TableGAN-MCA: Evaluating Membership Collisions of GAN-Synthesized Tabular Data Releasing

TL;DR

This paper introduces TableGAN-MCA, a novel membership collision attack that can recover training data from GAN-synthesized tables, revealing vulnerabilities even against privacy-preserving methods.

Contribution

The paper presents a new attack method, TableGAN-MCA, demonstrating its effectiveness in recovering training data from GAN-synthesized tables and analyzing factors influencing its success.

Findings

TableGAN-MCA achieves high data recovery rates on real-world datasets.

Success correlates with training data size, epochs, and synthetic sample availability.

Frequent and some unique data points are highly vulnerable to recovery.

Abstract

Generative Adversarial Networks (GAN)-synthesized table publishing lets people privately learn insights without access to the private table. However, existing studies on Membership Inference (MI) Attacks show promising results on disclosing membership of training datasets of GAN-synthesized tables. Different from those works focusing on discovering membership of a given data point, in this paper, we propose a novel Membership Collision Attack against GANs (TableGAN-MCA), which allows an adversary given only synthetic entries randomly sampled from a black-box generator to recover partial GAN training data. Namely, a GAN-synthesized table immune to state-of-the-art MI attacks is vulnerable to the TableGAN-MCA. The success of TableGAN-MCA is boosted by an observation that GAN-synthesized tables potentially collide with the training data of the generator. Our experimental evaluations on TableGAN-MCA have five main findings. First, TableGAN-MCA has a satisfying training data recovery rate on three commonly used real-world datasets against four generative models. Second, factors, including the size of GAN training data, GAN training epochs and the number of synthetic samples available to the adversary, are positively correlated to the success of TableGAN-MCA. Third, highly frequent data points have high risks of being recovered by TableGAN-MCA. Fourth, some unique data are exposed to unexpected high recovery risks in TableGAN-MCA, which may attribute to GAN's generalization. Fifth, as expected, differential privacy, without the consideration of the correlations between features, does not show commendable mitigation effect against the TableGAN-MCA. Finally, we propose two mitigation methods and show promising privacy and utility trade-offs when protecting against TableGAN-MCA.