Abstract
Privacy preserving data release is a major concern of many data mining applications. Using Generative Adversarial Networks (GANs) to generate an unlimited number of synthetic samples is a popular replacement for data sharing. However, GAN models are known to implicitly memorize details of sensitive data used for training. To this end, this paper proposes ADAM-DPGAN, which guarantees differential privacy of training data for GAN models. ADAM-DPGAN specifies the maximum effect of each sensitive training record on the model parameters at each step of the learning procedure when the Adam optimizer is used, and adds appropriate noise to the parameters during the training procedure. ADAM-DPGAN leverages Rényi differential privacy account to track the spent privacy budgets. In contrast to prior work, by accurately determining the effect of each training record, this method can distort parameters more precisely and generate higher quality outputs while preserving the convergence properties of GAN counterparts without privacy leakage as proved. Through experimental evaluations on different image datasets, the ADAM-DPGAN is compared to previous methods and the superiority of the ADAM-DPGAN over the previous methods is demonstrated in terms of visual quality, realism and diversity of generated samples, convergence of training, and resistance to membership inference attacks.
Similar content being viewed by others
References
Machanavajjhala A, Kifer D, Gehrke J, Ven-kitasubramaniam M (2007) l-diversity: privacy beyond k-anonymity. ACM Trans Knowl Discov Data (TKDD) 1(1):1–24
Li N, Li T, Venkatasubramanian S (2007) t-closeness: privacy beyond k-anonymity and l-diversity. In: 23rd International conference on data engineering, pp 106–115
Goodfellow I, Pougget-Abadie J, Mirza M, Xu B, Warde-Farely D, Ozair S, Courvalle A, Bongio Y (2014) Generative adversarial nets. In: 27th International conference on neural information processing systems, pp 2672–2680
Hayes J, Melis L, Denerzis G, De Cristofaro E (2019) LOGAN: membership inference attacks against generative models. In: Privacy enhancing technologies symposium, pp 133–152
Hilprecht B, Harterich M, Bernau D (2019) Monte Carlo and reconstruction membership inference attacks against genera-tive models. In: Privacy enhancing technologies symposium, pp 232–249
Chen D, Yu N, Zhang Y, Fritz M (2020) GAN-leaks: a taxonomy of membership inference attacks against generative models. In: the 2020 ACM SIGSAC conference on computer and communications security, pp 343–362
Xu C, Ren J, Zhang D, Zhang Y, Qin Z, Ren K (2019) GANobfuscator: mitigating information leakage under GAN via differential privacy. IEEE Trans Inform Forens Secur 14(9):2358–2371
Torkzadehmahani R, Kairouz P, Paten B (2019) DP-CGAN: differentially private synthetic data and label generation. In: IEEE/CVF Conference on computer vision and pattern recognition workshops (CVPRW), pp 1–8
Jordon J, Yoon J, Schaar M (2019) PATE-GAN: generative synthetic data with differential privacy guarantees. In: Seventh international conference on learning representations, pp 1–21
Long Y, Lin S, Yang Z, Gunter CA, Li B (2019) Scalable differentially private generative student model via PATE. arXiv:1906.09338
Wnag B, Wu F, Long Y, Rimanic L, Zhang C, Li B (2021) DataLens: scable privacy preserving training via gradient compression and aggegation. arXiv:2103.11109
Chen D, Orekondy T, Fritz M (2020) GS-WGAN: a gradient-sanitized approach for learning differentially private generators. In: 34 Conference on neural information processing systems, pp 1–18
Han C, Xue R (2021) Differentially private GANs by adding noise to discriminator’s loss. Comput Secur 107:1–14
Mukherjee S, Xu Y, Trivedi A, Ferres J (2019) PrivGan: protecting GANs from membership inference attack at low cost. arXiv:2001.00071
Kingma DP, Ba JL (2015) ADAM: a method for stochastic optimization. In: International conference on learning representations, pp 1–15
Gulrajani I, Ahmed F, Arjovsky M, Dumoulin V, Courville AC (2017) Improved training of wasserstein GANs. In: Annual conference on neural information processing systems (NIPS), pp 5767–5777
Mironov I, Talwar K, Zhang L (2019) Rényi differential privacy of the sampled gaussian mechanism. arXiv:1908.10530
Salimans T, Goodfellow I, Zaremba W, Cheung V, Radford A, Chen X (2016) Improved techniques for training gans. In: Advances in neural information processing systems, pp 2234–2242
Heusel M, Ramsauer H, Unterthiner T, Nessler B, Hochreiter S (2017) GANs trained by a two time-scale update rule converge to a local Nash equilibrium. In: Annual conference on neural information processing systems (NIPS), pp 6626–6637
Fredrikson M, Jha S, RIstenpart T (2015) Model inversion attacks that exploit confidence information and basic countermeasures. In: 22nd ACM SIGSAC Conference on computer and communications security, pp 1322–1333
Yang Z, Zhang J, Chein-Chang E, Liang Z (2019) Neural network inversion in adversarial setting via background knowledge alignment. In: 2019 ACM SIGSAC conference on computer and communications security, pp 225–240
Shokri R, Stronato M, Song C, Shamatikov V (2017) Membership inference attacks against machine learning models. In: IEEE symposium on security and privacy (SP), pp 3–18
Yeom S, Giacomelli I, Fredrikson M, Jha S (2018) Privacy risk in machine learning: analyzing the connection to over-fitting. In: 2018 IEEE 31st Computer security foundations symposium, pp 268–282
Sablayrolles A, Douze M, Schmid C, Ollivier Y, Jegou H (2019) White-box vs Black-box: bayes optimal strategies for membership inference. In: the 36th International conference on machine learning, pp 1–11
Nasr M, Shokri R, Houmansadr A (2019) Comprehensive privacy analysis of deep learning stand-alone and federated learning under passive and active white-box inference attacks. In: IEEE Symposium on security and privacy, pp 739–853
Abadi M, Chu A, Goodfellow I, McMahan HB, Mironov I, Talwar K, Zhang L (2016) Deep learning with differential privacy. In: 2016 ACM SIGSAC Conference on computer and communications security, pp 308–318
Papernot N, Abadi M, Erlingsson U, Goodfellow I, Talwar K (2017) Semi-supervised knowledge transfer for deep learning from private aggregator. In: the International conference on learning representations (ICLR), pp 1–16
Papernot N, Song S, Mironov I, Raghunathan A, Talwar K, Erlingsson U (2018) Scalable private learning with PATE. In: The International conference on learning representations (ICLR), pp 1–34
Phan N, Wang Y, Wu X, Dou D (2016) Differential privacy preserving for deep auto-encoders: an application of human behavior prediction. In: The Thirtieth AAAI conference on artificial intelligence (AAAI-16), pp 1309–1316
Mirza M, Osindero S (2014) Conditional generative adversarial nets. arXiv:1411.1784
Goodfellow I (2015) Efficient per-example gradient computations. arXiv:1510.01799
Rochette G, Manoel A, Tramel EA (2020) Efficient per-example gradient computations in convolutional neural networks. arXiv:1912.06015
Bu Z, Wang H, Long Q, Su WJ (2021) On the convergence of deep learning with differential privacy. arXiv:2106.07830
Nasr M, Shokri R, Houmansadr A (2018) Machine learning with membership privacy using adversarial regularization. In: The ACM SIGSAC conference on computer and communications security, pp 634–646
Jia J, Salem A, Backes M, Zhang Y, Gong NZ (2019) MemGuard: defending against black-box membership inference attacks via adversarial examples. In: The ACM SIGSAC Conference on computer and communications security, pp 259–274
Yang Z, Shao B, Yuan B, Chein E, Zhang F (2020) Defending model inversion and membership inference attacks via prediction purification. arXiv:2005.03915
Dwork C, Kenthapadi K, McSherry F, Mironov I, Naor M (2006) Our data, ourselves: privacy via distributed noise generation
Dwork C, Roth A (2013) The algorithmic foundations of differential privacy. Theor Comput Sci 9(3):211–407
Dwork C, Rothblum GN, Vadhan S (2010) Boosting and differential privacy. In: Proceedings of IEEE 51st annual symposium on foundations of computer science, pp 51–60
Mironov I (2017) Rényi differential privacy. In: IEEE 30th computer security foundations symposium (CSF), pp 263–275
Arjovsky M, Chintala S, Bottou L (2017) Wasserstein generative adversarial networks. In: International conference on machine learning, pp 214–223
Chen X, Liu S, Sun R, Hong M (2019) On the convergence of a class of ADAM-type algorithms for non-convex optimization. In: 7th International conference on learning representations (ICLR 2019), pp 1–43
Radford A, Metz L, Chintala S (2015) Unsupervised representation learning with deep convolutional generative adver-sarial networks. arXiv:1511.06434
Author information
Authors and Affiliations
Corresponding author
Additional information
Data availability statement
Publicly available datasets were analyzed in this study. This data can be found at: MNIST dataset: http://yann.lecun.com/exdb/mnist/; Fashion-MNIST dataset: https://github.com/zalandoresearch/fashion-mnist/; CelebA dataset: http://mmlab.ie.cuhk.edu.hk/projects/CelebA.html.
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Azadmanesh, M., Ghahfarokhi, B.S. & Talouki, M.A. ADAM-DPGAN: a differential private mechanism for generative adversarial network. Appl Intell 53, 11142–11161 (2023). https://doi.org/10.1007/s10489-022-03902-9
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10489-022-03902-9