Performing Co-Membership Attacks Against Deep Generative Models

TL;DR

This paper introduces co-membership attacks against deep generative models, demonstrating that they can effectively determine whether a group of instances was used in training, thus posing privacy risks.

Contribution

The paper proposes a novel co-membership attack method that outperforms previous attacks and reveals increased vulnerability of VAEs compared to GANs.

Findings

Co-membership attacks outperform prior membership attacks.

VAEs are more vulnerable to membership inference than GANs.

The attack method is effective across various datasets and models.

Abstract

In this paper we propose a new membership attack method called co-membership attacks against deep generative models including Variational Autoencoders (VAEs) and Generative Adversarial Networks (GANs). Specifically, membership attack aims to check whether a given instance x was used in the training data or not. A co-membership attack checks whether the given bundle of n instances were in the training, with the prior knowledge that the bundle was either entirely used in the training or none at all. Successful membership attacks can compromise the privacy of training data when the generative model is published. Our main idea is to cast membership inference of target data x as the optimization of another neural network (called the attacker network) to search for the latent encoding to reproduce x. The final reconstruction error is used directly to conclude whether x was in the training data or not. We conduct extensive experiments on a variety of datasets and generative models showing that: our attacker network outperforms prior membership attacks; co-membership attacks can be substantially more powerful than single attacks; and VAEs are more susceptible to membership attacks compared to GANs.