Privacy‐preserving generative framework for images against membership inference attacks

Abstract Machine learning has become an integral part of modern intelligent systems in all aspects of life. Membership inference attacks (MIAs), as the significant model attacks, also jeopardize the privacy of the intelligent systems. Previous works on defending MIAs concentrate on the model output perturbation or tampering with the training process. However, data and model reuse are common in intelligent systems, which results in the lack of scalability of previous defending works. This paper proposes a new privacy‐preserving framework for images to transform source data into synthetic data to train models against MIAs. The synthetic data makes it easy to defend MIAs during data and model reuse to improve the scheme's scalability. The framework generates synthetic data satisfying differential privacy through the variational autoencoder model's information extraction and data generation capabilities to improve model accuracy. A noise addition mechanism with metric privacy for the latent code generated from source data is proposed, where noise is the product of Γ‐distribution and unit hyper‐sphere samples. Moreover, it is proved that the synthetic data also satisfies metric privacy. The experimental evaluations demonstrate that the framework reduces MIAs' attack accuracy to about 0.5 and maintains higher utility than DP‐SGD under the same setting