1 Introduction
Advanced machine learning techniques, and in particular deep neural networks (DNNs), have been applied with great success to a variety of areas, including speech processing [35], medical diagnostics [17], image processing [16], and robotics [64]. Such success largely depends on massive collections of data for training machine learning models. However, these data collections often contain sensitive information and therefore raise many privacy concerns. Several privacy violation attacks have been proposed to show that it is possible to extract sensitive and private information from different learning systems. Specifically, Fredrikson et al. [26] proposed to infer sensitive patients’ genomic markers by actively probing the outputs from the model and auxiliary demographic information about them. In a followup study, Fredrikson et al. [24] developed a more robust model inversion attack using predicted confidence values to recover confidential information of a training set (e.g., human faces). Shokri and Shmatikov [57] proposed a membership inference attack, which tries to predict whether a data point belongs to the training set. More recently, a generative adversarial network (GAN) based attack against collaborative deep learning [36] was proposed against distributed machine learning systems, where users collaboratively train a model by sharing gradients of their locally trained models through a parameter server. The GANbased attack has shown that even when the training process is differentially private [8, 48], it is still possible to mount an attack to extract sensitive information from original training data [36] as trusted servers may leak information unintentionally. Given the fact that Google has proposed federated learning based on distributed machine learning [47] and has already deployed it to mobile devices, such a GAN based attack [36] raises serious privacy concerns.
In this paper, we propose to use differentially private data generative models to publish differentially private synthetic data that can both protect privacy and retain high data utility. Such data generative models are trained over private/sensitive data (we will denote it as private data to be aligned with the definition in [49]) in a differentially private manner, and are able to generate new surrogate data for later learning tasks. As a result, the generated data preserves the statistical properties of the private data, which enables high learning efficacy, while also protecting the privacy of the private data. The approach of using differentially private data generative models has several advantages. First, with the generative models, privacy can be preserved even if the entire trained model or the generated data is accessible to an adversary. Second, it can be easily integrated with other learning tasks without adding much overhead, since only the training data is changed. Third, the data generation process can be done locally on the user side, which eliminates the need for a trusted server (that can be attacked and compromised) for protecting the private data from users. Finally, we can prove that any machine learning model trained over the generated data is also differentially private w.r.t. the private data.
To achieve this, we build two distinct differentially private generative models. First, we propose a differentially private autoencoderbased generative model (DPAuGM). DPAuGM works for the scenario when private data is sensitive (i.e., not suitable for releasing to public) while sharing it with other parties will facilitate data analytics. As motivation, consider a hospital not allowed to release its private medical data to public for use, but wants to share the data with universities for, say, datadriven disease diagnosis studies [34, 55]. Under this scenario, instead of publishing the medical data directly, the hospital could locally use the private medical data to train an autoencoder in a differentially private way [8] and then publish it. Any university interested in researching disease diagnosis independently feeds into the autoencoder their own small amounts of sanitized/public medical data for generating new data for machine learning tasks. Here, the sanitized/public data often refers to the publicly available data, such as [4, 7]. Ultimately, the private medical data owned by the hospital are successfully synthesized with public data owned by each university in a differentially private manner, so that the privacy of the private medical data is preserved and the utility of the datadriven disease study is retained. Another motivating example is two companies that want to collaborate on a data intelligence task. A datarich company X may wish to aid company Y in developing a model that helps maximize revenue, but is unwilling or legally unable to share its data with Y directly due to their sensitive nature. Again, company X can train a differentially private autoencoder (i.e., DPAuGM), on its large data set and share it with company Y. Then company Y could use its own, smaller, dataset along with the autoencoder to train a model that synthesizes information from both datasets.
The key advantage of the DPAuGM approach is that the representationlearning task performed on the private data significantly boosts the accuracy of the machine learning task, as compared to using the public^{1}^{1}1 For simplicity, we refer to the dataset that is passed through the autoencoder as public. In the second motivating example, if company Y only uses the trained model internally, both X’s and Y’s datasets remain private, but from an analysis perspective, we focus on the potential privacy leaks of X’s data through either the shared autoencoder or the final trained model. data alone, in cases where the public data has too few samples to successfully train a deep learning model [40]. We demonstrate this using extensive experiments on four datasets (i.e., MNIST, Adult Census Data, Hospital Data, and Malware Data), showing that DPAuGM can achieve high data utility even under a small privacy budget (i.e., ) for private data.
Second, we propose a differentially private variational autoencoderbased generative model (DPVaeGM). Compared with the ordinary autoencoder, the VAE [39]
has an extra sampling layer which can sample data from a Gaussian distribution. Using this feature, DPVaeGM is capable of generating an arbitrary amount of data by feeding Gaussian noise to the model. Similar to DPAuGM, the proposed DPVaeGM is trained on the private data in a differentially private way
[8] and is then released to public for use. Although imposing Gaussian noise on the sampling layer is useful in generating new data (i.e., capable of generating infinite data), we identify that the VAE does not perform stably in generating highquality data points. Thus, in our paper, we only evaluate DPVaeGM on the image dataset MNIST. We show that the data generated from DPVaeGM can successfully retain high utility and preserve data privacy. Under the setting of and , the prediction accuracy of DPVaeGM is more than on MNIST.To further demonstrate the robustness of our two proposed models, we evaluate both DPAuGM and DPVaeGM with three existing attacks—model inversion attack [26, 24], membership inference attack [57], and GANbased attack against collaborative deep learning [36]. The results show that DPAuGM can effectively mitigate all of the aforementioned attacks and DPVaeGM is robust against the membership inference attack. As both DPAuGM and DPVaeGM satisfy differential privacy, while only DPAuGM is robust to the model inversion and GANbased attacks, we conjecture that the key to defend against these two attacks is not due to differential privacy but the perturbation of training data.
Finally, we integrate our proposed generative models with two realworld applications, which are threatened by the aforementioned attacks. The first application is machine learning as a service (MLaaS). Traditionally, users need to upload all of their data to the MLaaS (such as Amazon Machine Learning [1]) to train a model, due to the lack of computational resources on the user side. However, if these platforms are compromised, all of the users’ data will be leaked. Thus, we propose to integrate DPAuGM and DPVaeGM with this application, so that even if the platforms are compromised, the privacy of users’ data can still be protected. We empirically show that after being integrated with DPAuGM and DPVaeGM, this application still maintains high utility. The second application is federated learning [47], which has been recently shown to be vulnerable to GANbased attacks [36]. As DPAuGM is more effective in defending against this attack, we try to combine DPAuGM with this application. We show that for federated learning, even under small privacy budgets (, ), DPAuGM only decreases original utility by .
The contributions of this paper are as follows:

We propose two differentially private data generative models DPAuGM and DPVaeGM, which can provide differential privacy guarantees for the generated data, and retain high data utility for various machine learning tasks. In addition, we compare the learning efficiency of the generated data with stateoftheart private training methods. We show that the utility of DPAuGM outperforms Deep Learning with Differential Privacy (DPDL) [8] and Scalable Private Learning with PATE (sPATE) [49] under any given privacy budget. We also show that DPVaeGM can achieve comparable learning efficiency in comparison with DPDL.

We empirically evaluate and demonstrate that the proposed model DPAuGM is robust against existing privacy attacks—model inversion attack, membership inference attack, and GANbased attack against collaborative deep learning; DPVaeGM is robust against the membership inference attack. We conjecture that the key to defend against model inversion and GANbased attacks is to distort the training data while differential privacy is targeted to protect membership privacy.

We integrate the proposed generative models with machine learning as a service and federated learning to protect data privacy. We show that such integration can retain high utility for these realworld applications, which are currently threatened by privacy attacks.
To the best of our knowledge, this is the first paper to build and systematically examine differentially private data generative models that can defend against contemporary privacy attacks on learning systems.
2 Background
In this section, we introduce some details about privacy attacks, differential privacy, and data generative models.
2.1 Privacy Attacks on Learning Systems
Model Inversion Attack. This attack was first introduced by Fredrikson et al. [26] and further developed in [24]
. The goal of this attack is to recover sensitive attributes within original training data. For example, an attacker can infer the genome type of patients from medical records data or recover distinguishable photos by attacking a facial recognition API. Such a vulnerability mainly results from the rich information captured by the machine learning models, which can be leveraged by the attacker to recover original training data by constructing data records with high confidence. In this paper, we mainly focus on a strong adversarial scenario where attackers have whitebox access to the model so as to evaluate the robustness of our proposed differentially private mechanisms. In this context, an attacker aims to reconstruct data used in the training phase by minimizing the difference between hypothesized and obtained confidence vectors from the machine learning models.
Membership Inference Attack. Shokri and Shmatikov [57] proposed the membership inference attack to determine whether a specific data record is within the training set. This attack also takes advantage of rich information recorded in machine learning models. An attacker first generates data with similar distribution as the original data by querying machine learning models and then uses the generated data to train local models (termed shadow models in [57]
) to mimic the behavior of the original models. Finally, the attacker can apply the data provided by the local models to training a classifier and determine whether a given record belongs to the original training dataset.
GANbased Attack against Collaborative Deep Learning. Hitaj et al. [36] proposed a GANbased attack targeting differentially private collaborative deep learning [56]. They showed that an attacker may use GANs to generate instances which well approximate data from other parties in a collaborative setting. The adversarial generator is improved based on the information returned from the trusted entity, and eventually achieves high attack success rate in the collaborative scenario even when differential privacy is guaranteed for each party.
2.2 Differential Privacy
Differential privacy provides strong privacy guarantees for data privacy analysis [22]. It ensures that attackers cannot infer sensitive information about input datasets merely based on the algorithm outputs. The formal definition is as follows.
Definition 1.
A randomized algorithm with domain and range , is ()differentially private if for any two adjacent training datasets , which differ by at most one training point, and any subset of outputs , it satisfies that:
The parameter is often called a privacy budget: smaller budgets yield stronger privacy guarantees. The second parameter is a failure rate for which it is tolerated that the privacy bound defined by does not hold.
Deep Learning with Differential Privacy (DPDL) [8].
DPDL achieves DP by injecting random noise in stochastic gradient descent (SGD) algorithm. At each step of SGD, DPDL computes the gradient for a random subset of training points, followed by clipping, averaging out each gradient, and adding noise in order to protect privacy. DPDL provides a differentially private training algorithm with tight DP guarantees based on moments accountant analysis
[8].2.3 Data Generative Models
Autoencoder.
An autoencoder is a widely used unsupervised learning model in many scenarios, such as natural language processing
[19] and image recognition [46]. Its goal is to learn a representation of data, typically for the purpose of dimensionality reduction [29, 61, 62]. It simultaneously trains an encoder, which transforms a highdimenstional data point to a lowdimensional representation, and a decoder, which reconstructs a highdimensional data point from the representation, while trying to minimize the
norm distance between the original and reconstructed data. Through this process, the autoencoder is able to discard those irrelevant features and enhance the performance of machine learning models when facing highdimensional input data.Variational Autoencoder (VAE). Resembling the autoencoder, an variational autoencoder also comprises two parts: the encoder and the decoder [39, 54] with a latent variable sampled from a prior distribution
. Different from the autoencoder of which the encoder only tries to reduce the data into lower dimensions, the encoder inside VAE tries to encode the input data into a Gaussian probability density domain
[39]. Mathematically, the encoder approximates , which is also a neural network (encoder), with input conditioned on the data . Then, a representation of the data will be sampled based on the output from the encoder. Finally, the decoder tries to reconstruct a data point based on sampled noise, which approximates the posterior . The two neural networks, encoder and decoder, are trained to maximize a lower bound of the loglikelihood of the data :where
is the KullbackLeibler divergence
[18].Sampling from the VAE is achieved by sampling from the (typically Gaussian) prior and passing the samples through the decoder network.
3 Differentially Private Data Generative Models
3.1 Problem Statement
Let be the set of training data containing sensitive information, and we will denote it as private data similarly with [48]. We denote as a data generative model which is trained on the private data, and is able to generate new data for later training usage, as shown in Figure 1. To protect privacy of the private data, the goal of the generative model is to prevent an attacker from recovering , or inferring sensitive information from based on . Formally, we give the definition of the differentially private generative model as below.
Definition 2.
A generative model with domain and range , is differentially private, if for any adjacent private datasets which only differ by one entry, and any subset of output space , it satisfies that:
The goal of the proposed differentially private generative model is to generate data with high utility while protecting sensitive information within the data. Current research shows that even algorithms proved to be differentially private can also leak private information in the face of certain carefully crafted attacks on different levels. Therefore, in this paper, we will also analyze several existing attacks to show that the proposed differentially private generative models can defend against the stateoftheart attacks.
3.2 Approach Overview
To protect private data privacy, we propose to use the private data to train a differentially private generative model and use this generative model to generate new synthetic data for further learning tasks, which can both protect privacy of original data and retain high data utility. As the newly generated data is differentially private w.r.t. the private data, it will be hard for attackers to recover or synthesize the private data, or infer other information about the private data in learning tasks. Specifically, we choose an autoencoder and a variational autoencoder (VAE) as our two generative models. The overview of our proposed differentially private data generative models is shown in Figure 1. First, the private data is used to train the generative model with differential privacy, which is either an autoencoder (DPAuGM) or a variational autoencoder (DPVaeGM) based model. Then the generated data from the trained differentially private generative model is published and sent to targeted learning tasks. It should be noted that DPAuGM requires the users to hold a small amount of data (denoted as public data in the figure) to generate new data while DPVaeGM is able to directly generate an arbitrary number of new data points by feeding Gaussian noise into the model. The goal of our design is to ensure that the learning accuracy on the generated data is high for ordinary users (high data utility), while the attackers cannot obtain sensitive information from the private data.
3.3 Privacy and Utility Metrics
Here we will briefly introduce privacy and data utility metrics used throughout the paper.
Privacy Metric. We refer to the privacy budget (, ) as the privacy metric during evaluation. We then evaluate how robust the proposed generative models are against three stateoftheart attacks—model inversion attack [25], membership inference attack [57], and GANbased attack against collaborative deep learning [36]. Specifically, to quantitatively evaluate how our models deal with the membership inference attack, we use the metric privacy loss as defined in [51].
Privacy Loss (PL). Within membership inference attack, we measure the privacy loss as the inference precision increment over random guessing baseline (e.g., 0.5), where the adversary’s attack precision rate is defined as the fraction of records that are correctly inferred as members of the training set among all the positive predictions. We define privacy loss as follows:
Utility Metric. We use the prediction accuracy to measure utility for different models. Considering the goal of machine learning is to build an effective prediction model, it is natural to evaluate how our proposed model performs in terms of prediction accuracy. To be specific, we will evaluate the prediction model which is trained on the generated data from the differentially private generative model.
3.4 DP autoencoderbased Generative Model (DPAuGM)
Here we introduce how to apply the differentially private autoencoderbased generative model (DPAuGM) to protect privacy of the private data while retaining high utility for the generated data.
For DPAuGM, we first train an autoencoder with our private data using a differentially private training algorithm. Then, we publish the encoder and drop the decoder. New data will be generated (encoded) by feeding the users’ own data (i.e., public data) into the encoder. These newly generated data can be used to train the targeted learning systems in the future with privacy guarantees for the private data. In this way, the generated data could synthesize the information from both private data and public data which enables high learning efficiency, and provide privacy guarantees for private data at the same time. As we will show in the evaluation section, the user only needs a small amount of data to achieve good learning efficiency and we also compare the learning efficiency when the user only uses his own data to do the training. During inference time, the encoder will also be used to encode the test data for model predictions. Since the encoder is differentially private w.r.t. private data, publishing the encoder does not compromise privacy.
DPAuGM proceeds as below:

First, it is trained with private data using a differentially private algorithm.

Second, it generates new differentially private data by feeding the public data to the encoder.

Third, it uses the generated data to train any machine learning model.
DP Analysis for DPAuGM. In this paper, we adopt the training algorithm developed by Abadi et al. [8] to achieve differential privacy. Based on the moments accountant technique applied in [8], we obtain that the training algorithm is differentially private. Here is the number of training steps, is the sampling probability, and (, ) denotes the privacy budget [8]. Further, by applying the postprocessing property of differential privacy [22], we can guarantee that the generated data is also differentially private w.r.t. the private data and shares the same privacy bound with the training algorithm. In addition, we will also prove that any machine learning model which is trained on the generated data from DPAuGM, is also differentially private w.r.t. the private data and shares the same privacy bound. This also shows the benefit of training a differentially private generative model: we only need to train one DP generative model and all the machine learning models which are trained over the generated data will be differentially private w.r.t. the private data.
Theorem 1.
Let denote the differentially private generative model and be the private data. Any machine learning model trained over the generated data , is also differentially private w.r.t. the private data .
Proof.
We denote the machine learning model trained on , and the learning model trained over the generated data. Then the proof is immediate by directly applying the postprocessing property of differential privacy [22]. ∎
3.5 DP Variational autoencoderbased Generative Model (DPVaeGM)
In this section, we will propose DPVaeGM which could generate an arbitrary number of data points for usage.
DPVaeGM proceeds as below:

[wide=1pt,leftmargin=10pt]

First, it initializes with variational autoencoders (VAEs), where is the number of the classes for the specific data. Each model is responsible for generating the data of a specific class . We empirically observe that training generative models results in higher utility than training a single model; we expect this is because a single model would need to capture the class label latent variables following a Gaussian distribution. Using separate models can also be used to generate a balanced dataset even if the original data are imbalanced.

Second, it uses a differentially private training algorithm (such as DPDL) to train each generative model .

Third, it samples data from Gaussian distribution for the sampling layer of each variational autoencoder. It returns the entire generated data by taking the union of generated data from each generative model .
DP Analysis for DPVaeGM. We have adopted the algorithm developed by Abadi et al. [8] to train each VAE. Thus each training algorithm is differentially private. Next we prove that each variational autoencoder (VAE) is a differentially private generate model (see Theorem 2) and the entire DPVaeGM is also differentially private (see Theorem 3). Formally, to show proofs, we let be the private data, be model parameters, and be the generated data (the output of a single VAE).
Theorem 2.
Let be a VAE training algorithm that is differentially private based on [8]. Let be a mapping that maps model parameters to output, with Gaussian noise generated from a sampling layer of VAE as input. Then is differentially private.
Proof.
The proof is immediate by applying the post processing property of differential privacy [22]. ∎
Theorem 3.
Let a generative model (VAE) of class be differentially private. Then if is defined to be , is differentially private, for any integer .
Proof.
Given two adjacent datasets and , without loss of generalization, assume belongs to class . Fix any subset of events . Since the generative models are pairwise independent, we obtain , where denotes the training data of for the th generative model. Similarly, . Since and only differ in , we have and , for any . Since is differentially private, then we have . Therefore, we obtain . The inequality derives from the fact that any probability is no greater than . Hence, is differentially private, for any . ∎
Remark. Both DPVaeGM and DPAuGM can realize differentially private generative models w.r.t. the private data. The main difference is that DPAuGM requires users’ own data (i.e., public data) to generate new data while DPVaeGM can generate infinite number of data points just based on Gaussian noise. Although the feature of DPVaeGM is pretty good, we do notice that the generated data quality is not always stable while DPAuGM is always stable in terms of utility. More details are presented in the evaluation section.
4 Experimental Evaluation
In this section, we first describe datasets used for evaluation, followed by the empirical results of two data generative models. Note that all the structures of generative models and machine learning model involved in the experiments are specified in Appendix A.
4.1 Datasets
MNIST. MNIST [41] is the benchmark dataset containing handwritten digits from 0 to 9, comprised of 60,000 training and 10,000 test examples. Each handwritten grayscale image of digits is centered in a 2828 or 3232 image. To be consistent with [36], we choose to use the 3232 version of MNIST dataset when evaluating our generative models against the GANbased attack.
Adult Census Data. The Adult Census Dataset [43] includes 48,843 records with 14 sensitive attributes, including gender, education level, marital status, and occupation. This dataset is commonly used to predict whether an individual makes over 50K dollars in a year. 32,561 records serve as a training set and 16,282 records are used for testing.
Hospital Data. This dataset is based on the Public Use Data File released by the Texas Department of State Health Services in 2010Q1 [5]. Within the data, there are personal sensitive information, such as gender, age, race, length of stay, and surgery procedure. We focus on the 10 most frequent main surgery procedures, and exploit part of categorical features to make inference for each patient. The resulting dataset has 186,976 records with 776 binary features. We randomly choose 36,000 instances as testing data and the rest serves as the training data.
Malware Data. To demonstrate the generality of the proposed models, we also include the Android mobile malware dataset [15] for diversity purposes. This dataset is previously used to determine whether an Android application is benign or malicious based on 142 binary features, such as user permission request. We randomly choose 3,240 instances as training data and 2,000 as testing data.
4.2 Evaluation of DPAuGM
In this subsection, we first show how DPAuGM performs in terms of utility under different privacy budgets on four datasets. To evaluate performance, for MNIST, we split the test data into two parts: 90% is used as public data and the rest 10% is used as a hold out to evaluate test performance as in [49]. For Adult Census Data, Hospital Data, and Malware Data, the test data is evenly split into two halves: the first serves as public data and the second is used for evaluating test performance. All the training data is regarded as private data of which the privacy we aim to protect. Then we analyze how public data size influences DPAuGM on MNIST dataset and we also compare the learning efficacy between when only using public data for training and combining it with DPAuGM. In addition, we compare DPAuGM with some stateofart differentially private learning methods.
Effect of Different Privacy Budgets. To evaluate the effects of privacy budgets (i.e., and ) on prediction accuracy for machine learning models, we vary (, ) to test learning efficiency (i.e., the utility metric) on different datasets. The results are shown in Figure 6(a)(d). In these figures, each curve corresponds to the best accuracy achieved given fixed , as varies between and . In addition, we also show the baseline accuracy (i.e., without DPAuGM) on each dataset for the comparison. From Figure 6, we can see that the prediction accuracy decreases as the noise level increases ( decreases), while we see DPAuGM can still achieve comparable utility with the baseline even when is tight (i.e., around ). When , for all the datasets, the accuracy lags behind the baseline within . This demonstrates that data generated by DPAuGM can preserve high data utility for subsequent learning tasks.
Efficacy of DPAuGM. We further examine how DPAuGM helps boost the learning efficacy. We compare the learning accuracy between only public data is used for training and by combining both DPAuGM and public data. For DPAuGM, we set the private budge and to be and , respectively. We do the comparisons on all the datasets and the result is presented in Table 1. As we can see from Table 1, after using DPAuGM, the learning accuracy increases by at least on all the datasets and by on Malware Data dataset. This actually demonstrates the significance of using DPAuGM for sharing the information of private data. Since the amount of private data is huge, DPAuGM trained over the private data can better capture the inner representations of the dataset, which further boosts the following learning accuracy of machine learning models. In addition, we also examine how utility is affected when different amounts of public data is available on the dataset MNIST. We vary the public data size from 1,000 to 9,000 in steps of 1,000. The privacy budget and is set as and , respectively. As we can see from Figure 10, the public data size affects test accuracy slightly, only within dropping. This suggests that private data plays a major role in generating highutility data for learning efficacy.
Datasets  With DPAuGM  Without DPAuGM 

MNIST  0.95  0.89 
Adult Census Data  0.78  0.64 
Hospital Data  0.56  0.42 
Malware Data  0.96  0.62 
In Comparison with the Differentially Private Training Algorithm (DPDL).
Although our method leverages DPDL as the differentially private training algorithm, we show that our method better performs in training the machine learning model under the same privacy budget. For comparison, we choose the feedforward neural network model with the architecture and MNIST dataset specified in
[8]. In addition, we use 90% of the test data as public data and the rest acts as the test data for both methods. For DPDL, the public data simply serves as its training data. As for the privacy budget, we fix as and vary from to . The result is shown in Figure 9(a). As we can see from Figure 9(a), under different , our method outperforms DPDL consistently. Furthermore, DPDL needs to be performed each time on a new model while DPAuGM only needs to be trained once. Then any model which is trained over the generated data from DPAuGM is differentially private w.r.t. the private data (i.e., with the same property of differential privacy achieved by DPDL). Hence, we can see that DPAuGM outperforms DPDL both in accuracy and computational efficiency.In Comparison with Scalable Private Learning with PATE. Scalable Private Learning with PATE (sPATE) [49] is recently proposed by Papernot et al., which can also realize a differentially private training algorithm w.r.t. the private data and provides privacy protection for partial data. We try to compare sPATE with DPAuGM on MNIST in terms of the utility metric. Here, the baseline denotes the scenario where no privacy protection mechanism is used. We follow [49] to split the test data into two parts. One part serves as public data while the second serves as test data. We also use the same CNN machinelearning model as specified in [49]. As we can see from Table 2, DPAuGM outperforms sPATE by 0.2% in terms of prediction accuracy and only sits below the baseline by 0.5%. Note that the reason of making a comparison at a specific pair of the privacy budget is that sPATE [49] only presents the result on MNIST for a specific pair of differential privacy parameters. Furthermore, DPAuGM surpasses sPATE in terms of computational efficiency since 250 teacher models are used in sPATE while DPAuGM only needs to be trained once.
Models  Privacy budget  Privacy budget  Accuracy  Baseline 

sPATE [49]  1.97  0.985  0.992  
DPAuGM  1.97  0.987  0.992 
4.3 Evaluation of DPVaeGM
In this subsection, we empirically evaluate utility performance of our proposed data generative model DPVaeGM. As VAE is usually used to generate high quality images, now we only evaluate DPVaeGM on the image dataset MNIST.
Effect of Different Privacy Budgets. We vary the privacy budget to test DPVaeGM on MNIST dataset. The result is shown in Figure 11, where each curve corresponds to the best accuracy given fixed , and varies between and . We show the baseline accuracy (i.e., without DPVaeGM) using the red line. From this figure, we can see that DPVaeGM can achieve comparable utility w.r.t. the baseline. For instance, when is greater than , the accuracy is always higher than . When is and is , the accuracy is over which is lower than the baseline by . Thus, we can see that DPVaeGM has the potential to generate data with high training utility while providing privacy guarantees for private data.
In Comparison with the Differentially Private Training Algorithm (DPDL). We compare DPVaeGM with DPDL on MNIST. As for the privacy budget, we fix as and vary from to . From Figure 9(b), we can see that DPVaeGM achieves comparable utility with DPDL. In addition, we want to stress that for DPVaeGM, once the data is generated, all machine learning models trained on the generated data will become differentially private w.r.t the private data while for DPDL, we need to rerun the algorithm for each new model. Thus, DPVaeGM outperforms DPDL in computation efficiency.
In Comparison with Scalable Private Learning with PATE. We also compare Scalable Private Learning with PATE (sPATE) [49] with DPVaeGM on MNIST in terms of the utility metric (i.e., prediction accuracy). The learning model applies the CNN structure as specified in [49]. As sPATE requires the presence of public data, we split the test data into two parts in the same way as specified by [49]. Considering DPVaeGM does not need public data, private data is discarded for DPVaeGM. In addition, the privacy budget and is set to be and , respectively. From Table 3, we can see that DPVaeGM falls behind sPATE by approximately 2%. This is because that sPATE trains the model using both public and private data while DPVaeGM is only trained with private data.
Models  Privacy budget  Privacy budget  Accuracy 

sPATE [49]  1.97  0.985  
DPVaeGM  1.97  0.968 
Remark. We have empirically shown that DPAuGM and DPVaeGM can achieve high data utility and protect privacy of private data at the same time.
5 Defending against Existing Attacks
To demonstrate the robustness of proposed generative models, here we evaluate the models against three stateoftheart privacy violation attacks—model inversion attack, membership inference attack, and the GANbased attack against collaborative deep learning.
5.1 Model Inversion Attack
We choose to use the onelayer neural network to mount the model inversion attack [24] over MNIST dataset setting because it is easier to check the effectiveness of the model inversion attack on image dataset. Note that Hitaj et al. [36]
claimed that the model inversion attack might not work on convolutional neural networks (CNN). For the original attack, we use all the training data to train the onelayer neural network and then try to recover digit 0 by exploiting the confidence values
[24]. As we can see from Figure (a)a, the digit 0 is almost recovered. Then, we try to evaluate how DPAuGM performs in defending against the attack. We use the generated data from DPAuGM to train the onelayer neural network. The privacy budget and for DPAuGM is set to be and , respectively. We then mount the same model inversion attack on the onelayer neural network. Figure (b)b shows the result after deploying DPAuGM. We can clearly see that after deploying DPAuGM, nothing can be learned from the attack result as shown in Figure (b)b. So we can see DPAuGM can mitigate the model inversion attack effectively. However, we find that DPVaeGM is not robust enough in mitigating the model inversion attack. We will discuss this in Section 5.4.5.2 Membership Inference Attack
We evaluate how DPAuGM and DPVaeGM perform in mitigating membership inference attack on MNIST using onelayer neural networks. The training set size is set to be 1,000 and the number of shadow models [57] is set to be 50. We have set the privacy budget and to be and , respectively. For this attack, we mainly consider whether this attack can predict the existence of private data in the training set. To evaluate the attack, we use the standard metric—precision, as specified in [57] that the fraction of the records inferred as members of the private training dataset that are indeed members. The result is shown in Figure 15. As we can see from Figure 15, after deploying DPAuGM, the attack precision for all the classes drops at least 10% and for some classes, the attack precision is approaching zero, such as classes 2 and 5. Similarly for DPVaeGM, the attack precision drops over 20% for all the classes. Thus, we conclude that, with DPAuGM and DPVaeGM, the membership inference attack can be effectively defended against. The privacy loss on MNIST is also tabulated in Table 4. As we can see, with our proposed generative models, the privacy loss for each class can be reduced to zero.
Original attack (MNIST)  0.2  0.6  0.2  0.2  0.1  0.2  0.1  0.1  0.2  0.0 
With DPAuGM  0.0  0.0  0.0  0.0  0.0  0.0  0.0  0.0  0.0  0.0 
With DPVaeGM  0.0  0.0  0.0  0.0  0.0  0.0  0.0  0.0  0.0  0.0 
5.3 GANbased Attack against Collaborative Deep Learning
We choose to use the MNIST dataset to analyze GANbased attack since the simplicity of the dataset can boost the success rate for the attacker. We create two participants in this setting, where one serves as an adversary and the other serves as an honest user, as suggested in [36]. We follow the same model structure as specified in [36], where the CNN is used as a discriminator and the DCGAN [52] is used as a generator. Users can apply the proposed differentially private generated data or original data to train their local models. We show defense results for DPAuGM in Figures 26 and 37, where Figure 26 represents the images obtained by adversaries without deploying generative models, while Figure 37 shows the obtained images which have been protected by DPAuGM. As we can see from Figure 37, the proposed model DPAuGM significantly thwarts the attacker’s attempt to recover anything from the private data. However, similar with the results from model inversion attack, DPVaeGM is not robust enough to defend against this attack. We will also discuss in detail in Section 5.4.
5.4 Discussion
Although both DPVaeGM and DPAuGM are differentially private generative models, the results show that DPAuGM is robust against all the attacks while DPVaeGM can only defend against the membership inference attack. The main difference between these two models is that DPAuGM uses the output of the encoder (a part of the autoencoder) as the generated data while DPVaeGM uses the output of the VAE. As the encoder functions can reduce the dimensions of the input data, we can envision that this operation will incur a big norm distance between the input data and the generated data in DPAuGM. Considering the model inversion attack and GAN attack both target at recovering part of the training data of a model, the best result on DPAuGM will be successfully recovering those encoded data while for DPVaeGM, the result will be recovering all. Therefore, it seems that the key to defend against these two attacks is not only differential privacy, but also the appearance of the generated data. This is also mentioned by Hitaj et al. [36], as they asserted that differential privacy is not effective in mitigating the developed GAN attack because differential privacy is not designed to solve such a problem. Differential privacy in deep learning targets at protecting the specific elements of training data, while the goal of these two attacks is to construct a data point which is similar to the training data. Even if the attacks are successful, differential privacy is not violated since the specific data points are not recovered.
Models  Model Inversion  Membership  GANbased Attack against 

Attack  Inference Attack  Collaborative Deep Learning  
DPAuGM  
DPVaeGM  
DPDL  
sPATE 
: Robust : Not Robust
Remark. Extensive experiments have shown that DPAuGM can mitigate all the three attacks. DPVaeGM is only robust against the membership inference attack (see Table 5).
6 Deploying Data Generative Models on RealWorld Applications
To demonstrate the applicability of DPAuGM and DPVaeGM, we will show how they can be easily integrated with Machine Learning as a Service (MLaaS) commonly supported by major Internet companies and federated learning supported by Google. We integrate DPAuGM with both MLaaS and federated learning over all the datasets. We mainly focus on the utility performance of DPAuGM when integrated with federated learning, since federated learning is threatened by the GANbased attack but can be effectively defended against by DPAuGM. We integrate DPVaeGM with MLaaS alone and evaluate it on the image dataset MNIST, as currently VAEs are usually used for generating images.
6.1 Machine Learning as a Service
MLaaS platforms are cloudbased systems that provide simple APIs as a web service for users who are interested in training and querying machine learning models. For a given task, a user first submits the private data through a web page interface or an mobile application created by developers, and selects the features for the task. Next, the user chooses a machine learning model from the platform, tunes the parameters of the model, and finally obtains the trained model. All these processes can be completed inside the mobile application. However, the private data submitted by innocent users can be maliciously exploited if the platform is compromised, which raises serious privacy concerns. In this paper, our DPAuGM and DPVaeGM can serve as a data privacy protection module to protect privacy of the private data. To this end, users can first build DPAuGM or DPVaeGM locally, train the generative models with the private data, and then upload the generated data for later training. As we will show in the experiment, this will incur negligible utility loss for training, while significantly protecting data privacy. With DPAuGM and DPVaeGM, even if these platforms are compromised, the privacy of sensitive data can still be preserved. In addition, we will show that training DPAuGM and DPVaeGM locally requires only a few computational resources.
When applying the proposed DPAuGM and DPVaeGM to MLaaS, we choose to examine three mainstream MLaaS platforms, which are Google Prediction API [2], Amazon Machine Learning [1], and Microsoft Azure Machine Learning [3]. We then set the differential privacy budget and to be and , respectively, for DPVaeGM and DPAuGM. Similar with the evaluation section, we regard all the training data as private data and for DPAuGM, we split the test data the same way as we do in Section 4.2. As we can see from Figure 43, using the generated data by DPAuGM for training, we can achieve comparatively high accuracy (accuracy deteriorating within 8%) on all three platforms for all datasets. Strikingly, we find that the model trained with generated data sometimes even outperforms the one trained with original data (see trained models on Amazon over MNIST). For DPVaeGM, the result is shown in Figure (a)a. We can see that DPVaeGM can achieve comparable utility (accuracy deteriorating within 3%) on all the three platforms on MNIST. This clearly shows that DPVaeGM and DPAuGM have the potential to be well integrated into MLaaS platforms and provide privacy guarantees for users’ private data and retain high data utility at the same time.
Furthermore, we show the time cost of training DPAuGM (58.2s) and DPVaeGM (27.9s) under 10 epochs on MNIST dataset. The evaluation is done with Intel Xeon CPU with 2.6GHZ, GPU of GeForce GTX 680, Ubuntu 14.04 and Tensorflow. Most recently, Tensorflow Mobile
[6] has been proposed to deploy machine learning algorithms on mobile devices. We, therefore, believe it will cost much less to train such generative models locally on mobile devices.6.2 Federated Learning
Federated learning [47], which is proposed by Google, enables mobile users to collaboratively train a shared prediction model and keep all their distributed training data local. Users typically train the model locally on their own device, upload the summarized parameters as a small focused update, and download the parameters averaged with other users’ updates collaboratively using secure multiparty computation (MPC), without needing to share their personal training data in the cloud.
Federated learning is demonstrated to be private since the individual users’ data is stored locally and the updates are securely aggregated by leveraging MPC to compute model parameters. However, the recent paper [36] declares that federated learning is secure only if we consider the attacker is the cloud provider who scrutinizes individual updates. If the attackers are the casual colluding participants, private data of one participant can still be recovered by other users who aim to attack. Hitaj et al. [36] have shown that only applying differential privacy in federated learning is not sufficient to mitigate the GANbased attack, and a malicious user is able to successfully recover private data of others.
In Section 5, we show that DPAuGM is robust enough to mitigate the GAN attack. Thus, in this section, we will mainly consider whether DPAuGM can be well integrated into the federated learning to protect privacy and retain high data utility. We show the concrete steps toward integrating DPAuGM as below. Note that the first two steps are added to the original federated learning platform.

[wide=1pt,leftmargin=10pt]

Users first train DPAuGM locally with the private data.

After training DPAuGM, users use DPAuGM and public data to generate new training data.

Users train the local model with generated data locally and upload the summarized parameters to the server.
Next we will empirically show that DPAuGM can be well integrated into federated learning over four datasets.
Settings. The structure of an autoencoder and differential privacy parameters can be specified by a central server such as Google, and will be publicly available to any user. As a proof of concept, we hereby set the differential privacy parameters and to be and , respectively. For each user in the federated learning, we evenly split the private data and public data for usage.
Hyperparameters. We set the default learning rate to be 0.001, the batch size to be 100, the number of users to be 10, and the uploading fraction to be 0.1. We will also test how DPAuGM performs across different parameters later.
In Comparison with the Original Federated Learning. We apply DPAuGM to federated learning and compare it with the original setting without DPAuGM. As we can see from Figure (e)e, after we add DPAuGM model to the pipeline, the accuracy drops only within 5% for all datasets. Hence, it shows the proposed DPAuGM can be well integrated into federated learning without affecting its utility too much. In the following part, we study in detail about the model sensitivity on the MNIST dataset.
Effect of Other Parameters. We further examine the effect of the number of users and the upload fraction over the differentially private federated learning model.
(a) Number of Users. We choose the number of users to be 10, 20, and 40. From Figure (a)a, we can see the difference in number of users will only affect the speed of convergence a bit without affecting the final data utility. We find that although more users will take slightly more time for the model to converge, the accuracy of the differentially private model actually converges to the same result within 50 epochs.
(b) Upload Fraction. We choose the upload fraction as 0.001, 0.01, and 0.1 to analyze the proposed method. As we can see from Figure (b)b, different learning rates only have negligible impacts on the trained model.
Remark. We have shown that DPAuGM can be well integrated with MLaaS and federated learning, and DPVaeGM can be well integrated with MLaaS. The integrated models can protect privacy and preserve high data utility at the same time.
7 Related Work
7.1 Privacy Attacks on Machine Learning Models
Specifically, Homer et al. [37] show that it is possible to learn whether a target individual was related to certain disease by comparing the target’s profile against the aggregated information obtained from public sources. This attack was then extended by Wang et al. [63] by performing correlation attacks, without prior knowledge about the target. Backes et al. [11] propose to conduct the membership inference attack against individuals contributing their microRNA expressions to scientific studies. If an attacker can learn information about individual’s genome expression, he can potentially infer/profile the victim’s future/historical health records, which can lead to severe consequences. Shokri and Shmatikov [57] later show that machine learning models can leak information about medical data records by performing membership attack against well trained models. Recently, Hitaj et al. [36] show that a GANbased attack can compromise user privacy in the collaborative learning setting [56], where each participant collaboratively trains his or her own model with private data locally. Hitaj et al. [36] also warn that simply adding differentially private noise is not robust enough to mitigate the attack. In addition, Hayes et al. [33] investigate the membership inference attack for generative models by using GANs [30] to detect overfitting and recognize training inputs. More recently, Liu et al. [44] define the comembership inference attack against generative models.
Given these existing privacy attacks, learning with generated data from DP generative models can potentially defend against them, such as the representative model inversion attack, membership inference attack, and GANbased attack against collaborative deep learning. To the best of our knowledge, the learning method that can defend against all these attacks has not been proposed or systematically examined before.
7.2 Differentially Private Learning Methods
The goal of differentially private learning models is to protect sensitive information of individuals within the training set. Differential privacy is a strong and common notion to protect the data privacy [22]. Differential privacy can also be used to mitigate membership inference attacks, as its indistinguishabilitybased definition formally proves that the presence or absence of an instance does not affect the output of the learned model significantly [57]. A common approach to achieving differential privacy is to add noise from Laplacian [20] or Gaussian distribution [21]
whose variance is determined by the privacy budget. In practice, differentially private schemes are often tailored to the spatiotemporal location privacy analysis
[45, 53, 58, 9, 60].To protect the privacy of machine learning models, random noise can be injected to input, output, and objectives of the models. Erlingsson et al. [23] propose to randomize the input and show that the randomized input still allows data collectors to gather meaningful statistics for training. Chaudhuri et al. [14] show that by adding noise to the cost function minimized during learning, differential privacy can be achieved. In terms of perturbing objectives, Shokri et al. [56] show that deep neural networks can be trained with multiparty computations from perturbed model parameters to achieve differential privacy guarantees. Deep learning with differential privacy is proposed [8] by adding noise to the gradient during each iteration. They further use moment accountant to keep track of the spent privacy budget during the training phase. However, the prediction accuracy of the deep learning system will degrade more than 13% over the CIFAR10 dataset when large differential privacy noise is added [8], which is unacceptable in many realworld applications where high prediction accuracy is pursued, such as autonomous driving [27] and face recognition [31]. This is also aligned with the warning proposed by Hitaj et al. [36] that using differential privacy to provide strong privacy guarantees cannot be applied to all scenarios, especially where the GANbased attack can be applied. Later, private aggregation of teacher ensembles (PATE) has been proposed, which first learns an ensemble of teacher models on a disjoint subset of training data, and aggregates the output of these teacher models to train a differentially private student model for prediction [48]. The queries performed on the teacher models are designed to minimize the privacy cost of these queries. Once the student models are trained, the teacher models can be discarded. PATE is within the scope of knowledge aggregation and transfer for privacy [50, 32]. An improved version of PATE, scalable PATE, is proposed by introducing new aggregation algorithm to achieve better data utility [49].
At inference, random noise can also be introduced to the output to protect privacy. However, this severely decays the test accuracy, because the amount of noise introduced increases with the number of inference queries answered by the machine learning model. Note that homomorphic encryption [28] can also be applied to protect the confidentiality of each individual input. The main limitations are the performance overhead and the restricted set of arithmetic operations supported by homomorphic encryption.
Various approaches have been proposed for the automatic discovery of sensitive entities, such as identifiers, and redact them to protect privacy. The simplest of these rely on a large collection of rules, dictionaries, and regular expressions (e.g., [12, 59]). Chakaravarthy et al. [13] proposed an automated data sanitization algorithm aimed at removing sensitive identifiers while inducing the least distortion to the contents of documents. However, this algorithm assumes that sensitive entities, as well as any possible related entities, have already been labeled. Similarly, Jiang et al. [38] have developed the plausibility algorithm to replace the known (labeled) sensitive identifiers within the documents and guarantee that the sanitized document is associated with at least documents. Li et al. [42] have proposed a game theoretic framework for automatic redacting sensitive information. In general, finding and redacting sensitive information with high accuracy is still challenging.
In addition, there has been recent work on making generative neural networks differentially private [10]. It achieved their differentially private generative models on VAEs by using differentially private kernel means and differentially private gradient descent. Different from their work, we realize differentially private generative models on both autoencoders and VAEs. We further show that our proposed methods can mitigate realistic privacy attacks and can seamlessly be applied to realworld applications.
In general, unlike previously proposed techniques, our proposed differentially private generative models can guarantee differential privacy while maintaining data utility for learning tasks. Our proposed models achieve all three goals: protect privacy of training data; enable users to locally customize the privacy preference by configuring the generative models; retain high data utility for generated data. The proposed models achieve these goals at a much lower computation cost than aforementioned differentially private mechanisms and cryptographic techniques, such as secure multiparty computation or homomorphic encryption [28]. Our generative models can also seamlessly be integrated with MLaaS and federated learning in practice.
8 Conclusion
We have designed, implemented, and evaluated two differentially private data generative models—a differentially private autoencoderbased generative model (DPAuGM) and a differentially private variational autoencoderbased generative model (DPVaeGM). We show that both models can provide strong privacy guarantees and retain high data utility for machine learning tasks. We empirically demonstrate that DPAuGM is robust against the model inversion attack, membership inference attack, and GANbased attack against collaborative deep learning, and DPVaeGM is robust against the membership inference attack. We conjecture that the key to defend against model inversion and GANbased attacks is to distort the training data while differential privacy is targeted to protect membership privacy. Furthermore, we show that the proposed generative models can be easily integrated with two realworld applications—machine learning as a service and federated learning, which are previously threatened by the membership inference attack and GANbased attack, respectively. We demonstrate that the integrated system can both protect privacy of users’ data and retain high data utility.
Through the study of privacy attacks and corresponding defensive methods, we here emphasize that it is important to generate differentially private synthetic data for various machine learning systems to secure current learning tasks. As we are the first to propose differentially private data generative models that can defend against the contemporary privacy violation attacks, we hope that our work will help pave the way toward designing more effective differentially private learning methods.
References
 [1] Amazon machine learning. https://aws.amazon.com/machinelearning/.
 [2] Google prediction api. https://cloud.google.com/prediction/.
 [3] Microsoft azure machine learning. https://studio.azureml.net/.
 [4] Alzheimer’s disease neuroimaging initiative, 2018.
 [5] Hospital discharge data public use data file, 2018.
 [6] Introduction to tensorflow mobile, 2018.
 [7] Symptom disease sorting, 2018.
 [8] M. Abadi, A. Chu, I. Goodfellow, H. B. McMahan, I. Mironov, K. Talwar, and L. Zhang. Deep learning with differential privacy. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 308–318. ACM, 2016.
 [9] G. Acs and C. Castelluccia. A case study: Privacy preserving release of spatiotemporal density in Paris. In Proceedings of the 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pages 1679–1688. ACM, 2014.
 [10] G. Acs, L. Melis, C. Castelluccia, and E. De Cristofaro. Differentially private mixture of generative neural networks. IEEE Transactions on Knowledge and Data Engineering, 2018.
 [11] M. Backes, P. Berrang, M. Humbert, and P. Manoharan. Membership privacy in MicroRNAbased studies. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 319–330. ACM, 2016.
 [12] B. A. Beckwith, R. Mahaadevan, U. J. Balis, and F. Kuo. Development and evaluation of an open source software tool for deidentification of pathology reports. BMC Medical Informatics and Decision Making, 6:12, 2006.
 [13] V. T. Chakaravarthy, H. Gupta, P. Roy, and M. K. Mohania. Efficient techniques for document sanitization. In Proceedings of the 17th ACM conference on Information and knowledge management, pages 843–852. ACM, 2008.
 [14] K. Chaudhuri, C. Monteleoni, and A. D. Sarwate. Differentially private empirical risk minimization. Journal of Machine Learning Research, 12(Mar):1069–1109, 2011.
 [15] S. Chen, M. Xue, Z. Tang, L. Xu, and H. Zhu. Stormdroid: A streaminglized machine learningbased system for detecting android malware. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pages 377–388. ACM, 2016.

[16]
D. Ciregan, U. Meier, and J. Schmidhuber.
Multicolumn deep neural networks for image classification.
In
IEEE Conference on Computer Vision and Pattern Recognition (CVPR)
, pages 3642–3649. IEEE, 2012. 
[17]
D. Ciresan, A. Giusti, L. M. Gambardella, and J. Schmidhuber.
Deep neural networks segment neuronal membranes in electron microscopy images.
In Advances in Neural Information Processing Systems, pages 2843–2851, 2012.  [18] T. Cover. Information theory and statistics. Wiley,, 1959.
 [19] L. Deng, M. L. Seltzer, D. Yu, A. Acero, A.r. Mohamed, and G. Hinton. Binary coding of speech spectrograms using a deep autoencoder. In Eleventh Annual Conference of the International Speech Communication Association, 2010.
 [20] C. Dwork. Differential privacy: A survey of results. In International Conference on Theory and Applications of Models of Computation, pages 1–19. Springer, 2008.
 [21] C. Dwork, K. Kenthapadi, F. McSherry, I. Mironov, and M. Naor. Our data, ourselves: Privacy via distributed noise generation. In Eurocrypt, volume 4004, pages 486–503. Springer, 2006.
 [22] C. Dwork, A. Roth, et al. The algorithmic foundations of differential privacy. Foundations and Trends® in Theoretical Computer Science, 9(3–4):211–407, 2014.
 [23] Ú. Erlingsson, V. Pihur, and A. Korolova. Rappor: Randomized aggregatable privacypreserving ordinal response. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 1054–1067. ACM, 2014.
 [24] M. Fredrikson, S. Jha, and T. Ristenpart. Model inversion attacks that exploit confidence information and basic countermeasures. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015.
 [25] M. Fredrikson, S. Jha, and T. Ristenpart. Model inversion attacks that exploit confidence information and basic countermeasures. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 1322–1333. ACM, 2015.
 [26] M. Fredrikson, E. Lantz, S. Jha, S. Lin, D. Page, and T. Ristenpart. Privacy in pharmacogenetics: An endtoend case study of personalized warfarin dosing. In USENIX Security Symposium, 2014.
 [27] A. Geiger, P. Lenz, and R. Urtasun. Are we ready for autonomous driving? The KITTI vision benchmark suite. In Computer Vision and Pattern Recognition (CVPR), 2012 IEEE Conference on, pages 3354–3361. IEEE, 2012.
 [28] R. GiladBachrach, N. Dowlin, K. Laine, K. Lauter, M. Naehrig, and J. Wernsing. Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy. In International Conference on Machine Learning, pages 201–210, 2016.
 [29] I. Goodfellow, Y. Bengio, and A. Courville. Deep learning. MIT press, 2016.
 [30] I. Goodfellow, J. PougetAbadie, M. Mirza, B. Xu, D. WardeFarley, S. Ozair, A. Courville, and Y. Bengio. Generative adversarial nets. In Advances in Neural Information Processing Systems, pages 2672–2680, 2014.
 [31] D. B. Graham and N. M. Allinson. Characterising virtual eigensignatures for general purpose face recognition. In Face Recognition, pages 446–456. Springer, 1998.
 [32] J. Hamm, Y. Cao, and M. Belkin. Learning privately from multiparty data. In International Conference on Machine Learning, pages 555–563, 2016.
 [33] J. Hayes, L. Melis, G. Danezis, and E. De Cristofaro. Logan: Membership inference attacks against generative models. Proceedings on Privacy Enhancing Technologies (PoPETs), 2019(1), 2008.
 [34] K. Hett, V.T. Ta, J. V. Manjón, and P. Coupé. Graph of hippocampal subfields grading for Alzheimer’s disease prediction. In International Workshop on Machine Learning in Medical Imaging, pages 259–266. Springer, 2018.
 [35] G. Hinton, L. Deng, D. Yu, G. E. Dahl, A.r. Mohamed, N. Jaitly, A. Senior, V. Vanhoucke, P. Nguyen, T. N. Sainath, et al. Deep neural networks for acoustic modeling in speech recognition: The shared views of four research groups. IEEE Signal Processing Magazine, 29(6):82–97, 2012.
 [36] B. Hitaj, G. Ateniese, and F. PerezCruz. Deep models under the GAN: Information leakage from collaborative deep learning. CCS, 2017.
 [37] N. Homer, S. Szelinger, M. Redman, D. Duggan, W. Tembe, J. Muehling, J. V. Pearson, D. A. Stephan, S. F. Nelson, and D. W. Craig. Resolving individuals contributing trace amounts of DNA to highly complex mixtures using highdensity SNP genotyping microarrays. PLoS Genetics, 4(8):e1000167, 2008.
 [38] W. Jiang, M. Murugesan, C. Clifton, and L. Si. tplausibility: semantic preserving text sanitization. In International Conference on Computational Science and Engineering, volume 3, pages 68–75, 2009.
 [39] D. P. Kingma and M. Welling. Autoencoding variational bayes. ICLR, 2014.
 [40] Y. LeCun, Y. Bengio, and G. Hinton. Deep learning. nature, 521(7553):436, 2015.
 [41] Y. LeCun, L. Bottou, Y. Bengio, and P. Haffner. Gradientbased learning applied to document recognition. Proceedings of the IEEE, 86(11):2278–2324, 1998.
 [42] B. Li, Y. Vorobeychik, M. Li, and B. Malin. Scalable iterative classification for sanitizing largescale datasets. IEEE transactions on knowledge and data engineering, 29(3):698–711, 2017.
 [43] M. Lichman. UCI machine learning repository, 2013.
 [44] K. S. Liu, B. Li, and J. Gao. Performing comembership attacks against deep generative models. arXiv preprint arXiv:1805.09898, 2018.
 [45] A. Machanavajjhala, D. Kifer, J. Abowd, J. Gehrke, and L. Vilhuber. Privacy: Theory meets practice on the map. In IEEE 24th International Conference on Data Engineering (ICDE), pages 277–286. IEEE, 2008.

[46]
J. Masci, U. Meier, D. Cireşan, and J. Schmidhuber.
Stacked convolutional autoencoders for hierarchical feature extraction.
Artificial Neural Networks and Machine Learning–ICANN 2011, pages 52–59, 2011.  [47] B. McMahan and D. Ramage. Federated learning: Collaborative machine learning without centralized training data. Technical report, Technical report, Google, 2017.
 [48] N. Papernot, M. Abadi, U. Erlingsson, I. Goodfellow, and K. Talwar. Semisupervised knowledge transfer for deep learning from private training data. arXiv preprint arXiv:1610.05755, 2016.
 [49] N. Papernot, S. Song, I. Mironov, A. Raghunathan, K. Talwar, and U. Erlingsson. Scalable private learning with PATE. International Conference on Learning Representations, 2018.
 [50] M. Pathak, S. Rane, and B. Raj. Multiparty differential privacy via aggregation of locally trained classifiers. In Advances in Neural Information Processing Systems, pages 1876–1884, 2010.
 [51] A. Pyrgelis, C. Troncoso, and E. D. Cristofaro. Knock knock, who’s there? membership inference on aggregate location data. In 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 1821, 2018, 2018.
 [52] A. Radford, L. Metz, and S. Chintala. Unsupervised representation learning with deep convolutional generative adversarial networks. arXiv preprint arXiv:1511.06434, 2015.
 [53] V. Rastogi and S. Nath. Differentially private aggregation of distributed timeseries with transformation and encryption. In Proceedings of the 2010 ACM SIGMOD International Conference on Management of Data, pages 735–746. ACM, 2010.

[54]
D. J. Rezende, S. Mohamed, and D. Wierstra.
Stochastic backpropagation and approximate inference in deep generative models.
ICML, 2014.  [55] P. Schulam and S. Saria. A framework for individualizing predictions of disease trajectories by exploiting multiresolution structure. In Advances in Neural Information Processing Systems, pages 748–756, 2015.
 [56] R. Shokri and V. Shmatikov. Privacypreserving deep learning. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 1310–1321. ACM, 2015.
 [57] R. Shokri, M. Stronati, C. Song, and V. Shmatikov. Membership inference attacks against machine learning models. In IEEE Symposium on Security and Privacy (SP), pages 3–18. IEEE, 2017.
 [58] R. Shokri, G. Theodorakopoulos, C. Troncoso, J.P. Hubaux, and J.Y. Le Boudec. Protecting location privacy: Optimal strategy against localization attacks. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, pages 617–627. ACM, 2012.
 [59] L. Sweeney. Replacing personallyidentifying information in medical records, the scrub system. In AMIA Fall Symposium, page 333, 1996.
 [60] H. To, K. Nguyen, and C. Shahabi. Differentially private publication of location entropy. In Proceedings of the 24th ACM SIGSPATIAL International Conference on Advances in Geographic Information Systems, page 35. ACM, 2016.

[61]
P. Vincent, H. Larochelle, Y. Bengio, and P.A. Manzagol.
Extracting and composing robust features with denoising autoencoders.
In Proceedings of the 25th International Conference on Machine learning, pages 1096–1103. ACM, 2008.  [62] P. Vincent, H. Larochelle, I. Lajoie, Y. Bengio, and P.A. Manzagol. Stacked denoising autoencoders: Learning useful representations in a deep network with a local denoising criterion. Journal of Machine Learning Research, 11, 2010.
 [63] R. Wang, Y. F. Li, X. Wang, H. Tang, and X. Zhou. Learning your identity and disease from research papers: Information leaks in genome wide association study. In Proceedings of the 16th ACM Conference on Computer and communications Security, pages 534–544. ACM, 2009.
 [64] F. Zhang, J. Leitner, M. Milford, B. Upcroft, and P. Corke. Towards visionbased deep reinforcement learning for robotic motion control. arXiv preprint arXiv:1511.03791, 2015.
Appendix
Appendix A Model Architectures
MNIST  Adult Census Data  Texas Hospital Stays Data  Malware Data 

FC(400)+Sigmoid  FC(6)+Sigmoid  FC(400)+Sigmoid  FC(50)+Sigmoid 
FC(256)+Sigmoid  FC(100)+Sigmoid  FC(776)+Sigmoid  FC(142)+Sigmoid 
FC(400)+Sigmoid  
FC(784)+Sigmoid 
MNIST 

FC(500)+Sigmoid 
FC(500)+Sigmoid 
FC(20)+Sigmoid ; FC(20)+Sigmoid 
Sampling Vector(20) 
FC(500)+Sigmoid 
FC(500)+Sigmoid 
FC(784)+Sigmoid 
MNIST  Adult Census Data  Texas Hospital Stays Data  Malware Data 

Conv(5x5,1,32)+Relu 
FC(16)+Relu  FC(200)+Relu  FC(4)+Relu 
MaxPooling(2x2,2,2)  FC(16)+Relu  FC(100)+Relu  FC(3)+Relu 
Conv(5x5,32,64)+Relu  FC(2)  FC(10)  FC(2) 
MaxPooling(2x2,2,2)  
Reshape(4x4x64)  
FC(10) 
MNIST 

Conv(5x5,1,32)+Relu 
MaxPooling(2x2,2,2) 
Conv(5x5,32,64)+Relu 
MaxPooling(2x2,2,2) 
Reshape(7x7x64) 
FC(1024) 
FC(10) 
Comments
There are no comments yet.