been developed for synthetic graph publishing, but privacy-preserving graph (especially weighted graph) publishing has not been fully addressed. To bridge this gap, we propose WDP-GAN, a generative adversarial network (GAN) based privacy-preserving weighted graph generation approach, which can generate unlimited synthetic graphs of a given weighted graph while ensuring individual privacy. To do this, we devise a new node sequence sampling method to generate the training set while preserving both the edge weight and topological structure of the original graph. Moreover, we apply the bi-directional long-short term memory (Bi-LSTM) network to capture the interdependence of node pairs. WDP-GAN then approximates the edge weight information using the frequencies of edges produced by the generator. Furthermore, we propose an adaptive gradient perturbation algorithm to improve the speed and stability of the training process while ensuring individual privacy. Theoretical analysis and experiments on real-world network datasets show that WDP-GAN can generate graphs that effectively preserve structural utility while satisfying differential privacy.

Jiacheng Zhao,Xiuming Zhao,Zhihua Gan,Xiuli Chai,Tianfeng Ma,Zhen Chen

DOI: https://doi.org/10.1007/s00530-024-01425-6

IF: 3.9

2024-01-01

Multimedia Systems

Abstract:The rise of online sharing platforms has provided people with diverse and convenient ways to share images. However, a substantial amount of sensitive user information is contained within these images, which can be easily captured by malicious neural networks. To ensure the secure utilization of authorized protected data, reversible adversarial attack techniques have emerged. Existing algorithms for generating adversarial examples do not strike a good balance between visibility and attack capability. Additionally, the network oscillations generated during the training process affect the quality of the final examples. To address these shortcomings, we propose a novel reversible adversarial network based on generative adversarial networks (RA-RevGAN). In this paper, the generator is used for noise generation to map features into perturbations of the image, while the region selection module confines these perturbations to specific areas that significantly affect classification. Furthermore, a robust attack mechanism is integrated into the discriminator to stabilize the network’s training by optimizing convergence speed and minimizing time cost. Extensive experiments have demonstrated that the proposed method ensures a high image generation rate, excellent attack capability, and superior visual quality while maintaining high classification accuracy in image restoration.

Dongjie Chen,Sen-ching Samson Cheung,Chen-Nee Chuah,Sally Ozonoff

DOI: https://doi.org/10.1109/WIFS53200.2021.9648378

2022-10-27

Abstract:To protect sensitive data in training a Generative Adversarial Network (GAN), the standard approach is to use differentially private (DP) stochastic gradient descent method in which controlled noise is added to the gradients. The quality of the output synthetic samples can be adversely affected and the training of the network may not even converge in the presence of these noises. We propose Differentially Private Model Inversion (DPMI) method where the private data is first mapped to the latent space via a public generator, followed by a lower-dimensional DP-GAN with better convergent properties. Experimental results on standard datasets CIFAR10 and SVHN as well as on a facial landmark dataset for Autism screening show that our approach outperforms the standard DP-GAN method based on Inception Score, Fréchet Inception Distance, and classification accuracy under the same privacy guarantee.

Machine Learning,Cryptography and Security

Sen Zhang,Weiwei Ni,Nan Fu

DOI: https://doi.org/10.1016/j.cose.2021.102285

2021-07-01

Abstract:<p>The goal of privacy-preserving graph publishing is to protect individual privacy in released graph data while preserving data utility. Degree distribution, serving as fundamental operations for many graph analysis tasks, is a crucial data utility. Yet, existing methods using differential privacy (DP) cannot well preserve degree distribution, since they distill a graph into a set of structural statistics (e.g. <span class="math"><math>dK</math></span>-series, etc.) that only captures local degree correlations, and require massive noise added to mask the change of a single edge. Recently Generative Adversarial Network for graphs (NetGAN) plays a key role in machine learning, due to its ability to capture the local and global degree distribution of the graph via biased random walks. Further, it allows us to move the burden of privacy-preserving to the learning procedure of its discriminator, rather than the extracted structure features. Inspired by this, we propose Priv-GAN, a private publishing model based on NetGAN. Instead of distilling and then publishing graphs, we publish the Priv-GAN model that is trained using the original data in a DP manner. With Priv-GAN, data holders are able to produce synthetic graph data with degree distribution preservation. Compared to alternative solutions, ours highlights that (i) a private Langevin with gradient estimate is designed as an optimizer for discriminator, which provides a theoretical gradient upper bound and achieves DP by adding noise to the gradients; and (ii) importantly, the error bound of the noisy Langevin method is theoretically analyzed, which demonstrates that with appropriate parameter settings, Priv-GAN is able to maintain high utility guarantees. Experimental results confirm our theoretical findings and the efficacy of Priv-GAN.</p>

computer science, information systems

Alex Bie,Gautam Kamath,Guojun Zhang

2023-10-05

Abstract:We show that the canonical approach for training differentially private GANs -- updating the discriminator with differentially private stochastic gradient descent (DPSGD) -- can yield significantly improved results after modifications to training. Specifically, we propose that existing instantiations of this approach neglect to consider how adding noise only to discriminator updates inhibits discriminator training, disrupting the balance between the generator and discriminator necessary for successful GAN training. We show that a simple fix -- taking more discriminator steps between generator steps -- restores parity between the generator and discriminator and improves results. Additionally, with the goal of restoring parity, we experiment with other modifications -- namely, large batch sizes and adaptive discriminator update frequency -- to improve discriminator training and see further improvements in generation quality. Our results demonstrate that on standard image synthesis benchmarks, DPSGD outperforms all alternative GAN privatization schemes. Code: <a class="link-external link-https" href="https://github.com/alexbie98/dpgan-revisit" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Jiaqi Huang,Qiushi Huang,Gaoyang Mou,Chenye Wu

DOI: https://doi.org/10.1109/tsg.2022.3230671

IF: 10.275

2023-01-01

IEEE Transactions on Smart Grid

Abstract:Smart meters have collected massive amounts of fine-grained load data from users, enabling various load profile analyses that can help improve the efficiency of smart grids. However, the smart meter data may leak private information, raising public concerns. To address this issue, current approaches typically employ data perturbation mechanisms or data generation mechanisms to ensure privacy when analyzing load profiles, but these approaches are either inflexible or not guaranteed to mitigate the leakage issue. To this end, we propose a differentially private Wasserstein Generative Adversarial Networks (DPWGAN) approach in this study. This approach can privately convert a real-world dataset into a high-quality synthetic load dataset so that studies and analyses conducted on the synthetic dataset can automatically satisfy user-level differential privacy guarantees. The extensive numerical studies highlight that our approach acts as an excellent substitute for the original dataset in real-world load profiling tasks.

Gregor Schram,Rui Wang,Kaitai Liang

DOI: https://doi.org/10.48550/arXiv.2206.12270

2022-06-24

Abstract:Machine learning has been applied to almost all fields of computer science over the past decades. The introduction of GANs allowed for new possibilities in fields of medical research and text prediction. However, these new fields work with ever more privacy-sensitive data. In order to maintain user privacy, a combination of federated learning, differential privacy and GANs can be used to work with private data without giving away a users' privacy. Recently, two implementations of such combinations have been published: DP-Fed-Avg GAN and GS-WGAN. This paper compares their performance and introduces an alternative version of DP-Fed-Avg GAN that makes use of denoising techniques to combat the loss in accuracy that generally occurs when applying differential privacy and federated learning to GANs. We also compare the novel adaptation of denoised DP-Fed-Avg GAN to the state-of-the-art implementations in this field.

Machine Learning,Cryptography and Security

Maryam Azadmanesh,Behrouz Shahgholi Ghahfarokhi,Maede Ashouri Talouki

DOI: https://doi.org/10.1016/j.eswa.2024.125646

IF: 8.5

2024-11-08

Expert Systems with Applications

Abstract:Generative Adversarial Networks (GANs) do not ensure the privacy of the training datasets and may memorize sensitive details. To maintain privacy of data during inference, various privacy-preserving GAN mechanisms have been proposed. Despite the different approaches and their characteristics, advantages, and disadvantages, there is a lack of a systematic review on them. This paper first presents a comprehensive survey on privacy-preserving mechanisms and offers a taxonomy based on their characteristics. The survey reveals that many of these mechanisms modify the GAN learning algorithm to enhance privacy, highlighting the need for theoretical and empirical analysis of the impact of these modifications on GAN convergence. Among the surveyed methods, ADAM-DPGAN is a promising approach that ensures differential privacy in GANs for both the discriminator and the generator networks when using the ADAM optimizer, by introducing appropriate noise based on the global sensitivity of discriminator parameters. Therefore, this paper conducts a theoretical and empirical analysis of the convergence of ADAM-DPGAN. In the presented theoretical analysis, assuming that simultaneous/alternating gradient descent method with ADAM optimizer converges locally to a fixed point and its operator is L-Lipschitz with L < 1, the effect of ADAM-DPGAN-based noise disturbance on local convergence is investigated and an upper bound for the convergence rate is provided. The analysis highlights the significant impact of differential privacy parameters, the number of training iterations, the discriminator's learning rate, and the ADAM hyper-parameters on the convergence rate. The theoretical analysis is further validated through empirical analysis. Both theoretical and empirical analyses reveal that a stronger privacy guarantee leads to a slower convergence, highlighting the trade-off between privacy and performance. The findings also indicate that there exists an optimal value for the number of training iterations regarding the privacy needs. The optimal settings for each parameter are calculated and outlined in the paper.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science