Title Page
Abstract
Contents
Chapter 1. Introduction
Chapter 2. Background
2.1. Membership Inference Attack
2.2. Generative Adversarial Networks (GANs)
2.3. Taxonomy of Membership Inference Attacks Against GANs
2.4. Generalization Gap
Chapter 3. VoteGAN
3.1. Attack Model Framework
3.2. Global Optimality of VoteGAN
3.3. Training Stability of VoteGAN
3.4. Voting Strategy
3.5. Black-Box Attack
3.5.1. Attack Motivation
3.5.2. Attack Overview
Chapter 4. Evaluation
4.1. Experimental Setup
4.2. Attack Implementation
4.3. Evaluation of Multiple Discriminators
4.4. Evaluation of Target Model Representation
4.5. Evaluation of Attack Performance
4.5.1. Attack Success Rate on Various Target Models
4.5.2. Attack Success Rate with Different Training Dataset Size
4.5.3. Resistance to Defense Mechanism
Chapter 5. Discussion
Chapter 6. Related work
6.1. Membership Inference Attacks Against Generative Models
6.2. Training GANs with Multiple Discriminators
Chapter 7. Conclusion
Bibliography
Appendices
Table 4.1. Comparison of the FID scores.
Table 4.2. Generalization gap of LOGAN and VoteGANs.
Table 4.3. Attack success rate of membership inference attacks on various target models and datasets.
Table 4.4. Attack success rate against PrivGAN with defense mechanisms.
Table 6.1. Comparison of necessary conditions for GANs target attacks in the black-box setting. ('✓' means the adversary needs the information while '-' indicates the information...
Figure 2.1. Overview of the GAN architecture.
Figure 3.1. Overview of VoteGAN framework.
Figure 3.2. Membership inference method of VoteGAN.
Figure 4.1. Comparison of distributions produced by LOGAN and VoteGANs. The first column shows the original distributions of the Blobs and Circles. The second column shows...
Figure 4.2. Attack success rate against DCGAN with different training dataset size.
Figure 5.1. Comparison between GAN models with different numbers of discriminators in terms of model training time, VRAM usage, and attack success rate. (a), (b) show the...
Figure 5.2. Comparison of average attack success rates for VoteGAN with JS divergence and Wasserstein distance.
Figure 5.3. Comparison of average attack success rates for sample size per partition. In the legend, '2,000', '4,000', and '6,000' refer to the amount of data used to train the target model.