Cheng Zhuo,Di Gao,Liangwei Liu

DOI: https://doi.org/10.1109/tbdata.2022.3216566

2024-01-01

IEEE Transactions on Big Data

Abstract:The deployment of deep learning applications has to address the increasing privacy concerns when using private and sensitive data for training. A conventional deep learning model is prone to privacy attacks that can recover the sensitive information from either model parameters or accesses to the inference model. Recently, differential privacy (DP) has been proposed to offer provable privacy guarantees by randomizing the training process of neural networks. However, many approaches tend to provide the worst case privacy protection for model publishing, inevitably impairing the accuracy of the trained models. Thus, we present a novel private knowledge transfer strategy, where the private teacher trained on sensitive data is not publicly accessible but the student models can be released with privacy guarantees. In this paper, a three-player (teacher-student-discriminator) learning framework, Private Knowledge Distillation with Generative Adversarial Networks (PKDGAN), is proposed, where the student acquires the distilled knowledge from the teacher and is trained with the discriminator to generate similar outputs as the teacher. Moreover, a cooperative learning strategy is also suggested to support the collective training of multiple students against the discriminator when each student is with insufficient unlabelled training data. To enforce rigorous privacy guarantees, PKDGAN applies a Rényi differential privacy mechanism throughout the training process, and use it with a moment accountant technique to track the privacy cost. PKDGAN allows students to be trained with unlabelled public data and very few epochs, which avoids the exposure of training data while ensuring model performance. In the experiments, PKDGAN is found to have consistently good performance on various datasets (MNIST, SVHN, CIFAR-10, and Market-1501). When compared to prior works [1], [2], PKDGAN exhibits 5-82% accuracy loss improvement without compromising any privacy guarantee.

Bingzhe Wu,Shiwan Zhao,ChaoChao Chen,Haoyang Xu,Li Wang,Xiaolu Zhang,Guangyu Sun,Jun Zhou

DOI: https://doi.org/10.48550/arxiv.1908.07882

2019-01-01

Abstract:In this paper, we aim to understand the generalization properties of generative adversarial networks (GANs) from a new perspective of privacy protection. Theoretically, we prove that a differentially private learning algorithm used for training the GAN does not overfit to a certain degree, i.e., the generalization gap can be bounded. Moreover, some recent works, such as the Bayesian GAN, can be re-interpreted based on our theoretical insight from privacy protection. Quantitatively, to evaluate the information leakage of well-trained GAN models, we perform various membership attacks on these models. The results show that previous Lipschitz regularization techniques are effective in not only reducing the generalization gap but also alleviating the information leakage of the training dataset.

Yi Liu,Jialiang Peng,James J.Q Yu,Yi Wu

DOI: https://doi.org/10.1109/ICPADS47876.2019.00150

2019-10-05

Abstract:Generative Adversarial Network (GAN) and its variants serve as a perfect representation of the data generation model, providing researchers with a large amount of high-quality generated data. They illustrate a promising direction for research with limited data availability. When GAN learns the semantic-rich data distribution from a dataset, the density of the generated distribution tends to concentrate on the training data. Due to the gradient parameters of the deep neural network contain the data distribution of the training samples, they can easily remember the training samples. When GAN is applied to private or sensitive data, for instance, patient medical records, as private information may be leakage. To address this issue, we propose a Privacy-preserving Generative Adversarial Network (PPGAN) model, in which we achieve differential privacy in GANs by adding well-designed noise to the gradient during the model learning procedure. Besides, we introduced the Moments Accountant strategy in the PPGAN training process to improve the stability and compatibility of the model by controlling privacy loss. We also give a mathematical proof of the differential privacy discriminator. Through extensive case studies of the benchmark datasets, we demonstrate that PPGAN can generate high-quality synthetic data while retaining the required data available under a reasonable privacy budget.

Machine Learning

Kaixiang Lin,Jiayu Zhou,Shu Wang,Liyang Xie,Fei Wang

2018-02-19

Abstract:Generative Adversarial Network (GAN) and its variants have recently attracted intensive research interests due to their elegant theoretical foundation and excellent empirical performance as generative models. These tools provide a promising direction in the studies where data availability is limited. One common issue in GANs is that the density of the learned generative distribution could concentrate on the training data points, meaning that they can easily remember training samples due to the high model complexity of deep networks. This becomes a major concern when GANs are applied to private or sensitive data such as patient medical records, and the concentration of distribution may divulge critical patient information. To address this issue, in this paper we propose a differentially private GAN (DPGAN) model, in which we achieve differential privacy in GANs by adding carefully designed noise to gradients during the learning procedure. We provide rigorous proof for the privacy guarantee, as well as comprehensive empirical evidence to support our analysis, where we demonstrate that our method can generate high quality data points at a reasonable privacy level.

Medicine,Mathematics,Computer Science

Ke Pan,Maoguo Gong,Yuan Gao

DOI: https://doi.org/10.1016/j.knosys.2023.110576

IF: 8.139

2023-07-01

Knowledge-Based Systems

Abstract:Generative adversarial networks (GANs) have become hugely popular by virtue of their impressive ability to generate realistic samples. Although GANs alleviate the arduous data-collection problem, they are prone to memorize training samples as a result of their complex model structure. Thus, GANs may not provide sufficient privacy guarantees, and there is a considerable chance of inadvertently divulging data privacy. To alleviate this issue, we design a privacy-enhanced GAN based on differential privacy. We first integrate truncated concentrated differential privacy technique into GAN for mitigating privacy leakage with tighter privacy bound. Then, according to different privacy demands of users in real-world scenarios, we design two adaptive noise allocation strategies, which enable us to dynamically inject noise into gradients at each iteration. Different strategies provide us with an intuitive handle to adopt a suitable strategy and achieve an elegant compromise between privacy and utility in distinct scenarios. Furthermore, we offer rigorous illustrations from the perspective of privacy preservation and privacy defense to demonstrate that our algorithm can fulfill differential privacy guarantees. Extensive experiments on real-world datasets manifest that our algorithm can generate high-quality samples while achieving an excellent trade-off between model performance and privacy guarantees.

computer science, artificial intelligence

Di Gao,Cheng Zhuo

DOI: https://doi.org/10.3233/FAIA200294

2020-01-01

Abstract:The deployment of deep learning applications has to address the growing privacy concerns when using private and sensitive data for training. A conventional deep learning model is prone to privacy attacks that can recover the sensitive information of individuals from either model parameters or accesses to the target model. Recently, differential privacy that offers provable privacy guarantees has been proposed to train neural networks in a privacy-preserving manner to protect training data. However, many approaches tend to provide the worst case privacy guarantees for model publishing, inevitably impairing the accuracy of the trained models. In this paper, we present a novel private knowledge transfer strategy, where the private teacher trained on sensitive data is not publicly accessible but teaches a student to be publicly released. In particular, a three-player (teacher-student-discriminator) learning framework is proposed to achieve trade-off between utility and privacy, where the student acquires the distilled knowledge from the teacher and is trained with the discriminator to generate similar outputs as the teacher. We then integrate a differential privacy protection mechanism into the learning procedure, which enables a rigorous privacy budget for the training. The framework eventually allows student to be trained with only unlabelled public data and very few epochs, and hence prevents the exposure of sensitive training data, while ensuring model utility with a modest privacy budget. The experiments on MNIST, SVHN and CIFAR-10 datasets show that our students obtain the accuracy losses w.r.t teachers of 0.89%, 2.29%, 5.16%, respectively with the privacy bounds of (1.93, 10(-5)), (5.02, 10(-6)), (8.81, 10(-6)). When compared with the existing works [15, 20], the proposed work can achieve 582% accuracy loss improvement.

Chugui Xu,Ju Ren,Deyu Zhang,Yaoxue Zhang,Zhan Qin,Kui Ren

DOI: https://doi.org/10.1109/tifs.2019.2897874

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:By learning generative models of semantic-rich data distributions from samples, generative adversarial network (GAN) has recently attracted intensive research interests due to its excellent empirical performance as a generative model. The model is used to estimate the underlying distribution of a dataset and randomly generate realistic samples according to their estimated distribution. However, GANs can easily remember training samples due to the high model complexity of deep networks. When GANs are applied to private or sensitive data, the concentration of distribution may divulge some critical information. It consequently requires new technological advances to mitigate the information leakage under GANs. To address this issue, we propose GANobfuscator, a differentially private GAN, which can achieve differential privacy under GANs by adding carefully designed noise to gradients during the learning procedure. With GANobfuscator, analysts are able to generate an unlimited amount of synthetic data for arbitrary analysis tasks without disclosing the privacy of training data. Moreover, we theoretically prove that GANobfuscator can provide strict privacy guarantee with differential privacy. In addition, we develop a gradient-pruning strategy for GANobfuscator to improve the scalability and stability of data training. Through extensive experimental evaluation on benchmark datasets, we demonstrate that GANobfuscator can produce high-quality generated data and retain desirable utility under practical privacy budgets.

Chuan Ma,Jun Li,Ming Ding,Bo Liu,Kang Wei,Jian Weng,H. Vincent Poor

DOI: https://doi.org/10.1109/tdsc.2022.3233580

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Generative adversarial networks (GANs) have attracted increasing attention recently owing to their impressive abilities to generate realistic samples with high privacy protection. Without directly interacting with training examples, the generative model can be used to estimate the underlying distribution of an original dataset while the discriminator can examine model quality of the generated samples by comparing the label values with training examples. In considering privacy issues in GANS, existing works focus on perturbing the parameters and analyzing the corresponding privacy protection capability, and the parameters are not directly exchanged between the generator and discriminator in GANs. Thus, in this work, we propose a Rényi-differentially private-GAN (RDP-GAN), which achieves differential privacy (DP) in a GAN by carefully adding random Gaussian noise to the value of the exchanged loss function during training. Moreover, we derive analytical results characterizing the total privacy loss under the subsampling method and cumulative iterations, which show its effectiveness for the privacy budget allocation. In addition, in order to mitigate the negative impact of injecting noises, we enhance the proposed algorithm by adding an adaptive noise tuning step, which will change the amount of added noise according to the testing accuracy. Through extensive experimental results, we verify that the proposed algorithm can achieve a better privacy level while producing high-quality samples compared with a benchmark DP-GAN scheme based on noise perturbation on training gradients.

computer science, information systems, software engineering, hardware & architecture

Zepeng Jiang,Weiwei Ni,Yifan Zhang

2024-04-19

Abstract:Conditional Generative Adversarial Networks (CGANs) exhibit significant potential in supervised learning model training by virtue of their ability to generate realistic labeled images. However, numerous studies have indicated the privacy leakage risk in CGANs models. The solution DPCGAN, incorporating the differential privacy framework, faces challenges such as heavy reliance on labeled data for model training and potential disruptions to original gradient information due to excessive gradient clipping, making it difficult to ensure model accuracy. To address these challenges, we present a privacy-preserving training framework called PATE-TripleGAN. This framework incorporates a classifier to pre-classify unlabeled data, establishing a three-party min-max game to reduce dependence on labeled data. Furthermore, we present a hybrid gradient desensitization algorithm based on the Private Aggregation of Teacher Ensembles (PATE) framework and Differential Private Stochastic Gradient Descent (DPSGD) method. This algorithm allows the model to retain gradient information more effectively while ensuring privacy protection, thereby enhancing the model's utility. Privacy analysis and extensive experiments affirm that the PATE-TripleGAN model can generate a higher quality labeled image dataset while ensuring the privacy of the training data.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Dongjie Chen,Sen-ching Samson Cheung,Chen-Nee Chuah,Sally Ozonoff

DOI: https://doi.org/10.1109/WIFS53200.2021.9648378

2022-10-27

Abstract:To protect sensitive data in training a Generative Adversarial Network (GAN), the standard approach is to use differentially private (DP) stochastic gradient descent method in which controlled noise is added to the gradients. The quality of the output synthetic samples can be adversely affected and the training of the network may not even converge in the presence of these noises. We propose Differentially Private Model Inversion (DPMI) method where the private data is first mapped to the latent space via a public generator, followed by a lower-dimensional DP-GAN with better convergent properties. Experimental results on standard datasets CIFAR10 and SVHN as well as on a facial landmark dataset for Autism screening show that our approach outperforms the standard DP-GAN method based on Inception Score, Fréchet Inception Distance, and classification accuracy under the same privacy guarantee.

Machine Learning,Cryptography and Security

Bangzhou Xin,Wei Yang,Yangyang Geng,Sheng Chen,Shaowei Wang,Liusheng Huang

DOI: https://doi.org/10.1109/icassp40776.2020.9054559

2020-01-01

Abstract:Generative Adversarial Network (GAN) has already made a big splash in the field of generating realistic "fake" data. However, when data is distributed and data-holders are reluctant to share data for privacy reasons, GAN's training is difficult. To address this issue, we propose private FL-GAN, a differential privacy generative adversarial network model based on federated learning. By strategically combining the Lipschitz limit with the differential privacy sensitivity, the model can generate high-quality synthetic data without sacrificing the privacy of the training data. We theoretically prove that private FL-GAN can provide strict privacy guarantee with differential privacy, and experimentally demonstrate our model can generate satisfactory data.

Qingrong Chen,Chong Xiang,Minhui Xue,Bo Li,Nikita Borisov,Dali Kaarfar,Haojin Zhu

DOI: https://doi.org/10.48550/arXiv.1812.02274

2018-12-06

Abstract:Deep neural networks (DNNs) have recently been widely adopted in various applications, and such success is largely due to a combination of algorithmic breakthroughs, computation resource improvements, and access to a large amount of data. However, the large-scale data collections required for deep learning often contain sensitive information, therefore raising many privacy concerns. Prior research has shown several successful attacks in inferring sensitive training data information, such as model inversion, membership inference, and generative adversarial networks (GAN) based leakage attacks against collaborative deep learning. In this paper, to enable learning efficiency as well as to generate data with privacy guarantees and high utility, we propose a differentially private autoencoder-based generative model (DP-AuGM) and a differentially private variational autoencoder-based generative model (DP-VaeGM). We evaluate the robustness of two proposed models. We show that DP-AuGM can effectively defend against the model inversion, membership inference, and GAN-based attacks. We also show that DP-VaeGM is robust against the membership inference attack. We conjecture that the key to defend against the model inversion and GAN-based attacks is not due to differential privacy but the perturbation of training data. Finally, we demonstrate that both DP-AuGM and DP-VaeGM can be easily integrated with real-world machine learning applications, such as machine learning as a service and federated learning, which are otherwise threatened by the membership inference attack and the GAN-based attack, respectively.

Cryptography and Security,Machine Learning

Bangzhou Xin,Yangyang Geng,Teng Hu,Sheng Chen,Wei Yang,Shaowei Wang,Liusheng Huang

DOI: https://doi.org/10.1016/j.neucom.2021.10.027

IF: 6

2021-01-01

Neurocomputing

Abstract:Distributed machine learning has attracted much attention in the last decade with the widespread use of the Internet of Things. As a generative model, Generative Adversarial Network (GAN) has excellent empirical performance. However, the distributed storage of data and the fact that data cannot be shared for privacy reasons in a federated learning setting bring new challenges to training GAN. To address this issue, we propose private FL-GAN, a differentially private GAN based on federated learning. By strategically combining the Lipschitz condition with differential privacy sensitivity, our model can generate high-quality synthetic data without sacrificing the training data’s privacy. When communication between clients becomes the main bottleneck for federated learning, we propose to use a serialized model-training paradigm, which significantly reduces communication costs. Considering the distributed data is often non-IID in reality, which poses challenges to modeling, we further propose universal private FL-GAN to approach this problem. We not only theoretically prove that our algorithms can provide strict privacy guarantees with differential privacy, but also experimentally demonstrate that our models can generate satisfactory data while protecting the privacy of the training data, even if the data is non-IID.

Marcel Neunhoeffer,Zhiwei Steven Wu,Cynthia Dwork

DOI: https://doi.org/10.48550/arXiv.2007.11934

IF: 5.414

2020-07-23

Machine Learning

Abstract:Differentially private GANs have proven to be a promising approach for generating realistic synthetic data without compromising the privacy of individuals. Due to the privacy-protective noise introduced in the training, the convergence of GANs becomes even more elusive, which often leads to poor utility in the output generator at the end of training. We propose Private post-GAN boosting (Private PGB), a differentially private method that combines samples produced by the sequence of generators obtained during GAN training to create a high-quality synthetic dataset. To that end, our method leverages the Private Multiplicative Weights method (Hardt and Rothblum, 2010) to reweight generated samples. We evaluate Private PGB on two dimensional toy data, MNIST images, US Census data and a standard machine learning prediction task. Our experiments show that Private PGB improves upon a standard private GAN approach across a collection of quality measures. We also provide a non-private variant of PGB that improves the data quality of standard GAN training.

Zhenyu Jiang,Changli Zhou,Hui Tian,Zikang Chen

DOI: https://doi.org/10.3390/electronics13173423

IF: 2.9

2024-09-01

Electronics

Abstract:Differential privacy techniques have shown excellent performance in protecting sensitive information during GAN model training. However, with the increasing attention to data privacy issues, ensuring high-quality output of generative models and the efficiency of federated learning while protecting privacy has become a pressing challenge. To address these issues, this paper proposes a One-shot Federated Personalized Protection–Generative Adversarial Network (OFPP-GAN). Firstly, this scheme employs dual personalized differential privacy to achieve privacy protection. It adjusts the noise scale and clipping threshold based on the gradient changes during model training in a personalized manner, thereby enhancing the performance of the generative model while protecting privacy. Additionally, the scheme adopts the one-shot federated learning paradigm, where each client uploads their local model containing private information only once throughout the training process. This approach not only reduces the risk of privacy leakage but also decreases the communication overhead of the entire system. Finally, we validate the effectiveness of the proposed method through theoretical analysis and experiments. Compared with existing methods, the generative model trained with OFPP-GAN demonstrates superior security, efficiency, and robustness.

engineering, electrical & electronic,computer science, information systems,physics, applied

Ren Yang,Xuebin Ma,Xiangyu Bai,Xiangdong Su

DOI: https://doi.org/10.1109/trustcom50675.2020.00232

2020-01-01

Abstract:In recent years, as image data are widely used in data analysis tasks, the problem of privacy disclosure is becoming more and more serious. However, the privacy protection technology of image data is still immature. In this paper, we propose a privacy protection framework named dp-WGAN for image data. This framework uses differential privacy and generative adversarial network to train a generative model with privacy protection function. Using this generative model, synthetic data with similar characteristics to sensitive data can be obtained, and synthetic data is published instead sensitive data to complete all kinds of data analysis tasks. Through extensive empirical evaluation on benchmark datasets, we demonstrate that dp-WGAN can provide strong privacy protection for sensitive data and produce high-quality synthetic data.

Youyang Qu,Shui Yu,Wanlei Zhou,Yonghong Tian

DOI: https://doi.org/10.1109/TNSE.2020.3001061

IF: 6.6

2020-01-01

IEEE Transactions on Network Science and Engineering

Abstract:The cyber-physical social system (CPSS) enables human social interaction from cyberspace to the physical world by sharing an increasing volume of spatial-temporal data. The sensitive information in the shared data is appealing to the adversaries and various attacks. However, most existing research assumes that the privacy protection level is identical regardless of various requirements, which is not practical. Subsequently, this results in either over-protection or failing to resist the leading attacks like collusion attacks. Motivated by this, a personalized model is proposed by using generative adversarial nets (GAN) to achieve differential privacy and thereby enhancing spatial-temporal private data sharing. A Differential Privacy Identifier is added to the classic GAN with a Generator and a Discriminator. The deployment of the differentially Private GAN (P-GAN) enables the generation of the sanitized data that can perfectly approximate the spatial-temporal trajectory while providing high-level privacy protection. P-GAN optimizes the trade-off between personalized privacy protection and improved data utility while maintaining fast convergence. Simultaneously, the random noise generation guaranteed by GAN breaks the correlation of injected noises and make P-GAN attack-proof against the collusion attacks. Extensive evaluation results on real-world datasets show the superiority of P-GAN from the aspects of optimized trade-off and efficiency.

Sen Zhang,Weiwei Ni,Nan Fu

DOI: https://doi.org/10.1016/j.cose.2021.102285

2021-07-01

Abstract:<p>The goal of privacy-preserving graph publishing is to protect individual privacy in released graph data while preserving data utility. Degree distribution, serving as fundamental operations for many graph analysis tasks, is a crucial data utility. Yet, existing methods using differential privacy (DP) cannot well preserve degree distribution, since they distill a graph into a set of structural statistics (e.g. <span class="math"><math>dK</math></span>-series, etc.) that only captures local degree correlations, and require massive noise added to mask the change of a single edge. Recently Generative Adversarial Network for graphs (NetGAN) plays a key role in machine learning, due to its ability to capture the local and global degree distribution of the graph via biased random walks. Further, it allows us to move the burden of privacy-preserving to the learning procedure of its discriminator, rather than the extracted structure features. Inspired by this, we propose Priv-GAN, a private publishing model based on NetGAN. Instead of distilling and then publishing graphs, we publish the Priv-GAN model that is trained using the original data in a DP manner. With Priv-GAN, data holders are able to produce synthetic graph data with degree distribution preservation. Compared to alternative solutions, ours highlights that (i) a private Langevin with gradient estimate is designed as an optimizer for discriminator, which provides a theoretical gradient upper bound and achieves DP by adding noise to the gradients; and (ii) importantly, the error bound of the noisy Langevin method is theoretically analyzed, which demonstrates that with appropriate parameter settings, Priv-GAN is able to maintain high utility guarantees. Experimental results confirm our theoretical findings and the efficacy of Priv-GAN.</p>

computer science, information systems

Mohammadhadi Shateri,Francisco Messina,Fabrice Labeau,Pablo Piantanida

2023-11-06

Abstract:Generative Adversarial Networks (GANs) have been widely used for generating synthetic data for cases where there is a limited size real-world dataset or when data holders are unwilling to share their data samples. Recent works showed that GANs, due to overfitting and memorization, might leak information regarding their training data samples. This makes GANs vulnerable to Membership Inference Attacks (MIAs). Several defense strategies have been proposed in the literature to mitigate this privacy issue. Unfortunately, defense strategies based on differential privacy are proven to reduce extensively the quality of the synthetic data points. On the other hand, more recent frameworks such as PrivGAN and PAR-GAN are not suitable for small-size training datasets. In the present work, the overfitting in GANs is studied in terms of the discriminator, and a more general measure of overfitting based on the Bhattacharyya coefficient is defined. Then, inspired by Fano's inequality, our first defense mechanism against MIAs is proposed. This framework, which requires only a simple modification in the loss function of GANs, is referred to as the maximum entropy GAN or MEGAN and significantly improves the robustness of GANs to MIAs. As a second defense strategy, a more heuristic model based on minimizing the information leaked from generated samples about the training data points is presented. This approach is referred to as mutual information minimization GAN (MIMGAN) and uses a variational representation of the mutual information to minimize the information that a synthetic sample might leak about the whole training data set. Applying the proposed frameworks to some commonly used data sets against state-of-the-art MIAs reveals that the proposed methods can reduce the accuracy of the adversaries to the level of random guessing accuracy with a small reduction in the quality of the synthetic data samples.

Machine Learning,Cryptography and Security,Signal Processing

Zhenya Wang,Xiang Cheng,Sen Su,Guangsheng Wang

DOI: https://doi.org/10.1016/j.ins.2022.11.006

IF: 8.1

2023-01-01

Information Sciences

Abstract:This paper considers the problem of differentially private vertically partitioned data sharing. In particular, with the assistance of a semi-honest curator, the involved parties (i.e., data owners) each holds records regarding different features of the same set of individuals collectively generate a shared dataset while satisfying differential privacy. Motivated by the superiority of the generative adversarial network (GAN) in data synthesizing, we present a differentially private generative decomposed adversarial network (DPGDAN) approach for vertically partitioned data sharing. In DPGDAN, the discriminator in the initial GAN is decomposed into several local discriminators and two relational discriminators, i.e., a real relational discriminator and a fake relational discriminator. Each party is assigned with a local discriminator while the curator holds the generator and the two relational discriminators. By combining the sanitized feedback from the local discriminators and the outputs of the relational discriminators, the curator can update the generator to approximate the distribution of the integrated dataset without compromising each party’s privacy. Moreover, to promote the shared data’s utility, we design a snapshot aggregation method by aggregating the synthetic records produced by the generators acquired during training. Furthermore, we show that DPGDAN satisfies (∊,δ)- differential privacy. Extensive experiments validate the effectiveness of DPGDAN.