TableGAN-MCA: Evaluating Membership Collisions of GAN-Synthesized Tabular Data Releasing

We let $D_{t}=\{\mathbf{x}\}$ be a training set sampled from an implicit data distribution $\mathbf{P}_{r}$. Each private entry takes the form as $\mathbf{x}=(x,y)\in\mathbf{X}\times\mathbf{Y}$, where $x$ represents the features and $y$ represents the class label. A data release mechanism GAN trains on the training set $D_{t}$ and outputs a well learned generator $G$. Generator $G$ is a deterministic function that maps a prior distribution, i.e., Gaussian distribution $\mathbf{P}_{z}$, to the generated distribution $\mathbf{P}_{g}$ that mimic real distribution $\mathbf{P}_{r}$. Then, a synthetic dataset $S\sim\mathbf{P}_{g}$ is published and serves as a sanitized version of $D_{t}$. We formalize the membership collisions as : a published synthetic datasets $S\sim\mathbf{P}_{g}$ collide with its training set $D_{t}\sim\mathbf{P}_{r}$ and result in a colliding member set $I=S\cap D_{t}$. Notice that a data point $\mathbf{x}\in I$ result in $\mathbf{x}\in D_{t}$. Similarly, a synthetic data point $\mathbf{x}\not\in I$ result in $\mathbf{x}\not\in D_{t}$.

We aim to study how much an adversary $\mathcal{A}$ increases its ability to assert whether a synthetic data point $\mathbf{x}\sim S$ belongs to the colliding member set $I$ by estimating the generated distribution $\mathbf{P}_{g}$ via the published synthetic dataset $S$. Formally,

In this work, we consider that the prior advantage of the attacker is random guess, that is, $\Pr[\mathcal{A}(\mathbf{x})=1]=\Pr[\mathbf{x}\in I]$. Thus, we evaluate the posterior advantage of the attacker thereafter.

Note that Def. 3.1 differs from the membership inference definition (Shokri et al., 2017) by changing the goal of arbitrary membership inference with membership collision inference of synthetic data. The proposed TableGAN-MIA is an instance of MCA in GAN-synthesized table releasing.

In the context of GAN-synthesized data sharing, adversaries are external parties that wish to learn the statistics of the sensitive dataset by querying data owners or curators. In existing MIAs against GANs (Park et al., 2018; Hayes et al., 2020; Hilprecht et al., 2019; Chen et al., 2020), the adversary’s knowledge is: (1) having only limited synthetic data, (2) accessing a black-box generator API (unlimited synthetic data), (3) accessing a black-box generator plus a discriminator oracle, (4) accessing a white-box GAN. Our study focus on the most strict attack model: (1) and (2) (which is similar to the threat model in MC (Hilprecht et al., 2019) and “Full Black-box Generator” assumption in GAN-Leaks (Chen et al., 2020)). The attacker does not know the priori of the model’s structure, including meta-parameters, training data and any target data to infer membership. In TableGAN-MCA, the adversary’s goal is to recover the value of some members of the training set from the published synthetic datasets that may unintentionally contain colliding members. In this paper, we evaluate TableGAN-MCA under two threat models:

The membership indicator is triggered by two observations. First, the released GAN-synthesized tables often overlap the training dataset of the GAN model. Second, such synthetic data points appearing frequently in the published GAN-synthesized data are more likely to be the colliding member of the training dataset. That is, $\Pr[\mathbf{x}\in D_{t}|\mathbf{P}_{g}]\propto\Pr[\mathbf{x}|\mathbf{P}_{g}]$. Fig. 3 depicts the observations from three datasets used in this paper, where we count the numbers of members and non-members, given numbers of appearance of the data points in the released synthetic tables. In Fig. 3 (left), approximately $96\%$ of synthetic data with a sampled frequency of more than three are colliding members. Conversely, almost $91\%$ unique synthetic data are non-colliding members in the Adult dataset. Thus, sample frequency is highly correlated with membership collisions and can be treated as an indicator to indicate membership. Formally, we estimated the membership indicator by the following equation.

where an indicator function $\mathbbm{1}(\cdot)$ outputs $1$ if its argument is true, $S$ is the synthetic datasets available to the adversary following $\mathbf{P}_{g}$, of size $|S|=n$.

To date, the adversary can launch a data reconstruction attack by setting a threshold for the value of a membership collisions indicator of Eq. (4), similar to (Chen et al., 2020). The adversary then claims that the synthetic data, having collisions indicators greater than a given threshold, are the recovered data. However, choosing an optimal threshold is a non-trivial task for an adversary without background knowledge about training data except the published synthetic data. To deal with it, we additionally leverage shadow model techniques (Shokri et al., 2017) to enhance the knowledge of adversaries to construct a robust TableGAN-MCA framework.

In a nutshell, TableGAN-MCA combines the membership collisions indicator and the shadow models  (Shokri et al., 2017) to train an attack model to learn the relation between membership collisions (labels) and indicator values (features) in released GAN-synthesized tables. Fig. 4 depicts the framework of TableGAN-MCA and Alg. 1 shows the detailed implementation. Each step in Alg. 1 corresponds to the step index in Fig. 4. In summary, steps 2, 3, 4 and 5 train an attack classifier by giving synthetic data. Steps 1 and 6 infer membership collisions to recover training data.

In Steps $1$ and $4$, $\{\#\mathbf{x}\}$ represents estimated sample frequency following from Eq. 4. They are concatenated (“$\bowtie$”) to $S_{i}$ (Step 1) and $\widetilde{S}_{i}$ (Step 4) as an extra feature.

In Step 4, a label function is required to claim membership collisions in shadow datasets. For a shadow dataset $\widetilde{S}_{i}$ such that $S_{i}\cap\widetilde{S}_{i}=\widetilde{I}_{i}$, a membership collisions label for each data $\mathbf{x}^{\prime}_{i}$ will be $y^{\prime}_{i}=\mathbbm{1}\left(\mathbf{x}^{\prime}_{i}\in\widetilde{I}_{i}\right)$.

In Step $6$, attack model $f(\cdot)$ outputs the predicted probability about whether a synthetic data is colliding member. Adversaries then expose a data set $R_{\mathcal{A}}$ that with high prediction scores.

For attack model $(2)$ (unlimited synthetic data) such that $N_{s}>1$, the adversary repeat the Step1 to Step 4 $N_{s}$ times and gets $N_{s}$ labeled shadow datasets $\{\widetilde{S}_{1},\widetilde{S}_{2},...,\widetilde{S}_{N_{s}}\}$ such that each of them with size $N_{s}\times|D_{t}|$. Then the adversary concat (“$\|$”) all shadow datasets together to train the attack model.

Note that in the worst-case (to the adversary), where the intersection between the training set and the synthetic dataset could be empty, the adversary of TableGAN-MCA cannot recover anything from the private training data. To avoid such a case, we would discretize the synthetic dataset to generalize the range of each feature such that there is a non-empty intersection. In this way, we could (at least) recover coarse-grained information regarding the members within the training data. We show the details of the discretization operation in Section 5.1.

We perform experimental evaluations on three commonly used (Ruoss et al., 2020; Xu et al., 2019; Park et al., 2018; Barenstein, 2019; Chen et al., 2018) real-world tables, Adult (Ronny and Barry, 1996), Lawschool (Richard et al., [n.d.]) and Compas (Jeff et al., 2017).

Note that unlike MIAs attacking classifiers that produce predicted labels with probability, generative models only output synthetic samples. The labels in generated datasets serve as an ordinary feature like other features when training attack models. Therefore, for simplicity, we use the three binary-labeled datasets in our experiments.

We evaluate machine learning efficacy of synthetic data generated by four generative models, CTGAN (Xu et al., 2019), TVAE (Xu et al., 2019), WGAN-GP and WGAN-WC vary four binary classifiers: DecisionTreeClassifier, MLPClassifier, AdaBoostClassifier, and LogisticRegression (Standard scikit-learn machine learning library, see middle columns in Table 4). We also compare ECDFs using the average of all attribute-wise Wasserstein distance $\mathbb{E}_{i}(l_{1})$ (see the last column in Table 4). All numerical features are min-max scaled to $(0,1)$ and categorical features are one-hot encoded before feeding into the classifier. For “base”, we trained on the sensitive dataset $D_{t}$ that is used for data synthesis and test on the real test set $D_{s}$ (see Table 3). For synthetic data, we trained on a synthetic dataset $S$ of the same size as the sensitive dataset and test on the same real test set $D_{s}$. To implement CTGAN and TVAE, we directly feed our pre-processed data into the module CTGANSynthesizer and TVAESynthesizer of the SDGym (Carles, 2019) (published code for  (Xu et al., 2019)).

According to Table 4, the synthetic dataset generated by WGAN-GP, WGAN-WC, CTGAN and TVAE can greatly restore the prediction ability of the model trained on original dataset. TVAE is least ideal than the others in the Adult dataset. CTGAN is least ideal than the others in the Compas dataset. We will use these learned generative models to perform TableGAN-MCA experiments later.

For marginal fitness, we depict an additional ECDF comparison between real and synthetic Adult, Lawschool and Compas datasets generated by WGAN-GP in Fig. 5. In our experiments, we depict ECDFs of continuous variables (i.e., age, isat) and more complex categorical variables (i.e., hours per week, priors count) since they are more difficult to fit. As can be seen in Fig. 5, the marginals of the synthetic dataset are almost indistinguishable from the original one, thus supporting any statistical queries.

The size of the training dataset for a GAN model positively impacts the attack performance. Fig. 9 depicts the positive impact of training dataset size on prediction accuracy and AUPRC of TableGAN-MCA, where $1.0$ in x-axis indicates the full size of a given dataset, $N_{s}=1$. Especially, when the size of the training dataset is less than $0.5$ of the full dataset, increasing the size has a significant impact on the attack performance. The intuition behind the experimental results is two-fold. First, less training data decrease the number of colliding members (positives) in fixed amount of synthetic datasets thus decreases the attack effect. Second, GAN learns a less accurate data distribution if trained on a smaller dataset. Synthetic data generated by such a distribution contain less information than the original training data hence hard for the adversary to learn the statistical patterns of the members/non-members. Note that our results do not conflict with (Hayes et al., 2020; Chen et al., 2020; Lin et al., 2021) since we use different measurements (PR space vs ROC space) that focus on different domains (Davis and Goadrich, 2006). Additionally, our attack target (test data) is also different. We aim to recover the colliding member data from the released synthetic dataset whereas they aim to infer the membership of a random target data point, and thus we learn different decision boundaries.

Epochs impact the attack performance of TableGAN-MCA by impacting the knowledge learned by GAN models. We study the attack performance on different training stages by setting different epochs in Fig. 10, where we report the attack prediction accuracy and attack AUPRC.

As seen from Fig. 10, we find that the membership leakage starts at the very beginning of the training epoch, even before the GAN reaches the Nash equilibrium. Interestingly, in Adult and Compas, the attack effect seems to slightly decrease when we set a larger epochs for training GAN models. Since TableGAN-MCA tends to recover the data with high appearance frequency (recall Fig. 3), we conclude that with increasing epochs, GAN models learn more about the training data distribution; hence, the released synthetic data contain more information, which enhances the attack performance. However, once the GAN models learn the details of the data distribution, such details about the distribution would dilute the frequency of those data supposed to have high frequency. The attack performance of TableGAN-MCA is then potentially dropped.

Training data frequencies are positively correlated with training data recovery probabilities by TableGAN-MCA. We first compute the recovery possibility and appearance frequency for each data point. We then plot the recovery possibility over the values of data points frequency in Fig. 11. For each dataset, we set two precision-scores of TableGAN-MCA and plot the training data frequency-recovery rate curves. Overall, highly frequent training data are more susceptible to TableGAN-MCA. For instance, when attacking Adult datasets with $80\%$ precision, $41.5\%(784/1892)$ training data with appearance more than three times are recovered by TableGAN-MCA whereas only $0.6\%(510/25130)$ of unique training data ($\#\mathbf{x}=1$) are recovered by TableGAN-MCA.

For highly frequent training data, GANs inevitably learn and output these common representations frequently; thus it is easy to recover such highly frequent data by TableGAN-MCA. The re-identification threats of these data caused by TableGAN-MCA are limited since each of them correspond to several individuals and lack of uniqueness.

Unique training data, on the other hand, have more risks for being linked to specific people once recovered by TableGAN-MCA. Therefore, it deserves further exploration for the reason of being exposed.

Generalization of GAN models may accidentally increase the appearance of some unique data points in the synthetic data, therefore increasing their probability to be recovered by TableGAN-MCA. Since the TableGAN-MCA is based on data density in modeled distribution $\mathbf{P}_{g}$, for a recovered unique training data point $\mathbf{x}_{i}$, we study how TableGAN-MCA is impacted by the difference between data density of $\mathbf{x}_{i}$ in the training distribution $\mathbf{P}_{r}$ and that of the modeled distribution $\mathbf{P}_{g}$.

According to our experiments, we discover that some unique training data ($\forall\mathbf{x}\in\mathbf{P}_{r}$, $\#\mathbf{x}_{i}=1$) have unexpected high exposure in modeled distribution $\mathbf{P}_{g}$. For example, in Fig. 12, we illustrate the average counts (from $100$ synthetic datasets following modeled distribution $\mathbf{P}_{g}$) of five data points that appear in the training dataset only once. As we can see, these five data points have higher counts than what they have in the training dataset ($=1$). Such an observation indicates that the generator of GAN models unfairly increases the probability of exposure of some data points under TableGAN-MCA. We also find that such an observation is not rare. For instance, according to the statistics in Fig. 12 (Adult), roughly $470$ ($1.5\%$ of the training dataset) unique entries at least double their exposure; roughly $150$ ($0.47\%$ of the training dataset) unique entries at least triple their exposure.

Next, we explore the factors that potentially trigger our observations by a set of experiments inspired by unintended memorization (Carlini et al., 2019). Specifically, unintended memorization identifies the impact of the presence of one training input on the modeled distribution $\mathbf{P}_{g}$ learned by GAN. Note that this experiment resembles the definition of differential privacy (DP) (Dwork et al., 2006b). DP is more generic and rigorous as it measures that the probability difference varies all possible functions and all data points, which is computationally infeasible in our measurements. In this case, we narrow down the design by observing the difference between a sample density in two generated distributions $\mathbf{P_{g}}$ trained on neighboring training sets.

Let $D_{t}$ be the sensitive training set, $\mathbf{x}_{i}\in D_{t}$ be a target data point and $D^{\prime}_{t}=D_{t}^{\setminus\mathbf{x}_{i}}$ be the neighboring dataset such that the Hamming distance ${\rm{d_{H}}}(D_{t},D^{\prime}_{t})=1$. Let $G$ be a learned generator trained on $D_{t}$ and $G^{\prime}$ be a generator trained on $D^{\prime}_{t}$. We measure the difference between the probability of producing a synthetic data point $\mathbf{x}_{i}$ with (prior) and without (posterior) the input data point $\mathbf{x}_{i}$.

Following a recent work (Carlini et al., 2019), GAN models do not memorize a data point if it does not exist in the training dataset $D_{t}$. Thus, if Eq. (6) approaches $1$, we say that the target data $\mathbf{x}_{i}$ is unlikely to be memorized by the GAN. The pseudo-code of the experiment is presented in Alg. 2. In the experiment, we use $20$ different GANs ($N_{k}=20$) and some of target data to estimate Eq. (6). We report the experimental results of five target data ($N_{c}=5$) in Fig. 13.

From Fig. 13, we choose the same samples (data points) as in Fig. 12 to compare how prior (with a target $\mathbf{x}_{i}$) and posterior densities (without target $\mathbf{x}_{i}$) differ in modeled distribution. We find that the presence of the target entry $\mathbf{x}_{i}$ has limited influence on its frequency in modeled distribution $\mathbf{P}_{g}$. Even if some data point $\mathbf{x}_{i}$ is absent in the training set, its probability density in synthetic distribution $\mathbf{P}_{g}$ is still high, e.g., $\mathbf{x}_{4},\mathbf{x}_{5}$ in the Adult dataset. This is perhaps because GAN’s generalization smooths the sudden change that happened in the probability space of the training set. For instance, the density of the a target point $\mathbf{x}_{i}$ in $\mathbf{P}_{r}$ may be lower than the surrounding points, whereas the GAN smooths such sudden changes in the probability space, and thus it is unintended to increase its probability of exposure. In another aspect, such a rough probability space in real distribution may be attributed to insufficient sampling or unbalanced sampling. As such, cautious data collection may have positive impact in mitigating such influence. Understanding this complicated phenomenon with more explicit proof is our future work. Currently, we summarize that the unique training data recovered by TableGAN-MCA is mainly due to the GAN’s generalization rather than the unintended memorization. This result implies that mitigating the attack effect of TableGAN-MCA may inevitably compromise the availability of released synthetic datasets, since GAN generalization is closely related to its generation ability, which potentially impacts the quality of generated data.

Differentially Private WGAN (DP-GAN) only has acceptable trade-offs for larger privacy budgets, and may hardly eliminates TableGAN-MCA without compromise synthetic data utility. Differential privacy (Dwork et al., 2006b) provides a quantified solution to output randomized answers. In this work, we apply a standard approach of differentially private iterative training procedure (DP-SGD, short for DP stochastic gradient descent) (Abadi et al., 2016; McMahan et al., 2018) to the GAN to train a ($\epsilon,\delta$)-differentially private generator oracle. Otherwise, since DP-SGD perturbs the training process of discriminative models, such mitigation may achieve sub-optimal trade-offs between membership collision privacy and synthetic data utility. In the experiments, we implement the DP framework according to (McMahan et al., 2018) and account the privacy budget $(\epsilon,\delta$) using RDP accountant released in Tensorflow/Privacy project. Note that WGAN-GP, TVAE and CTGAN do not have DP versions, and thus we study the DP version of WGAN-WC. The generation quality and TableGAN-MCA effect of non-private baseline are shown in Fig. 14 followed by Table 4 and Fig. 8(a).

To implement DP-WGAN, we train a differentially private discriminator. The generator is differentially private because of the post-processing (Dwork et al., 2014). We add calibrated noise into each gradient of the discriminator during training. The accumulation of multiple Gaussian noise addition (Dwork et al., 2006a) relies on privacy accountant techniques (Abadi et al., 2016) and Rényi differential privacy (Mironov, 2017). We provide DP-related hyper-parameters in Table 8, Appendix C.1.

We provide the experimental results of the machine learning utility and TableGAN-MCA effect when sharing differentially private synthetic data in Fig. 14. The shadow GANs in use are non private WGAN-WC. The privacy budget $\epsilon$ measures the amount of privacy leakage and a smaller value means more privacy-preserved. $\delta$ denotes the probability of violating $\epsilon$-DP, which is set to $\frac{1}{O(|D_{t}|)}$. As can be seen from Fig. 14, the DP method has some positive effect in defending against the TableGAN-MCA. For Adult datasets, when privacy budget $\epsilon\approx 2.0$, the attack AUPRC decreases by $16.01\%$ and model’s predicted accuracy decreases by $1.18\%$ in comparison to the no-DP baseline (see dash dots in Fig. 14). For the Compas dataset, when privacy budget $\epsilon\approx 8.0$, the attack AUPRC decreases by $48.33\%$ and model’s predicted accuracy decreases by $5.13\%$ in comparison to the no-DP baseline. We also depict the ECDF comparison between the original training data and differentially private synthetic data for each marginal to show marginal fitness compromise in Fig. 18 (Appendix C.1). It is not surprising that DP-WGAN achieves sub-optimal trade-offs when protecting against TableGAN-MCA, since the memorization experiment shows that the presence of individuals does not significantly affect the generated distribution. The membership collisions information that we intend to infer is perhaps highly correlated to population statistics (attributes correlation), which will be preserved even under DP training.