Bayesian membership inference attacks for generative adversarial networks

doi:10.11772/j.issn.1001-9081.2024101523

Journal of Computer Applications ›› 2025, Vol. 45 ›› Issue (10): 3252-3258.DOI: 10.11772/j.issn.1001-9081.2024101523

• Cyber security • Previous Articles

Bayesian membership inference attacks for generative adversarial networks

You SHANG¹^,², Xianghua MIAO¹()

^1.Faculty of Information Engineering and Automation，Kunming University of Technology，Kunming Yunnan 650504，China
^2.Key Laboratory of Computer Science （Kunming University of Technology），Kunming Yunnan 650504，China

Received:2024-10-23 Revised:2025-02-11 Accepted:2025-02-17 Online:2025-02-27 Published:2025-10-10
Contact: Xianghua MIAO
About author:Shang you， born in 1998， M. S. candidate. Her research interests include information security， machine learning.
MIAO Xianghua， born in 1972， Ph. D.， associate professor. His research interests include information security， cryptography.
Supported by:
Yunnan Province Major Science and Technology Special Project(202302AD080002)

面向生成式对抗网络的贝叶斯成员推理攻击

尚游¹^,², 缪祥华¹()

^1.昆明理工大学信息工程与自动化学院，昆明 650504
^2.计算机重点实验室（昆明理工大学），昆明 650504

通讯作者: 缪祥华
作者简介:尚游（1998—），女，云南曲靖人，硕士研究生，CCF会员，主要研究方向：信息安全、机器学习
缪祥华（1972—），男，贵州盘州人，副教授，博士，主要研究方向：信息安全、密码学。Email:xianghuamiao@126.com
基金资助:
云南省重大科技专项计划项目(202302AD080002)

Abstract

Abstract:

Currently， there is a controversy about relationship between accuracies of Membership Inference Attacks （MIAs） in Generative Adversarial Networks （GANs） and generalization ability of the generative model itself， and thus effective attack ways are difficult to be widely applied， which limits the improvement of generative models. To solve the above problem， a Bayesian Estimation （BE）-based gray-box MIA scheme was proposed to match parameters in gray-box scenarios efficiently for optimal attacks. Firstly， training frameworks of the target and shadow models were designed under black-box conditions to obtain parameter knowledge required for the attack model. Then， the attack model was trained by combining and utilizing this effective parameter information to update the objective function continuously. Finally， the trained attack model was applied to MIA. Experimental results show that the attack accuracy of the gray-box attack scheme based on BE is improved by 15.89% and 21.64% respectively in average， compared to those of the existing white-box and black-box attack schemes. The above research achievements demonstrate a direct link between parameter exposure and Attack Success Rate （ASR）， and provide a direction for developing defensive strategies in this field.

Key words: Machine Learning (ML), Generative Adversarial Network (GAN), Membership Inference Attack (MIA), Bayesian Estimation (BE), correlation analysis

摘要：

目前，关于生成式对抗网络（GAN）中成员推理攻击（MIA）的准确率与生成模型自身泛化能力之间的关系存在争议，因此有效的攻击手段难以广泛应用，这限制了生成模型的改进。为了解决上述问题，提出一种基于贝叶斯估计（BE）的灰盒MIA方案，旨在灰盒场景下高效匹配参数以实现最优攻击。首先，在黑盒条件下设计目标模型和影子模型的训练框架，以获取攻击模型所需的参数知识；其次，结合并利用这些有效参数信息不断更新目标函数，从而训练攻击模型；最后，将训练好的攻击模型应用于MIA。实验结果表明，与现有的白盒、黑盒攻击方案相比，基于BE的灰盒攻击方案的准确率平均分别提升了15.89%和21.64%。以上研究结果展示了参数暴露与攻击成功率（ASR）之间的直接联系，也为未来该领域开发防御性策略提供了方向。

关键词: 机器学习, 生成式对抗网络, 成员推理攻击, 贝叶斯估计, 关联分析

CLC Number:

TP309.7

You SHANG, Xianghua MIAO. Bayesian membership inference attacks for generative adversarial networks[J]. Journal of Computer Applications, 2025, 45(10): 3252-3258.

尚游, 缪祥华. 面向生成式对抗网络的贝叶斯成员推理攻击[J]. 《计算机应用》唯一官方网站, 2025, 45(10): 3252-3258.

Figures/Tables 7

Fig. 1 Architecture of Gray-box MIA

Tab. 1 Symbol explanations

符号	表达式	含义
$x$	/	目标样本
$y$	/	预测结果，成员取1，非成员取0
$w$	$w = (w 1, w 2, …, w m)$	各网络层的权重参数
$D t r a i n$	$D t r a i n = {x 1, x 2, …, x n}$	生成器中的n个数据点
$μ$	/	均值
$∑$	/	协方差矩阵
$ε$	$ε = (μ, ∑)$	控制分布 $q (w; ε)$ 的一组参数
$E L B O (q)$	/	证据下限常数

Tab. 1 Symbol explanations

符号	表达式	含义
$x$	/	目标样本
$y$	/	预测结果，成员取1，非成员取0
$w$	$w = (w 1, w 2, …, w m)$	各网络层的权重参数
$D t r a i n$	$D t r a i n = {x 1, x 2, …, x n}$	生成器中的n个数据点
$μ$	/	均值
$∑$	/	协方差矩阵
$ε$	$ε = (μ, ∑)$	控制分布 $q (w; ε)$ 的一组参数
$E L B O (q)$	/	证据下限常数

Tab. 2 Average attack success rates of seven types of MIAs under five GANs

模型	CIFAR10					Fashion-MNIST
模型	DCGAN	InfoGAN	WGAN	PIGAN	RS-DPGAN	DCGAN	InfoGAN	WGAN	PIGAN	RS-DPGAN
黑盒1^［9］	0.576	0.514	0.492	0.493	0.466	0.628	0.517	0.500	0.436	0.451
黑盒2^［10］	0.566	0.509	0.498	0.510	0.506	0.616	0.518	0.516	0.435	0.514
黑盒3^［11］	0.561	0.530	0.479	0.517	0.502	0.633	0.545	0.507	0.481	0.509
GAN-Leaks^［6］	0.618	0.530	0.501	0.531	0.492	0.621	0.536	0.512	0.530	0.505
蒙特卡罗^［7］	0.667	0.544	0.505	0.522	0.519	0.636	0.543	0.517	0.551	0.534
GBMIA^［8］	0.649	0.600	0.597	0.506	0.501	0.655	0.612	0.608	0.517	0.517
本文模型（n=50）	0.712	0.638	0.709	0.635	0.614	0.749	0.651	0.709	0.614	0.608
模型	ILSVRC2012					花卉识别
模型	DCGAN	InfoGAN	WGAN	PIGAN	RS-DPGAN	DCGAN	InfoGAN	WGAN	PIGAN	RS-DPGAN
黑盒1^［9］	0.637	0.529	0.503	0.419	0.436	0.624	0.530	0.540	0.429	0.442
黑盒2^［10］	0.631	0.566	0.511	0.423	0.478	0.622	0.546	0.543	0.419	0.504
黑盒3^［11］	0.639	0.572	0.521	0.531	0.550	0.640	0.555	0.551	0.477	0.518
GAN-Leaks^［6］	0.639	0.577	0.520	0.519	0.521	0.638	0.579	0.548	0.468	0.510
蒙特卡罗^［7］	0.644	0.594	0.577	0.545	0.611	0.646	0.601	0.605	0.551	0.543
GBMIA^［8］	0.657	0.608	0.600	0.547	0.630	0.655	0.603	0.594	0.548	0.540
本文模型（n=50）	0.740	0.602	0.730	0.622	0.619	0.737	0.661	0.711	0.632	0.622

Fig. 2 Average accuracies of three attack types on four datasets

Tab. 3 Spearman’s correlation of different network layers and attack success rates on WGAN

网络层	ASR在50%以下	ASR在50%~60%	ASR在60%以上
FC1	0.34	0.71	0.83
FC2	0.13	0.85	0.83
FC3	0.09	0.78	0.87
Deconv1	0.41	0.67	0.70
Deconv2	0.33	0.65	0.76
BN1	0.51	0.52	0.49
BN2	0.57	0.52	0.55
所有层	0.30	0.69	0.95

Tab. 4 Spearman’s correlation of different network layers and attack success rates on DCGAN

网络层	ASR在50%以下	ASR在50%~60%	ASR在60%以上
Deconv1	0.46	0.85	0.74
Deconv2	0.37	0.84	0.89
Deconv3	0.27	0.81	0.86
BN1	0.47	0.56	0.51
BN2	0.50	0.52	0.58
所有层	-0.11	0.71	0.92

Fig. 3 Box plot statistics of attack success rates on different network layers

References 32

[1]	李乐阳，佟国香，赵迎志，等. 基于生成对抗网络的文本生成图像研究综述［J］. 电子科技， 2023， 36（10）： 39-55.
	LI Y Y， TONG G X， ZHAO Y Z， et al. A survey of text-to-image synthesis based on generative adversarial network［J］. Electronic Science and Technology， 2023， 36（10）： 39-55.
[2]	王崇宇，毛琪，金立标. 基于生成对抗网络的图像视频编码综述［J］. 中国传媒大学学报（自然科学版）， 2022， 29（6）： 19-28.
	WANG C Y， MAO Q， JIN L B. Review on image and video coding via generative adversarial networks［J］. Journal of Communication University of China （Science and Technology）， 2022， 29（6）： 19-28.
[3]	PRADHYUMNA P， MOHANA. A survey of modern deep learning based Generative Adversarial Networks （GANs）［C］// Proceedings of the 6th International Conference on Computing Methodologies and Communication. Piscataway： IEEE， 2022： 1146-1152.
[4]	HU H， SALCIC Z， SUN L， et al. Membership inference attacks on machine learning： a survey［J］. ACM Computing Surveys， 2022， 54（11s）： No.235.
[5]	牛俊，马骁骥，陈颖，等. 机器学习中成员推理攻击和防御研究综述［J］.信息安全学报， 2022， 7（6）： 1-30.
	NIU J， MA X J， CHEN Y， et al. A survey on membership inference attacks and defenses in machine learning［J］. Journal of Cyber Security， 2022， 7（6）： 1-30.
[6]	CHEN D， YU N， ZHANG Y， et al. GAN-Leaks： a taxonomy of membership inference attacks against GANs［C］// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York： ACM， 2020：343-362.
[7]	HILPRECHT B， HERTERICH M， BERNAU D. Monte Carlo and reconstruction membership inference attacks against generative models［J］. Proceedings on Privacy Enhancing Technologies， 2019（4）：232-249.
[8]	WANG X， WANG N， WU L， et al. GBMIA： gradient-based membership inference attack in federated learning［C］// Proceedings of the 2023 IEEE International Conference on Communications. Piscataway： IEEE， 2023： 5066-5071.
[9]	彭长根，高婷，刘惠篮，等. 面向机器学习模型的基于PCA的成员推理攻击［J］. 通信学报， 2022， 43（1）： 149-160.
	PENG C G， GAO T， LIU H L， et al. PCA-based membership inference attack for machine learning models［J］. Journal on Communications， 2022， 43（1）： 149-160.
[10]	ZHANG M， YU N， WEN R， et al. Generated distributions are all you need for membership inference attacks against generative models［C］// Proceedings of the 2024 IEEE/CVF Winter Conference on Applications of Computer Vision. Piscataway： IEEE， 2024：4827-4837.
[11]	ZHANG Y， ZHOU H， WANG P， et al. Black-box based limited query membership inference attack［J］. IEEE Access， 2022， 10： 55459-55468.
[12]	BLEI D M， KUCUKELBIR A， McAULIFFE J D. Variational inference： a review for statisticians［J］. Journal of the American Statistical Association， 2017， 13（112）： No.859877.
[13]	RADFORD A， METZ L， CHINTALA S. Unsupervised representation learning with deep convolutional generative adversarial networks［EB/OL］. ［2024-09-12］..
[14]	SHOKRI R， STRONATI M， SONG C， et al. Membership inference attacks against machine learning models［C］// Proceedings of the 2017 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2017： 3-18.
[15]	WU Y， BURDA Y， SALAKHUTDINOV R， et al. On the quantitative analysis of decoder-based generative models［EB/OL］. ［2024-07-08］..
[16]	YEOM S， GIACOMELLI I， FREDRIKSON M， et al. Privacy risk in machine learning： analyzing the connection to overfitting［C］// Proceedings of the IEEE 31st Computer Security Foundations Symposium. Piscataway： IEEE， 2018： 268-282.
[17]	NASR M， SHOKRI R， HOUMANSADR A. Comprehensive privacy analysis of deep learning： passive and active white-box inference attacks against centralized and federated learning［C］// Proceedings of the 2019 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2019： 739-753.
[18]	HU H， PANG J. Membership inference attacks against GANs by leveraging over-representation regions［C］// Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York： ACM， 2021： 2387-2389.
[19]	ZHENG J， CAO Y， WANG H. Resisting membership inference attacks through knowledge distillation［J］. Neurocomputing， 2021， 452： 114-126.
[20]	EFRON B. Bayes’ theorem in the 21st century［J］. Science， 2013， 240（6137）： 1177-1178.
[21]	STIGLER S M. Thomas Bayes’s Bayesian inference［J］. Journal of the Royal Statistical Society. Series A （General）， 1982， 145（2）：250-258.
[22]	JORDAN M I， GHAHRAMANI Z， JAAKKOLA T S， et al. An introduction to variational methods for graphical models［J］. Machine Learning， 1999， 37（2）： 183-233.
[23]	ISHIGURO K， SATO I， UEDA N. Averaged collapsed variational Bayes inference［J］. Journal of Machine Learning Research， 2017， 18： 1-29.
[24]	BISHOP C M. Pattern recognition and machine learning［M］. New York： Springer， 2006.
[25]	XIAO H， RASUL K， VOLLGRAF R. Fashion-MNIST： a novel image dataset for benchmarking machine learning algorithms［EB/OL］. ［2024-09-12］..
[26]	KRIZHEVSKY A. Learning multiple layers of features from tiny images［R/OL］. ［2024-09-12］..
[27]	RUSSAKOVSKY O， DENG J， SU H， et al. ImageNet large scale visual recognition challenge［J］. International Journal of Computer Vision， 2015， 115（3）： 211-252.
[28]	NILSBACK M E， ZISSERMAN A. Automated flower classification over a large number of classes［C］// Proceedings of the 6th Indian Conference on Computer Vision， Graphics and Image Processing. Piscataway： IEEE， 2008： 722-729.
[29]	CHEN X， DUAN Y， HOUTHOOFT R， et al. InfoGAN： interpretable representation learning by information maximizing generative adversarial nets［C］// Proceedings of the 30th International Conference on Neural Information Processing Systems. Red Hook： Curran Associates Inc.， 2016： 2180-2188.
[30]	MARTIN A， SOUMITH C， LEON B. Wasserstein generative adversarial networks［C］// Proceedings of the 34th International Conference on Machine Learning. New York： JMLR.org， 2017： 214-223.
[31]	HASSANZADEH P H， TILLMAN R E. Generative models with information-theoretic protection against membership inference attacks［EB/OL］. ［2024-10-01］..
[32]	HUANG Y， CAO L. Privacy-preserving remote sensing image generation and classification with differentially private GANs［J］. IEEE Sensors Journal， 2023， 23（18）： 20805-20816.

Bayesian membership inference attacks for generative adversarial networks

面向生成式对抗网络的贝叶斯成员推理攻击

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 7

References 32

Related Articles 15

Recommended Articles

Metrics

[1]	Yilin DENG, Fajiang YU. Pseudo random number generator based on LSTM and separable self-attention mechanism [J]. Journal of Computer Applications, 2025, 45(9): 2893-2901.
[2]	Jin ZHOU, Yuzhi LI, Xu ZHANG, Shuo GAO, Li ZHANG, Jiachuan SHENG. Modulation recognition network for complex electromagnetic environments [J]. Journal of Computer Applications, 2025, 45(8): 2672-2682.
[3]	Ying HUANG, Shengmei GAO, Guang CHEN, Su LIU. Low-light image enhancement network combining signal-to-noise ratio guided dual-branch structure and histogram equalization [J]. Journal of Computer Applications, 2025, 45(6): 1971-1979.
[4]	Hui LI, Bingzhi JIA, Chenxi WANG, Ziyu DONG, Jilong LI, Zhaoman ZHONG, Yanyan CHEN. Generative adversarial network underwater image enhancement model based on Swin Transformer [J]. Journal of Computer Applications, 2025, 45(5): 1439-1446.
[5]	Lihu PAN, Shouxin PENG, Rui ZHANG, Zhiyang XUE, Xuzhen MAO. Video anomaly detection for moving foreground regions [J]. Journal of Computer Applications, 2025, 45(4): 1300-1309.
[6]	Hong SHANGGUAN, Huiying REN, Xiong ZHANG, Xinglong HAN, Zhiguo GUI, Yanling WANG. Low-dose CT denoising model based on dual encoder-decoder generative adversarial network [J]. Journal of Computer Applications, 2025, 45(2): 624-632.
[7]	Guoyu XU, Xiaolong YAN, Yidan ZHANG. DU-FastGAN： lightweight generative adversarial network based on dynamic-upsample [J]. Journal of Computer Applications, 2025, 45(10): 3067-3073.
[8]	Li LIU, Haijin HOU, Anhong WANG, Tao ZHANG. Generative data hiding algorithm based on multi-scale attention [J]. Journal of Computer Applications, 2024, 44(7): 2102-2109.
[9]	Haoran WANG, Dan YU, Yuli YANG, Yao MA, Yongle CHEN. Domain transfer intrusion detection method for unknown attacks on industrial control systems [J]. Journal of Computer Applications, 2024, 44(4): 1158-1165.
[10]	Shuai REN, Yuanfa JI, Xiyan SUN, Zhaochuan WEI, Zian LIN. Prediction of landslide displacement based on improved grey wolf optimizer and support vector regression [J]. Journal of Computer Applications, 2024, 44(3): 972-982.
[11]	Sunjie YU, Hui ZENG, Shiyu XIONG, Hongzhou SHI. Incentive mechanism for federated learning based on generative adversarial network [J]. Journal of Computer Applications, 2024, 44(2): 344-352.
[12]	Hui ZHOU, Yuling CHEN, Xuewei WANG, Yangwen ZHANG, Jianjiang HE. Deep shadow defense scheme of federated learning based on generative adversarial network [J]. Journal of Computer Applications, 2024, 44(1): 223-232.
[13]	Anyang LIU, Huaici ZHAO, Wenlong CAI, Zechao XU, Ruideng XIE. Adaptive image deblurring generative adversarial network algorithm based on active discrimination mechanism [J]. Journal of Computer Applications, 2023, 43(7): 2288-2294.
[14]	Shaoquan CHEN, Jianping CAI, Lan SUN. Differential privacy generative adversarial network algorithm with dynamic gradient threshold clipping [J]. Journal of Computer Applications, 2023, 43(7): 2065-2072.
[15]	Xin JIN, Yangchuan LIU, Yechen ZHU, Zijian ZHANG, Xin GAO. Sinogram inpainting for sparse-view cone-beam computed tomography image reconstruction based on residual encoder-decoder generative adversarial network [J]. Journal of Computer Applications, 2023, 43(6): 1950-1957.