Privacy Re-identification Attacks on Tabular GANs

Abdallah Alshantti^*, Adil Rasheed, Frank Westad
Department of Engineering Cybernetics
Norwegian University of Science and Technology
Trondheim 7034, Norway
^* [email protected]

Abstract

Generative models are subject to overfitting and thus may potentially leak sensitive information from the training data. In this work. we investigate the privacy risks that can potentially arise from the use of generative adversarial networks (GANs) for creating tabular synthetic datasets. For the purpose, we analyse the effects of re-identification attacks on synthetic data, i.e., attacks which aim at selecting samples that are predicted to correspond to memorised training samples based on their proximity to the nearest synthetic records. We thus consider multiple settings where different attackers might have different access levels or knowledge of the generative model and predictive, and assess which information is potentially most useful for launching more successful re-identification attacks. In doing so we also consider the situation for which re-identification attacks are formulated as reconstruction attacks, i.e., the situation where an attacker uses evolutionary multi-objective optimisation for perturbing synthetic samples closer to the training space. The results indicate that attackers can indeed pose major privacy risks by selecting synthetic samples that are likely representative of memorised training samples. In addition, we notice that privacy threats considerably increase when the attacker either has knowledge or has black-box access to the generative models. We also find that reconstruction attacks through multi-objective optimisation even increase the risk of identifying confidential samples.

Keywords Generative models $\cdot$ privacy risk $\cdot$ tabular data $\cdot$ re-identification attacks

1 Introduction

In recent years, plenty of effort has been dedicated to generating synthetic data as a means of facilitating knowledge exchange whilst maintaining some disparity to protect confidential information. In essence, synthetic data is designed to capture the properties and the general structure of the original data, while simultaneously obscuring the sensitive attributes in the data. Historically, synthetic data was created by omitting or anonymising identifier features in a dataset. Alternatively, modifying sensitive features by adding noise was also considered as an alternative to anonymisation. However, both such approaches have been proven insufficient as sensitive information can be still recovered through de-anonymisation (Narayanan and Shmatikov,, 2008) and de-noising (Agrawal and Srikant,, 2000) techniques. More recently, generative models based on neural networks have become widespread techniques for data synthesis, generating new records by estimating the distribution of a given dataset. In particular, generative adversarial networks (GANs) (Goodfellow et al.,, 2014) are desired primarily due to their superior performance in approximating the distribution of the data and producing highly realistic data records.

Tabular data is prevalent in various domains such as the healthcare, finance, e-commerce and cybersecurity fields. Mixed-type data entails that the data consists of binary, continuous and discrete features, which are often challenging to represent by machine learning and deep learning models (Popov et al.,, 2019). While early tabular GANs struggled with handling categorical attributes (Choi et al.,, 2017; Park et al.,, 2018), more recent tabular GANs have exhibited more success in representing and reproducing categorical features (Zhao et al.,, 2021; Alshantti et al.,, 2024). In addition, GANs demonstrated unprecedented capabilities in capturing the distribution of data features and the correlations between them.

Concerningly though, private tabular data often encapsulates sensitive information about individuals or records. To train models that overfit on the data induces then a privacy risk, since such overfitting may be due to some form of memorising data samples by the models. Releasing such models, or even simply enabling users to query random samples on such models can thus give rise to leaking partial or full confidential information about training data records. The risks of overfitting by discriminative models where the primary prediction tasks are classification or regressions have been well highlighted and considered by Song and Mittal, (2021). On the other hand, privacy risks associated with overfitting generative models have been much less studied. This is supported by the fact that detecting overfitting on GANs is far from being a straightforward task, as confidence values about overfitting cannot be directly obtained (Hayes et al.,, 2019; Chen et al., 2020b, ). One method for analysing the susceptibility of generative models to privacy risks is through the implementation of privacy attacks.

Privacy attacks have been extensively studied in the context of discriminative models. In particular, membership inference attacks attempt to infer whether a given record in a holdout dataset was used for training a discriminative model (Shokri et al.,, 2017). Since then, membership inference attacks have been explored within different contexts. Another type of privacy attacks is the model-inversion attack (Fredrikson et al.,, 2014), where an adversary attempts to use the model’s output to recover training datapoints. While most of the pertinent research on privacy attacks remains to be aimed at discriminative models, privacy attacks have been eventually extended to the generative domain.

Membership inference attacks against GANs were implemented by Hayes et al., (2019), where confidence values about a given record were obtained from the discriminator of the GANs. Meanwhile, Hilprecht et al., (2019) formulated two types of membership attacks and included variational autoencoders (VAEs) as a target generative model. Chen et al., 2020b conducted membership inference attacks on multiple generative models and datasets while demonstrating the factors that influence the success of inference attacks. Inspired by these existing works, we posit that there is a need for considering the implications of potential privacy risks on tabular data. We therefore hypothesise that the increased accessibility of tabular GAN models can threaten the privacy of sensitive information. Moreover, from intuitive perspectives the risk seems heightened for smaller and lower-dimensional datasets, and for mixed-type datasets where categorical features can take a finite range of values.

Finally, to the best of our knowledge the following question remains unanswered: given access to a synthetic dataset, can an attacker exploit the data for predicting which synthetic samples are likely to be identical to or leak a substantial amount of information from corresponding training samples? A positive answer to such a question would imply that privacy attacks may be successful even when an attacker does not have a holdout set for conducting membership inference attacks on. In this case, the growing demand and accessibility of generative models, together with the availability of synthetic data and generative models may enable malicious actors to perform successful attacks without necessarily having access to a query set for inference. Given this risk, we foresee the need for studying the possibility of re-identification attacks on synthetic datasets for recovering training datapoints which were used for training generative models. In other words, we consider the previous question as the core research one for this work, and offer the following contributions:

•

We describe multiple attacking scenarios based on the potential access levels for the attackers. Namely, in addition to the possession of synthetic samples, an attacker might also have knowledge of the generative model’s architecture, have black-box access to the trained model’s API and potentially a machine learning prediction model trained on either the synthetic or the private data.
•

We conduct re-identification attacks using the synthetic samples in the access settings mentioned above. In this context, the re-identification attacks can be referred to as selection attacks, where the attacker selects the most densely surrounded synthetic datapoints as the candidate samples that were possibly memorised by a generative model.
•

We further analyse the effects of formulating re-identification attacks as reconstructions attacks, i.e., where an attacker uses for its purposes evolutionary multi-objective optimisation to perturb the candidate synthetic samples. In this case, the attacker attempts to reduce the proximity of a synthetic sample to its neighbouring synthetic samples and also reduce the prediction error of its target class.
•

We quantitatively evaluate the privacy risk of re-identification attacks as selection or reconstruction ones. In addition, we adapt the existing membership inference attacks from literature as re-identification ones, and compare the success rate of our attacks against the baselines.

The remainder of the paper is structured as follows. Section 2 outlines the fundamentals for GANs, privacy attacks and privacy defenses. We formulate and describe the privacy re-identification attacks in Section 3. In Section 4, we outline our experimental setup including the datasets used, generative models considered and our evaluation criteria, while our results are presented in Section 5. We finally provide a comprehensive summary of the related works in Section 6 and we conclude this work in Section 7.

2 Background

2.1 GANs

Among generative models, GANs (Goodfellow et al.,, 2014) have in recent times become the most widely used approach for creating synthetic data. Ultimately, this is attributed to superiority of GANs in approximating the probability distribution, in contrast to statistical generative models such as Bayesian models (Koller and Friedman,, 2009), Hidden Markov models (Rabiner,, 1989), Gibbs sampling models (Park and Ghosh,, 2014) and other deep generative models such as denoising autoencoders (Gondara and Wang,, 2018) and variational autoencoders (Kingma et al.,, 2014). As such, GANs have been widely adopted in various domains such as image generation (Zhu et al.,, 2017; Karras et al.,, 2019), time-series generation (Esteban et al.,, 2017; Yoon et al.,, 2019) and tabular data generation (Choi et al.,, 2017; Xu et al.,, 2019; Engelmann and Lessmann,, 2021).

The classical GAN is composed of two neural networks competing against each other in an adversarial setting. Namely, a generator $G$ takes a random noise vector $z$ as an input, and produces fake data samples as the output. The other neural network is a discriminator $D$ that receives the real data in addition to the fake data from the generator as inputs, and attempts to distinguish the real samples from the synthetic samples. As the two components aim to maximise their gain in a min-max game, the generator becomes increasingly skilled during the training process at producing samples that closely resemble the real data based on the feedback it receives from the generator, meanwhile, the discriminator improves its capability in discriminating between both inputs. The training process can be resembled as:

\min_{G}\max_{D}V(D,G)=\mathbb{E}_{x\sim p_{data}(\boldsymbol{x})}[log(D(% \boldsymbol{x})]+\mathbb{E}_{z\sim p_{z}(\boldsymbol{z})}[log(1-D(G(% \boldsymbol{z})))

where $p_{data}$ is the distribution of the real data and $p_{z}$ is the distribution of the noise sample.

In addition to generating realistic output without explicitly sampling a parametric likelihood function on the data feature space, GANs also eliminate the one-to-one relationship between the synthetic data and the original data, thus reducing the likelihood of sensitive attribute leakage (Park et al.,, 2018). Nevertheless, it has been demonstrated that GANs are still widely susceptible to privacy attacks (Webster et al.,, 2019). To this end, privacy attacks which were originally devised for deep learning discriminative models can also be adapted for targeting GANs. Such attacks include membership inference attacks (Shokri et al.,, 2017), co-membership inference attacks (Liu et al.,, 2019), training class inference attacks (Yang et al.,, 2019), property inference attacks (Rigaki and Garcia,, 2020) and model inversion attacks (Fredrikson et al.,, 2014).

2.2 Membership Inference Attacks

Membership inference attacks (MIAs) were first devised by Shokri et al., (2017), in which classification models are targeted in a black-box setting. In MIA, an attacker is provided with a query dataset from an unknown source and attempts to identify the data records that were used for training a machine learning model. Whereas, in white-box membership inference attacks the perpetrator has access to the internals of the training model and uses this knowledge to make better-informed decisions about the membership of the records in the query set. It has been demonstrated that white-box MIAs on a neural network’s stochastic gradient descent optimizer are far more powerful than the standard black-box attacks (Nasr et al.,, 2019). Moreover, membership inference is increasingly explored in the federated learning domain, in which a model is trained in a decentralised manner by several actors (Melis et al.,, 2019). Federated learning can however introduce data leakages which add up to the privacy concerns. In addition, it has been observed that while overfitting does contribute to the data leakage (Shokri et al.,, 2017), it was also shown that a well-generalisable model is still largely susceptible to effective membership attacks (Yeom et al.,, 2017; Long et al.,, 2018), thus motivating for further studies on membership inference attacks.

More recently, the application of membership inference attacks has also been extended to generative models. Hayes et al., (2019) presented the first study of membership inference attacks on GANs whereby it was found that white-box attacks can exploit the overfitting in generative models, thus shedding light on the magnitude of privacy leakage issue in generative applications. The membership inference attacks are further bolstered by Hilprecht et al., (2019), who formulated a new type of MIAs based on Monte Carlo and demonstrated their successfulness against GAN models. Meanwhile, Chen et al., 2020b comprehensively studied MIAs on various GAN implementations and demonstrated that full white-box MIAs are persistently more effective than grey-box and black-box attacks.

2.3 Model Inversion Attacks

In model inversion attacks, an adversary, given a machine learning model, aims to retrieve the original input used for training the model. The study of model inversion attacks traditionally assumes that an attacker relies on white-box attacks to extract the model parameters and uses them to revert the functionality of the victim model for exposing the raw data (Fredrikson et al.,, 2014). Meanwhile, Hidano et al., (2017) proposed model inversion attacks without the knowledge of non-sensitive attributes which achieve comparable performance to the attacks in (Fredrikson et al.,, 2014). Similarly, Tramèr et al., (2016) proposed model extraction attacks in which an attacker launches attacks in a black-box setting to emulate the functionality of a discriminative model without relying on prediction confidence values. Meanwhile, Yeom et al., (2017) studied the relationship between model inversion attacks and membership inference attacks, and formulated a new type of attack that can threaten generalisable models. Synonymous to model inversion attacks, Cai et al., (2021) defines reconstruction attacks as those that attempt to recover the raw training data given the model and additional auxiliary information.

In contrast, model inversion attacks have only been explored to a limited extent in the context of generative models. Zhang et al., (2020) developed a framework that utilises a generative adversarial network coupled with some auxiliary knowledge for launching inversion attacks on deep neural networks used for image classification. Whereas, CPGAN is an approach proposed by Tseng and Wu, (2020) as a privacy preserving pre-processing step for compressing representations of image datasets prior to training classification models. Conversely, Aïvodji et al., (2019) proposed using generative adversarial networks for creating black-box inversion attacks against a victim convolutional neural network classification model.

2.4 Defences

Mitigating against privacy attacks for discriminative models and generative models has been explored in the literature. Li et al., (2006) proposed the t-closeness concept as a privacy-preserving technique by ensuring that the distribution of a sensitive feature in a categorical group is similar to the distribution of the feature in the entire dataset. Weight normalisation (Salimans and Kingma,, 2016) and dropout (Srivastava et al.,, 2014) were considered by Hayes et al., (2019) as regularisation mechanisms for preventing overfitting and subsequently hampering the impact of membership inference attacks. However, it has been observed that both techniques significantly slow down the training process and can contribute to training instability. Nasr et al., (2018) introduced membership inference adversarial training as part of the standard target classifier training to induce regularisation that protects against membership inference attacks. Meanwhile, MemGuard was proposed by Jia et al., (2019) where the predictions of a target model are obscured with carefully crafted noises to reduce the effectiveness of membership inference attacks while minimally impacted the classification predictions.

Differential privacy is a concept that has been proposed by Dwork, (2008), which entails that any two datasets differing by a single observation are considered adjacent. Thus an algorithm is considered $(\epsilon,\delta)$ deferentially private if it meets the adjacency condition, where $\epsilon$ represents the privacy budget parameter and $\delta$ is a term that quantifies the violation of differential privacy. The application of differential privacy in deep learning has been explored extensively by Shokri and Shmatikov, (2015) and Abadi et al., (2016), where it was found that differential privacy is capable of providing sufficient privacy guarantees in most cases. Nevertheless, it has been demonstrated that differential privacy exhibits a significant trade-off between model accuracy and privacy mitigation (Shokri and Shmatikov,, 2015; Jayaraman and Evans,, 2019).

3 Methodology

In this section we describe the attack types that are instigated by an adversary, and how does this contribute to the bigger picture. The main research question is therefore: Given the synthetic data, to what extent can the attacker use this synthetic data to re-identify the original training samples?

3.1 Problem Definition

Let $\mathcal{D}=\{\mathbf{x},y\}$ be a private dataset, where $\mathbf{x}=\{\mathrm{x}_{1},\dotsc,\mathrm{x}_{m}\}$ are the $m$ predictive features of the dataset, and $y\in\{1,\dotsc,C\}$ is the target attribute for a classification task of $C$ classes or $y\in\mathbb{R}^{1}$ in the case of a regression task. Within a GAN model, synthetic samples are produced by the generator $G$ , in which the generator typically takes a noise vector $z\sim\mathcal{N}(0,1)$ as input. The synthetic dataset can therefore be denoted as $\mathcal{D}^{\prime}=G(z)$ . Similar to the structure of the private dataset, the synthetic data can be represented as $\mathcal{D}^{\prime}=\{\mathbf{x}^{\prime},y^{\prime}\}$ . Meanwhile, a machine learning model for predicting the target feature can be denoted by $\mathcal{M}(\mathbf{x})\mapsto\hat{y}$ if the model is trained on the real private data or $\mathcal{M}(\mathbf{x}^{\prime})\mapsto\hat{y^{\prime}}$ if the model is trained on the synthetic data.

The idea behind re-identification attacks is to find synthetic samples that are in very close proximity to other synthetic datapoints. A generative model that overfits the training data tends to memorise specific real datapoints (Ganev et al.,, 2022), hence, generating multiple instances of synthetic samples that can be almost identical to a memorised sample. To find the closely packed synthetic samples, an adversary uses the $k$ -nearest neighbours technique to find the closest neighbours and their distances from each query sample in the synthetic dataset. For a given synthetic sample $d^{\prime}_{0}\in\mathcal{D}^{\prime}$ , we define its $k$ -nearest neighbours as:

q_{d^{\prime}_{0}}=\{d^{\prime}_{1},\dotsc,d^{\prime}_{k}\}

(1)

in which the $k$ -nearest-neighbours can be determined by:

\{d^{\prime}_{1},\dotsc,d^{\prime}_{k}\}=\underset{d^{\prime}\in\mathcal{D^{% \prime}}\setminus d^{\prime}_{0}}{\operatorname{argmin}_{1,\dotsc,k}}\;\lVert d% ^{\prime}_{0}-d^{\prime}\rVert^{2}_{2}

(2)

In addition, the vector of the $k$ -nearest-neighbours distances $r_{d^{\prime}_{0}}$ can be denoted by:

r_{d^{\prime}_{0}}=\{\lVert d^{\prime}_{0}-j\rVert^{2}_{2}\}\;\;\text{for}\;\;% j\in q_{r^{\prime}_{0}}

(3)

and subsequently the harmonic mean of distances of the nearest $k$ -nearest-neighbours to the query synthetic sample is represented by:

\bar{r}_{d^{\prime}_{0}}=\frac{\lvert r_{d^{\prime}_{0}}\rvert}{\sum\limits_{r% \in r_{d^{\prime}_{0}}}\frac{1}{r}}

(4)

For targeting the most densely packed synthetic samples, the attacker ranks the synthetic samples in $\mathcal{D}^{\prime}$ in increasing order with respect to their sum of distances to their neighbours $\bar{r}_{d^{\prime}_{0}}$ . In our study, we posit that the attacker aims to recover a subset of the original training set rather than whole training set as they aim to direct their focus towards training datapoints that were memorised by the generative model. While it is reasonable to assume that a subset accounting for 1% to 10% of the training set size is sufficient, we set the subset size to account for 5% of the training set size, $\tau=0.05$ , as this ratio produces an adequate number of recovered samples. Furthermore, while determining the optimal number of nearest neighbours $k$ is a non-trivial task, we argue that adversaries carrying out the attacks in a black-box setting are unable to perform fine hyperparameter tuning since they do not possess the means for evaluating the performance of their reconstruction attacks. Therefore, the number of nearest neighbours $k$ is set to 5, which represents a satisfactory trade-off between the size of the various training sets and the precision of adversary attacks.

During the process of selecting the top 5% synthetic samples as the recovered samples, the attacker omits the synthetic samples that appeared as neighbours to previously selected samples. This is done to diversify the training samples attacked and to avoid the repetitive selection of synthetic samples that could potentially correspond to the same private datapoint. The reconstruction attack process is demonstrated in Algorithm 1.

Algorithm 1 Recovered Samples Selection

N_{train}\,

: size of training set

\mathcal{D^{\prime}}\,

: synthetic dataset

\tau=0.05\,

: ratio of reconstructed samples

k=5\,

: number of nearest neighbours

\bar{R}=\{\}\,

: harmonic mean set

Q=\{\}\,

: nearest neighbours set

\mathcal{R}=\{\}\,

: reconstructed samples set

V=\{\}\,

: discarded samples set

\mathcal{R}

, reconstructed samples set

N_{recon}\leftarrow N_{train}\times\tau

knn\_model_{\text{Train}}(\mathcal{D^{\prime}},k)

for

d^{\prime}\in\mathcal{D^{\prime}}

q_{d^{\prime}},r_{d^{\prime}}\leftarrow knn\_model_{\text{Obtain}}(d^{\prime})

\bar{r}_{d^{\prime}}\leftarrow harmonic\_mean(r_{d^{\prime}})

Q\leftarrow Q\cup q_{d^{\prime}}

\bar{R}\leftarrow\bar{R}\cup\bar{r}_{d^{\prime}}

end for

\mathcal{D^{\prime}},Q,\bar{R}\leftarrow sort\_on(\bar{R})

for

d^{\prime}\in\mathcal{D^{\prime}}

d^{\prime}\notin V

then

V\leftarrow V\cup q_{d^{\prime}}

\mathcal{R}\leftarrow\mathcal{R}\cup d^{\prime}

\lvert\mathcal{R}\rvert==N_{recon}

then

terminate

end if

end for

3.2 Attacks on GAN model

In principle, it is possible for attackers to have different privileges and access levels that could present more serious privacy risks to the data used for generative model training. The prevalence of open source computing, accessibility of model APIs and the availability of partial auxiliary information entail that attackers can exploit such privileges for malicious intent. Subsequently, it is of interest to analyse how much benefit the attackers gain with the possession of additional resources. We therefore consider three scenarios where an attacker might launch reconstruction attacks on the synthetic model.

Level I Attack: In this scenario, an attacker only has access to a synthetic dataset produced by a GAN model.

Level II Attack: This is an attack typically committed by an individual with access to the untrained generative model (e.g. via open-access repository or knowledge of the model’s architecture from a research article) and access to the synthetic data. The attacker uses the synthetic data for training the same model and is capable of generating an indefinite number of samples. Then, the attacker attempts to find the new synthetic samples that are close to the training space via black-box selection attacks.

Level III Attack: The attacker has access to the trained generative model, and can use it to generate an indefinite number of samples. This attack is instigated by someone with access to the generative model’s API e.g. someone with basic authorisation or someone working at an external organisation. As with Level II attacks, by generating a large number of samples the attacker attempts to find the synthetic samples that are in close vicinity to one another and selects them as the re-identified samples. However, in this case, the attacker has the advantage of generating a large number of samples from the generative model trained on the private dataset.

We highlight that in all the aforementioned scenarios, the size of the original synthetic data is equivalent to the number of training samples and the attackers know the size of the training set. While Level II and Level III can fundamentally be used for generating an infinite number of samples, we set the size of synthetic datasets generated by both attacks to be $10\times\lvert\mathcal{D}\rvert$ , which is sufficiently large for reconstructing attacks without incurring extremely high computational cost.

3.3 Research Questions

Based on the objectives of this study, the following research questions are presented:

RQ1: To what extent does the privacy risk increase when attackers possess higher access levels to the generative models?

The aforementioned research question relates to quantifying the success an attacker has if they are able to generate synthetic samples without restriction, in comparison to recovering private samples with access to only a synthetic dataset. In more detail, the main aim of the question is to investigate whether Level II and Level III attacks are generally more effective than a Level I attack, in which an attacker only works with the original synthetic data they have. In addition, we consider analysing the impact of having access to the trained generative model for generating a large number of samples, in contrast to training a tabular generative model on the original synthetic data.

RQ2: Does utilising a discriminative machine learning model help in launching more effective attacks?

It is also interesting to assess whether access to a machine learning model for predicting the target variable can provide an additional advantage for the attacker in reconstructing the private data instances. In particular, a classification or a regression model that performs well in predicting the target variable could indicate more certainty of a given synthetic sample being closely attributed to the original data space. Meanwhile, a synthetic sample that is not representative of any of the training examples is likely to be poorly predicted by the machine learning model. For utilising a prediction model in reconstruction attacks, the adversary assigns weights to the prediction error and the harmonic mean to the nearest neighbours.

RQ3: How effective is the use of evolutionary multi-objective optimisation in reconstructing more precise attacks?

In addition to devising re-identification attacks based on the vicinity of nearby synthetic samples, it is intriguing to investigate whether further perturbing a synthetic sample can direct an attacker closer towards a private training datapoint. By setting the distance to neighbouring synthetic samples and the predicted value of the machine learning model as the two objectives of the multi-objective optimisation problem, the evolutionary algorithm perturbs the synthetic feature space to optimise the two provided objectives. Therefore, we can infer the impact of evolutionary algorithms in the reconstruction process by quantitatively analysing the reconstructed samples at the end of the optimisation process.

3.4 Evolutionary Optimisation

By using evolutionary algorithms, a single-objective optimisation problem is solved using a population-based approach in which an initial population is selected and is continuously evolved to minimise the objectives while adhering to the problem’s constraints, if present. The final valid solution is a single point in space which both minimises the defined objective and adheres to the problem’s defined constraints.

Meanwhile, in multi-objective optimization, a number of defined objectives are optimised simultaneously. The objectives can be conflicting and competing in nature, and this gives rise to an increased complexity in solving the optimisation problem. As opposed to single-objective optimisation where the solution is essentially a single point in space, the final optimal solutions of multi-objective solutions are called Pareto-optimal solutions, which are trade-off solutions to the objectives to be minimized. Subsequently, while a non-trivial task, a single solution can be chosen from the Pareto-optimal solutions based on the desired trade-off between the objectives.

3.4.1 Evolutionary Algorithm

A vast number of evolutionary algorithms exist in the literature, and several comparative studies were conducted for determining the suitability of evolutionary algorithms in solving real-world problems (Zitzler and Thiele,, 1999; Zhang and Li,, 2007; Ishibuchi et al.,, 2016). To this end, the choice of an evolutionary algorithm for a specific application largely depends on the nature of the problem, the desired number of tuning parameters and the domain knowledge of the objectives and trade-offs between them.

In this work, we design the multi-objective optimisation reconstruction attacks based on the Nondominated Sorting Genetic Algorithm II (NSGA-II) (Deb et al.,, 2002). NSGA-II is appraised for its elitism property - where the non-dominated individuals within a population remain unchanged in the next iteration. Consequently, this contributes to the speed-up of the evolutionary algorithm and the reduced computational complexity in finding the solutions to the multi-optimisation problem. Additionally, NSGA-II provides solutions that are spread across the objectives and are converged closer to the Pareto-optimal front. Arguably, while comparative studies tend to explore how state-of-the-art algorithms perform against NSGA-II (Zhou et al.,, 2011; Tian et al.,, 2021), we highlight that the efficiency of the NSGA-II algorithm might be appealing for an attacker that favours choosing a computationally inexpensive and a fairly accessible technique (Verma et al.,, 2021).

3.4.2 Objectives

The multi-objective optimisation problem is characterised by the formulation of objectives to be minimised in order to instigate effective reconstruction attacks. Based on the research questions in this work, we propose two objectives to minimise.

The first objective $f_{1}$ is to minimise the distance of a selected synthetic sample to its nearest synthetic neighbours. As discussed earlier, samples that are in close vicinity to other datapoints could indicate that the generative model overfits on a given private datapoint. By optimising the distance objective, we aim to minimise the harmonic mean of distances to the neighbours in the population selection process. We can thereby represent the first objective for a given sample $d^{\prime}_{0}$ as:

f_{1}=\bar{r}_{d^{\prime}_{0}}

(5)

The second objective $f_{2}$ is concerned with reducing the prediction error of the target variable of the query synthetic sample. A lower prediction error potentially corresponds to a higher certainty of the predictive features being closely aligned with the model training space. Meanwhile, a higher prediction error can generally indicate that a synthetic sample is not sufficiently realistic. The second objective can be denoted by:

f_{2}=\mathcal{L}\left(\hat{y^{\prime}_{0}},\mathcal{M}\left(x^{\prime}_{0}% \right)\right)

(6)

where $\mathcal{L}$ is the cross-entropy loss for classification tasks or the root-mean-squared error for regression tasks. Therefore, in the dual-objective reconstruction attacks, the objective vector $F$ can be denoted as $F=\{f_{1},f_{2}\}$ .

While in principle it is possible to include constraints in the evolutionary multi-objective optimisation, we highlight that this is not strictly necessary for conducting reconstruction attacks for two reasons. First, we assume that an attacker possesses no domain knowledge of the constraints within the dataset and thus wants to launch attacks with minimum effort. Second, the use of GAN as the generative model allows the generation of synthetic samples without implicitly modelling the distributions or defining the correlation and constrained relationship features. Thus, since the GAN models already generate synthetic samples that do not necessarily meet the domain constraints, we refrain from introducing constraints in the evolutionary algorithm to avoid the significant alteration of the synthetic output.

3.4.3 Generation Process

The evolutionary algorithm is initialised by defining the number of generations $N_{gen}$ for evolutionary optimisation and producing a population $P$ consisting of $L$ individuals. While in principle there are several techniques for initialising the population $P$ , we specify our initial population as $L$ replications of the query datapoint to be attacked. This is carried out because the query sample was already selected due to it is close vicinity to its neighbouring synthetic samples, thus, there is a greater confidence that the query datapoint is closer to the training space and therefore less perturbations are needed.

In the survival phase, the NSGA-II algorithm evaluates the individuals of $P$ according to the objectives $F$ . The non-dominance sorting ranks the individuals along multiple Pareto fronts. The individuals within the Pareto fronts are then further ranked according to their crowding distance, where individuals that are further away from the rest of the population in the objective space are ranked higher. Subsequently, the highest $L$ ranking individuals survive, while the other individuals are eliminated.

In the binary tournament selection, samples of two individuals are drawn, the best individuals are selected as parents and are paired with parents selected from other tournament draws. The process ensures that the best parents are continuously selected for reproduction, while the remaining individuals are removed. The crossover phase generates new offspring from the features of the two parents. In the two-point crossover, the two crossover points between the parents are selected at random and the features are swapped to create the new features of the offspring.

Next, polynomial mutation is applied to randomly altering the features of the offspring from the crossover phase. All features have an equal likelihood of being altered. The mutation process contributes to the diversity of the produced population. The aforementioned steps are repeated until the predefined number of generations $N_{gen}$ is reached. The output of the previous steps is the final population from the final iteration.

3.4.4 Multi-Criteria Decision Making (MCDM)

The final population consists of $L$ individuals, all of which are ideally viable solutions to the multi-objective optimisation problem. To select a single solution as our reconstructed sample, we specify a weight vector $\Omega=\{\omega_{1},\omega_{2}\}$ where $\omega_{1},\omega_{2}$ are the weights corresponding to objectives $f_{1},f_{2}$ respectively. We use the Achievement Scalarized Function (ASF) (Wierzbicki,, 1980) for applying the decomposition and finding the optimal sample from the Pareto-front solutions based on the specified weight vector $\Omega$ . The evolutionary optimisation process is summarised in Algorithm 2.

Algorithm 2 Evolutionary multi-objective optimisation

d^{\prime}_{0}\in\mathcal{R}\,

: query sample

F=\{f_{1},f_{2}\}\,

: objectives

N_{gen}\,

: number of generations

L\,

: population size

\Omega=\{\omega_{1},\omega_{2}\}

: MCDM weight vector

\tilde{d}_{0}

: reconstructed sample

P\leftarrow init(d^{\prime}_{0},L)

for

j=1

j=N_{gen}

P_{survive}\leftarrow survive(P,F)

P_{parents}\leftarrow binary\_tournament\_selection(P_{survive})

P_{offspring}\leftarrow two\_point\_crossover(P_{parents})

P_{mutate}\leftarrow mutate(P_{offspring})

P\leftarrow P\cup P_{mutate}

end for

\tilde{d}_{0}\leftarrow ASF(P,\Omega)

4 Experimental Setup

In this section, we present our framework’s setup for conducting and analysing the privacy reconstruction attacks on synthetic datasets.

4.1 Datasets

In this study, we consider the risk of privacy attacks on mixed-type tabular datasets. Tabular datasets are generally more susceptible to privacy attacks than high-resolution image datasets, as this is attributed to their lower dimensionality and the limited attributes of categorical features. Our focus in this work is mixed-type datasets that are typically used in the financial sector, however, the general notion can be applied to any tabular dataset in practice. All the datasets have a binary target feature, and thus are typically used for binary classification tasks. We preprocess the datasets to eliminate redundant features, samples with missing attributes and duplicate samples. The following datasets are used:

1.

Adult (Kohavi and Becker,, 1996) is a popular tabular dataset that consists of a set of personal attributes, and the task is to predict whether each individual (sample) has an annual income greater than $ 50,000.
2.

Lending (Lending Club,, 2018) is a highly-dimensional dataset that encapsulates customers’ financial history when applying for a loan, and the target feature is a binary indicator of whether the loan was repaid on time or not.
3.

PAKDD (PAKDD,, 2009) is a customer risk scoring dataset that gives a binary credit risk rating to each anonymised customer of the Brazilian bank dataset based on the clients’ personal and financial attributes.
4.

Taiwan (Yeh and Lien,, 2016) is a financial dataset where the aim is to predict whether customers will default on their loans based on their payment history and a few demographic attributes.

A 50/50 split is carried out on the processed datasets to separate them into a training set for synthetic data generation and holdout split used only for evaluation. Table 1 presents a description of the datasets used for the synthetic data generation task.

Table 1: Summary of the datasets used for privacy reconstruction attacks.

Dataset	Number of Samples	Continuous Features	Discrete Features
Adult	24395	6	9
Lending	36954	53	8
PAKDD	22908	11	21
Taiwan	14982	20	4

4.2 GAN Models

We select three state-of-the-art tabular GAN models for generating synthetic data samples of the datasets. CTGAN (Xu et al.,, 2019) is a Wasserstein-based gradient penalty loss GAN that utilises the selection of conditional vectors during training in order to ensure sufficient modelling of underrepresented discrete categories. Subsequently, CTGAN’s synthetic output is highly realistic and the framework has been adapted for its applicability in other domains (Rosenblatt et al.,, 2020; Fang et al.,, 2022). Meanwhile, CTAB-GAN (Zhao et al.,, 2021) is a generative tabular GAN that improves the modelling of skewed numerical feature distributions and demonstrating a synthetic output that is well suitable for training machine learning models. CasTGAN (Alshantti et al.,, 2024) adopts a cascaded architecture of generators, where each generator is assigned with the task of generating an individual feature. The model demonstrates significant improvement in modelling the correlations between data attributes and drastically reduces the number of invalid records given the constrained relationship between some data features.

4.3 Evaluation Metrics

The evaluation of privacy attacks on tabular data is a non-trivial task. Whereas in image reconstruction attacks it can be possible to evaluate the preciseness of privacy attacks by visually observing the output and verifying if resembles a real training sample, it is practically impossible to qualitatively assess the success rate of privacy attacks given the scale of dimensionality of the data. Instead, we use the following metrics to quantify the success rate of privacy attacks.

Unique training samples: As the reconstructions attacks are aimed at identifying 5% of the training samples, it is undoubtedly desired by the attackers to target as many records as possible for maximising their benefit from the reconstruction attacks. A large diversity in the reconstructed samples entails that an attacker has high exposure to the different training samples and, thus, possess more knowledge for inflicting more harm.

Hit rate: The hit rate is a measure of how many training records were compromised by the privacy reconstruction attacks. Given that an attacker only targets the top 5% records, we formulate the hit rate as the ratio of compromised samples divided by 5% of the total records of the dataset. A compromised record is one where all the categorical features match those of the targeted training sample. Meanwhile, this is less straightforward for numerical features as they can take an infinite number of samples. Instead, we use the BIRCH clustering technique (Zhang et al.,, 1996) to divide a numeric feature into a number of categories determined by the clustering threshold which we set to $0.025$ . Therefore, the definition of compromised numeric features applies if the reconstructed sample features belong to exactly the same clusters as the training record.

Distance to closest record (DCR): The distance to closest record is a metric for quantifying how close a reconstructed sample is to the private training datapoint. For a given datapoint, a DCR=0 indicates that the reconstructed sample is an exact match of the training sample, and thus is considered a compromised datapoint. The data is both normalised and one-hot encoded for quantifying the DCR. From an attacker’s point of view, the attacks should minimise the DCR in order to closely approach the training space.

Given that the attacks formulated in this study are black-box attacks, the attacker is in fact unable to quantify the success of their own attacks for devising new strategies that would improve the effectiveness of their attacks. Instead, the evaluation metrics are used by the defenders as a way for assessing the privacy robustness of their generative models.

5 Results

5.1 RQ1: The Impact of Access Levels

We compare how different generative models access privileges contribute to the effectiveness of privacy attacks. Table 2 demonstrates the impact of the attack levels on the number of unique training samples targeted by those attacks. From the results, it is evident that Level I attacks, in which the attacker only has access to the synthetic data, evidently outperform Level II and Level III attacks in targeting a larger number of training samples. This is applicable for all the datasets and the three different GANs employed in the experimental analysis. Whereas, Level II and Level III attacks have a comparable performance in terms of attacking a less diverse population. The advantage for Level I attacks in targeting a more diverse subset of samples is attributed to the smaller size of the synthetic dataset in Level I attacks, in contrast to the large number of samples in Level II and Level III attacks stemming from the subsequent generation of synthetic samples. This utilisation of GANs in Level II and Level III attacks contributes to the generation of seemingly similar datapoints, causing the attacks to target a smaller subset of the feature space.

Table 2: Number of unique training samples attacked.

		Unique Samples Attacked
		CTGAN	CTAB-GAN	CasTGAN
Adult	Level I	932	851	1098
	Level II	426	691	711
	Level III	387	498	773
Lending	Level I	1270	1426	1290
	Level II	544	1096	574
	Level III	656	1121	877
PAKDD	Level I	832	762	940
	Level II	357	503	594
	Level III	521	413	680
Taiwan	Level I	601	573	483
	Level II	275	367	327
	Level III	305	249	333

Table 3 outlines the hit rate of the attack levels on synthetic datasets generated by the different GAN models. It can be observed from Table 3 that no attack strategy significantly dominated the other levels. Level III attacks achieved the highest hit rate on four synthetic datasets, while Level I and Level II attacks had the highest hit rate on two and three datasets respectively. Furthermore, it can be observed that no training records were compromised for the Lending dataset, due to its high dimensionality, demonstrating the challenge in matching all the categories and the numerical attributes clusters for a large number of features. This also explains why a low hit rate was achieved on the PAKDD dataset for all the attack levels and the generative models.

Table 3: Hit rate of reconstruction attacks types on GAN models.

		Hit Rate
		CTGAN	CTAB-GAN	CasTGAN
Adult	Level I	0.336	0.525	0.415
	Level II	0.537	0.514	0.680
	Level III	0.645	0.715	0.614
Lending	Level I	0.000	0.000	0.000
	Level II	0.000	0.000	0.000
	Level III	0.000	0.000	0.000
PAKDD	Level I	0.047	0.026	0.063
	Level II	0.102	0.035	0.094
	Level III	0.091	0.024	0.108
Taiwan	Level I	0.757	0.797	0.754
	Level II	0.630	0.661	0.589
	Level III	0.761	0.730	0.578

Table 4 summarises the results of the average DCR of all the attack levels on the datasets. From the results, it can be observed that Level III attacks perform the best in terms of identifying the synthetic samples that are the closest to the training space. This is not surprising, as access to the trained generators for producing an indefinite amount of samples increases the probability of finding synthetic samples that are closer to the private training records. This gives rise to synthetic data records that in close vicinity of the synthetic data space, thus, higher certainty that the closely clustered samples correspond to an existing private datapoint. However, this also highlights the evident trade-off between the proximity to the training data space and the diversity of samples targeted, as it can be observed from Table 2 that the reconstructed samples correspond to a smaller number of training samples, hence several reconstructed synthetic datapoints attributed to the same training record.

Table 4: Distance to closest record (DCR) comparison between the different attack types on GAN models.

		DCR
		CTGAN	CTAB-GAN	CasTGAN
Adult	Level I	0.171	0.081	0.081
	Level II	0.342	0.120	0.081
	Level III	0.102	0.047	0.074
Lending	Level I	0.597	0.559	0.674
	Level II	0.845	0.462	0.848
	Level III	0.471	0.450	0.645
PAKDD	Level I	1.094	1.083	0.468
	Level II	1.050	0.700	0.349
	Level III	0.639	1.251	0.369
Taiwan	Level I	0.054	0.046	0.065
	Level II	0.050	0.052	0.093
	Level III	0.051	0.040	0.107

5.2 RQ2: Selection Attacks Using Machine Learning Predictions

We now investigate the impact of using the prediction error of the synthetic samples in addition to the harmonic mean for reconstructing training samples. The machine learning model is trained on the private data, and it is assumed that an attacker has black-box access to the API of the model; only able to query samples and obtain their prediction. For ranking the synthetic samples, a set of weight vectors is used in order to balance the ratios between the closeness to other synthetic samples, $\omega_{1}$ , and the binary cross-entropy loss between the predictions and the target label of the synthetic data, $\omega_{2}$ . Namely, for $\Omega=\{\omega_{1},\omega_{2}\}$ we use $\Omega_{1}=\{0.50,0.50\}$ , $\Omega_{2}=\{0.75,0.25\}$ and $\Omega_{3}=\{1.00,0.00\}$ , where $\Omega_{3}$ is simply the reconstruction attacks relying only on the distance to the synthetic neighbours.

In order to intuitively present the results of RQ2, we compare the performance of Level III attacks as they exhibited the smallest DCR, entailing a higher significance reconstruction threat to the original training space. In addition, we explore RQ2 using CTGAN since it is the most efficient GAN model to train, and also because the results in Tables 2-4 demonstrate that there is no major disparity between the GAN models, indicating that none of the employed GAN models are particularly more robust or susceptible to reconstruction attacks than the others.

Table 5: The effect of utilising machine learning predictions on the performance of reconstruction attacks.

		Unique Samples	Hit Rate	DCR
Adult	$\Omega_{1}$	287	0.693	0.087
	$\Omega_{2}$	297	0.679	0.088
	$\Omega_{3}$	387	0.645	0.102
Lending	$\Omega_{1}$	596	0.000	0.528
	$\Omega_{2}$	594	0.000	0.483
	$\Omega_{3}$	656	0.000	0.471
PAKDD	$\Omega_{1}$	484	0.109	0.639
	$\Omega_{2}$	499	0.099	0.625
	$\Omega_{3}$	521	0.091	0.639
Taiwan	$\Omega_{1}$	550	0.689	0.057
	$\Omega_{2}$	393	0.801	0.042
	$\Omega_{3}$	305	0.761	0.051

The impact of utilising the prediction loss on the reconstruction attacks can be observed in Table 5. It can be noticed that in general that the most diverse targeting of training samples is attained by $\Omega_{3}$ . Meanwhile, it appears that relying on the BCE loss for attacking the synthetic samples leads to an increased hit rate. On the other hand, we can observe that DCR is highly dependent on the size of the datasets, where assigning equal weights for the proximity and the prediction losses appears to strongly impact lower dimensional datasets. As the difference in the Table 5 results is marginal, it can be deduced that there is little evidence to support that the utilisation of a discriminative model contributes to the the increased effectiveness of reconstruction attacks.

5.3 RQ3: The Role of Evolutionary Multi-Objective Optimisation

We now study the impact of multi-objective optimisation on the performance of reconstruction attacks. As opposed to the experiments for answering RQ2, we assume that in this scenario the attacker has no access to the machine learning model learnt from the training set, but rather trains a new prediction model on the synthetic dataset. In contrast to the attacking scenarios in RQ1 and RQ2, reconstruction attacks using multi-objective optimisation actively perturb the data attributes during the evolutionary process, and thus, the synthetic datapoints have the potential to move closer to or further away from their corresponding private training datapoints. Since there was no evident advantage for weight vectors in RQ2, we further devise reconstruction attacks using the same three weight vectors in the multi criteria decision making stage after the final population has been generated in order to outline the difference in the precision of the attacks. Table 6 demonstrates these results.

Table 6: Comparison of reconstruction attacks performance of evolutionary multi-objective optimisation and non-evolutionary

\Omega_{3}

attacks in RQ2 (w/o MoE).

		Unique Samples	Hit Rate	DCR
Adult	w/o MoE	387	0.645	0.102
	$\Omega_{1}$	290	0.233	0.281
	$\Omega_{2}$	277	0.267	0.194
	$\Omega_{3}$	383	0.679	0.101
Lending	w/o MoE	656	0.000	0.471
	$\Omega_{1}$	496	0.000	0.481
	$\Omega_{2}$	521	0.000	0.453
	$\Omega_{3}$	559	0.000	0.446
PAKDD	w/o MoE	521	0.091	0.639
	$\Omega_{1}$	462	0.098	0.908
	$\Omega_{2}$	425	0.121	0.652
	$\Omega_{3}$	508	0.095	0.638
Taiwan	w/o MoE	305	0.761	0.051
	$\Omega_{1}$	254	0.583	0.062
	$\Omega_{2}$	275	0.698	0.058
	$\Omega_{3}$	279	0.769	0.050

There are multiple observations that can be made from Table 6. First, it can be noticed that allocating a higher weight for the BCE loss in order to select samples from the Pareto solutions that optimise both objectives lead to a drop in the success rate of the attacks. It is clear that in most cases $\Omega_{1}$ and $\Omega_{2}$ perform worse in targeting diverse samples and perturbing the synthetic samples closer to the training space. Meanwhile, there are noticeable trade-offs between not using evolutionary algorithms and using NSGA-II for perturbations and nevertheless selecting the optimal solutions that only minimises the distance to the synthetic neighbours. It is evident that the use of evolutionary algorithms to perturb synthetic samples reduces the diversity of the targeted training samples, even when using $\Omega_{3}$ . On the other hand, we notice that evolutionary algorithms and MCDM using $\Omega_{3}$ moderately increases the precision of the reconstruction attacks as observed from the hit rate and the DCR.

5.4 Against Benchmark Attacks

We further compare the performance of our attacks against the attacks devised by Hayes et al., (2019) and Chen et al., 2020b . While both works formulated the attacks as membership inference attacks, we re-adapt the attacks for the re-identification scenario without a holdout set. For emulating the full black-box LOGAN attack in (Hayes et al.,, 2019), we first train a surrogate CTAB-GAN model on the available synthetic data to generate a number of synthetic samples. We then train another CTAB-GAN model on the newly generated synthetic samples. We then query the synthetic data samples from the CTGAN model on the CTAB-GAN model and rank the samples according to the output of the discriminator. Subsequently, the top 5% samples are selected as the re-identified samples. The full implementation of the full black-box LOGAN attacks can be found in the original paper (Hayes et al.,, 2019).

In addition, we implement two variants of the GAN-Leaks attacks proposed by Chen et al., 2020b . We first consider the base full black-box attacks in which $1$ -nearest neighbour is used to rank the synthetic samples according to the distance to their neighbours. The top 5% samples closest to their neighbours are selected as the candidate samples. Meanwhile, we also consider the calibrated GAN-Leaks attacks which consider the training of a second surrogate model and computing the membership calibrated error between the surrogate and the original GAN model. We refer the reader to the original paper (Chen et al., 2020b, ) for the full implementation details. We compare our reconstruction attacks against the baseline attacks and demonstrate the results in Table 7.

Table 7: Comparing the number of unique samples, hit rate and DCR of our multi-objective optimised

\Omega_{3}

attacks against baseline GAN attacks.

		Unique Samples	Hit Rate	DCR
Adult	LOGAN	827	0.019	1.429
	GAN-Leaks	804	0.489	0.128
	GAN-Leaks Calibrated	766	0.104	0.570
	Ours	383	0.679	0.101
Lending	LOGAN	1701	0.000	1.073
	GAN-Leaks	1224	0.000	0.543
	GAN-Leaks Calibrated	1362	0.000	0.996
	Ours	559	0.000	0.446
PAKDD	LOGAN	757	0.023	1.766
	GAN-Leaks	803	0.052	0.693
	GAN-Leaks Calibrated	835	0.034	1.205
	Ours	508	0.095	0.638
Taiwan	LOGAN	657	0.594	0.139
	GAN-Leaks	493	0.844	0.042
	GAN-Leaks Calibrated	558	0.393	0.203
	Ours	279	0.769	0.050

Inspecting Table 7 demonstrates that the LOGAN attacks achieved the highest diversity in the number of training samples targeted. Querying on the discriminator is minimally deterministic as the output of the discriminator depends on various factors during the training process. As such, we notice that contrastingly the LOGAN achieves the worst hit rate and DCR scores amongst the other approaches. Meanwhile, we observe that the calibrated GAN-leaks attack achieve a lower success rate than the base GAN-Leaks attacks. This can be attributed to the fact that the calibrated attacks are well designed for the membership inference attacks as they aim to estimate the membership probability, thus, they are significantly less effective in our case, where no holdout set is available for querying. Finally, we notice that the base GAN-Leaks attacks achieve the closest performance to our reconstruction attacks. This indeed validates that the use of proximity measures for selecting the samples according to their vicinity to their neighbours can be a good indicator of overfitting or potential data leakage. Nevertheless, we observe that the reconstruction attacks we proposed are the most successful attacks as they achieve the best hit rate and DCR scores on most of the datasets. However, we highlight that this comes at the expense of the reduced number of targeted training samples.

5.5 Defence Mechanisms

While it is common knowledge that differential privacy yields unacceptable trade-offs between the privacy and utility of the synthetic data (Shokri and Shmatikov,, 2015), it is nevertheless interesting to analyse the robustness of differential privacy against our evolutionary multi-objective attacks. For conducting this analysis, we employ DP-auto-GAN (Tantipongpipat et al.,, 2021) for generating differentially private synthetic samples. While there is no scarcity of differentially private tabular GAN models in the literature, we employ DP-auto-GAN as it achieved better performance than some of the existing benchmarks, and for it is ability to handled mixed-type datasets. A more thorough coverage of differentially private GANs can be found in Section 6.

For generating differentially private synthetic samples, we use the same parameters for DP-auto-GAN as in the original paper in (Tantipongpipat et al.,, 2021), where a lower privacy budget parameter $\epsilon$ increases the privacy of the synthetic data, while a higher $\epsilon$ produces less rigid privacy guarantees. The results in Table 8 demonstrate this behaviour on the Adult dataset. We notice that all differentially private models reduced the number of training samples targeted by reconstruction attacks, which reduces the risk of exposure of training datapoints. Moreover, the hit rate has been significantly reduced against our reconstruction attacks, hence, a fewer number of records suffering from leakage. It can also be observed how the DCR grows considerably with stricter privacy guarantees, thus demonstrating the disparity between the training set and the differentially private synthetic datasets.

Table 8: Comparison of differential privacy against our model - attack success

	Unique Samples	Hit Rate	DCR
$\epsilon=0.36$	96	0.049	0.638
$\epsilon=0.51$	78	0.024	0.381
$\epsilon=1.01$	101	0.071	0.103
CTGAN	383	0.679	0.101

For evaluating the utility of the synthetic datasets, we consider some of the metrics presented in (Alshantti et al.,, 2024). We measure the F1-score of the predictions on the test data using models trained on the synthetic datasets. In addition, the Kolmogrov-Smirnov two-sample test score (KS-statistic) is used to quantify the univariate distribution statistical errors of the features of the synthetic output in comparison to the private training set. Meanwhile, the correlation Root Mean Squared Error (correlation RMSE) measures the error of the attribute correlations between the real data and the synthetic data. The results are reported in Table 9. From the results, we can observe how the differential privacy significantly diminishes the quality of the data. We can further notice from the F1-score in Table 9 that the synthetic datasets produced by DP-auto-GAN are significantly less suitable for training predictive errors due to the large error in predicting the target feature. Moreover, the structure of the data is significantly distorted, which is reflected by the high KS-statistic and correlation RMSE measures. Therefore, it is obvious that using differential privacy against our reconstruction attacks comes at the expense of generating synthetic output that represents the properties of the original data.

Table 9: Comparison of differential privacy against our model - data utility

	F1-score	KS-statistic	Correlation RMSE
$\epsilon=0.36$	0.177	0.220	0.288
$\epsilon=0.51$	0.331	0.191	0.230
$\epsilon=1.01$	0.263	0.199	0.234
CTGAN	0.624	0.150	0.057

6 Related Works

6.1 Privacy Attacks

While privacy attacks are adequately studied for discriminative models, they have been explored to a much lesser extent in the generative model literature. Hayes et al., (2019) proposed membership attacks on GANs in the white-box and black-box settings. The attacks work by querying samples on the discriminator and attributing the samples with higher discriminator scores as training samples. Unsurprisingly, it was demonstrated that white-box attacks that query samples on the discriminator are more successful than attacks that were evaluated on GANs trained on a surrogate dataset. Hilprecht et al., (2019) proposed the two types of membership inference attacks: Monte Carlo attacks on generative models and Reconstruction attacks on VAEs. The experimental results demonstrated that the proposed Monte Carlo attacks outperformed existing black-box membership inference attacks on generative models, while showing that reconstruction attacks on the VAEs were extremely effective, which indicates that variational autoencoders are considerably susceptible to overfitting. Moreover, Chen et al., 2020b also devised membership inference attacks against GANs in both knowledgeable white-box settings and less knowledgeable black-box settings and produced findings consistent to previous studies while outperforming existing membership inference attacks. Similarly, Zhang et al., (2022) comprehensively studied the impact of membership inference attacks against longitudinal health data with no assumptions about the structure of the generative model used, and found that partially synthetic data is significantly more prone to inference attacks than fully synthetic data. Meanwhile, Hu et al., (2021) proposed membership collision attacks on generative models by training multiple shadow generative models and attributing the overlap** samples from the shadow models as training samples. However, it is observed that this type of attack is unsuccessful against mixed-type tabular datasets, where the data is discretised to ensure that the overlap of samples takes place. It is worth noting that in the aforementioned works, the success rate of membership inference attacks is reported to significantly drop as the size of the training set increases. Therefore, the attacks are only slightly better than random guessing the query samples when the large datasets were used for training. Additionally, the majority of the literature on generative adversarial attacks is dedicated to computer vision application and image data, while insufficiently addressing the tabular data domain.

6.2 Privacy Defences

On the other hand, mitigation mechanisms for generative models have been adequately explored in the literature. Zhang et al., (2017) presented PrivBayes as a Bayesian network-based generative model to create synthetic data while conforming to differential privacy guarantees. However, it has been demonstrated by Xu et al., (2019) that the data generated by PrivBayes exhibits much lower data utility for machine learning tasks than the GAN counterparts. ** the weights and adding noise to the gradients. Jordon et al., (2018) devised PATE-GAN, which is a generative framework adopting a teacher-student ensemble method to ensure strict privacy guarantees and improved quality of the synthetic output. Chen et al., 2020a proposed a differentially private GAN model that provides rigid privacy guarantees by sanitising the generator’s output, while maintaining optimal training of the discriminator. Lee et al., (2021) designed a generative model consisting of a GAN and a VAE combined with the negative log density regularisation for adjusting the trade-off between the privacy and utility of synthetic tabular data. The combination of VAE and GAN was also implemented by Torfi et al., (2022) where an auto-encoder was combined with a convolutional GAN for achieving differential privacy for tabular data synthesis. PAR-GAN is a framework that composes of a single generator and multiple discriminator for training the GAN on multiple disjoint partitions of the training data in order to generalise on the data and avoid the memorisation of individual samples (Chen et al.,, 2021). Meanwhile, Fed-Avg GAN was proposed by McMahan et al., (2017) for synthesis of decentralised data in federated learning, while providing different privacy guarantees at a user-level. In the aforementioned works, it is evident that the quality of the synthetic data is considerably sacrificed in order to ensure the privacy of the training data. Ganev et al., (2022) conducted a study for investigating the distortion of class distributions in the synthetic datasets induced by several differential privacy synthesis techniques. Notwithstanding, Lu et al., (2019) argue that the strict differential privacy guarantee is a concept that has been thoroughly explored in the research community, whereas, it might be sufficient for industries in practice to rely on the GAN-based synthetic output for legal purposes and improved data quality.

6.3 Privacy Risk Evaluation

In principle, quantifying the threat on training data by privacy attacks is an intrinsically challenging task. Song and Mittal, (2021) proposed a privacy risk score based on the Bayes’ theorem to quantify the probability of a query sample being a member of the training for evaluating the success membership inference attacks. Whereas, Park and Ghosh, (2014) formulated the disclosure risk score as a measure to estimate the likelihood of recovering a feature of a record given the attacker has knowledge of the other features for the record. Meanwhile, Chen et al., (2021) used the generalisation gap between the discriminator scores of the training set and holdout set to quantify how well does differential privacy succeeds in reducing the gap. Qualitative analysis of synthetic data is a widely adopted approach in the image synthesis where the human eye can be used for verifying whether the identity of real individuals or target classes can be determined from the synthetically generated output (Hitaj et al.,, 2017; Tseng and Wu,, 2020; Wang et al.,, 2021). Meanwhile, Aïvodji et al., (2019) relied on human interpretation of the synthetic output by conducting a survey and asking the participants to guess the labels of the synthetic images that were presented to them. The privacy risk on tabular data remains considerably more challenging to quantify than for visual applications.

7 Conclusion

In this work, we designed and implemented reconstruction attacks on tabular synthetic data. Traditionally, the vulnerability of synthetic data is predominantly studied in the context of membership inference attacks; where an attacker with a query set consisting of private training records and synthetic records tries to infer which records were used for training a generative model. We note that while the study of membership inference attacks emphasise the need for better defending mechanisms for generative models, membership inference attacks are built on the strong and potentially unreasonable assumption that an attacker already has a query set that comprises of private samples. Instead, we shed light on the case where an attacker tries to recover training data records via the synthetic data and possibly black-box access to the generative and discriminative models trained on the original data.

Our experimental results demonstrate that reconstruction attacks pose a major threat in recovering sensitive information in the training set. In accordance with intuition, our results demonstrated that access to the generator by an attacker for producing a large number of synthetic samples yields more precise reconstructions of the private datapoints. In addition, the use of multi-objective optimisation and evolutionary algorithms enable the perturbation of synthetic samples for reconstructing training samples more effectively. Nevertheless, we highlight that the evaluation of privacy attacks on mixed-type tabular data is a non-trivial task. Furthermore, the current mitigation techniques for hindering privacy attacks are significantly detrimental to the quality and the utility of the synthetic data. We therefore aim that the introduction of reconstruction attacks in the synthetic tabular domain motivates for more robust defence mechanisms that guarantee privacy whilst not jeopardising the data’s usability.

Acknowledgments

This work was supported by DNB ASA through the funding of this research project. The authors would like to thank Damiano Varagnolo for his insights and valuable contributions.

References

Abadi et al., (2016) Abadi, M., Chu, A., Goodfellow, I., McMahan, H. B., Mironov, I., Talwar, K., and Zhang, L. (2016). Deep learning with differential privacy. In Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, pages 308–318.
Agrawal and Srikant, (2000) Agrawal, R. and Srikant, R. (2000). Privacy-preserving data mining. In Proceedings of the 2000 ACM SIGMOD international conference on Management of data, pages 439–450.
Aïvodji et al., (2019) Aïvodji, U., Gambs, S., and Ther, T. (2019). Gamin: An adversarial approach to black-box model inversion. arXiv preprint arXiv:1909.11835.
Alshantti et al., (2024) Alshantti, A., Varagnolo, D., Rasheed, A., Rahmati, A., and Westad, F. (2024). Castgan: Cascaded generative adversarial network for realistic tabular data synthesis. IEEE Access.
Cai et al., (2021) Cai, Z., Xiong, Z., Xu, H., Wang, P., Li, W., and Pan, Y. (2021). Generative adversarial networks: A survey toward private and secure applications. ACM Computing Surveys (CSUR), 54(6):1–38.
(6) Chen, D., Orekondy, T., and Fritz, M. (2020a). Gs-wgan: A gradient-sanitized approach for learning differentially private generators. Advances in Neural Information Processing Systems, 33:12673–12684.
(7) Chen, D., Yu, N., Zhang, Y., and Fritz, M. (2020b). Gan-leaks: A taxonomy of membership inference attacks against generative models. In Proceedings of the 2020 ACM SIGSAC conference on computer and communications security, pages 343–362.
Chen et al., (2021) Chen, J., Wang, W. H., Gao, H., and Shi, X. (2021). Par-gan: Improving the generalization of generative adversarial networks against membership inference attacks. In Proceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery & Data Mining, pages 127–137.
Choi et al., (2017) Choi, E., Biswal, S., Malin, B., Duke, J., Stewart, W. F., and Sun, J. (2017). Generating multi-label discrete patient records using generative adversarial networks. In Machine learning for healthcare conference, pages 286–305. PMLR.
Deb et al., (2002) Deb, K., Pratap, A., Agarwal, S., and Meyarivan, T. (2002). A fast and elitist multiobjective genetic algorithm: Nsga-ii. IEEE transactions on evolutionary computation, 6(2):182–197.
Dwork, (2008) Dwork, C. (2008). Differential privacy: A survey of results. In International conference on theory and applications of models of computation, pages 1–19. Springer.
Engelmann and Lessmann, (2021) Engelmann, J. and Lessmann, S. (2021). Conditional wasserstein gan-based oversampling of tabular data for imbalanced learning. Expert Systems with Applications, 174:114582.
Esteban et al., (2017) Esteban, C., Hyland, S. L., and Rätsch, G. (2017). Real-valued (medical) time series generation with recurrent conditional gans. arXiv preprint arXiv:1706.02633.
Fang et al., (2022) Fang, M. L., Dhami, D. S., and Kersting, K. (2022). Dp-ctgan: Differentially private medical data generation using ctgans. In International Conference on Artificial Intelligence in Medicine, pages 178–188. Springer.
Fredrikson et al., (2014) Fredrikson, M., Lantz, E., Jha, S., Lin, S., Page, D., and Ristenpart, T. (2014). Privacy in pharmacogenetics: An $\{$ End-to-End $\}$ case study of personalized warfarin dosing. In 23rd USENIX Security Symposium (USENIX Security 14), pages 17–32.
Ganev et al., (2022) Ganev, G., Oprisanu, B., and De Cristofaro, E. (2022). Robin hood and matthew effects: Differential privacy has disparate impact on synthetic data. In International Conference on Machine Learning, pages 6944–6959. PMLR.
Gondara and Wang, (2018) Gondara, L. and Wang, K. (2018). Mida: Multiple imputation using denoising autoencoders. In Pacific-Asia conference on knowledge discovery and data mining, pages 260–272. Springer.
Goodfellow et al., (2014) Goodfellow, I., Pouget-Abadie, J., Mirza, M., Xu, B., Warde-Farley, D., Ozair, S., Courville, A., and Bengio, Y. (2014). Generative adversarial nets. Advances in neural information processing systems, 27.
Hayes et al., (2019) Hayes, J., Melis, L., Danezis, G., and De Cristofaro, E. (2019). Logan: Membership inference attacks against generative models. In Proceedings on Privacy Enhancing Technologies (PoPETs), volume 2019, pages 133–152. De Gruyter.
Hidano et al., (2017) Hidano, S., Murakami, T., Katsumata, S., Kiyomoto, S., and Hanaoka, G. (2017). Model inversion attacks for prediction systems: Without knowledge of non-sensitive attributes. In 2017 15th Annual Conference on Privacy, Security and Trust (PST), pages 115–11509. IEEE.
Hilprecht et al., (2019) Hilprecht, B., Härterich, M., and Bernau, D. (2019). Monte carlo and reconstruction membership inference attacks against generative models. Proceedings on Privacy Enhancing Technologies, 2019(4):232–249.
Hitaj et al., (2017) Hitaj, B., Ateniese, G., and Perez-Cruz, F. (2017). Deep models under the gan: information leakage from collaborative deep learning. In Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, pages 603–618.
Hu et al., (2021) Hu, A., Xie, R., Lu, Z., Hu, A., and Xue, M. (2021). Tablegan-mca: Evaluating membership collisions of gan-synthesized tabular data releasing. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pages 2096–2112.
Ishibuchi et al., (2016) Ishibuchi, H., Imada, R., Setoguchi, Y., and Nojima, Y. (2016). Performance comparison of nsga-ii and nsga-iii on various many-objective test problems. In 2016 IEEE Congress on Evolutionary Computation (CEC), pages 3045–3052. IEEE.
Jayaraman and Evans, (2019) Jayaraman, B. and Evans, D. (2019). Evaluating differentially private machine learning in practice. In 28th USENIX Security Symposium (USENIX Security 19), pages 1895–1912.
Jia et al., (2019) Jia, J., Salem, A., Backes, M., Zhang, Y., and Gong, N. Z. (2019). Memguard: Defending against black-box membership inference attacks via adversarial examples. In Proceedings of the 2019 ACM SIGSAC conference on computer and communications security, pages 259–274.
Jordon et al., (2018) Jordon, J., Yoon, J., and Van Der Schaar, M. (2018). Pate-gan: Generating synthetic data with differential privacy guarantees. In International conference on learning representations.
Karras et al., (2019) Karras, T., Laine, S., and Aila, T. (2019). A style-based generator architecture for generative adversarial networks. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 4401–4410.
Kingma et al., (2014) Kingma, D. P., Mohamed, S., Jimenez Rezende, D., and Welling, M. (2014). Semi-supervised learning with deep generative models. Advances in neural information processing systems, 27.
Kohavi and Becker, (1996) Kohavi, R. and Becker, B. (1996). Adult data set. https://archive.ics.uci.edu/ml/datasets/adult.
Koller and Friedman, (2009) Koller, D. and Friedman, N. (2009). Probabilistic graphical models: principles and techniques. MIT press.
Lee et al., (2021) Lee, J., Hyeong, J., Jeon, J., Park, N., and Cho, J. (2021). Invertible tabular gans: Killing two birds with one stone for tabular data synthesis. Advances in Neural Information Processing Systems, 34:4263–4273.
Lending Club, (2018) Lending Club (2018). Loan default dataset. https://www.lendingclub.com/.
Li et al., (2006) Li, N., Li, T., and Venkatasubramanian, S. (2006). t-closeness: Privacy beyond k-anonymity and l-diversity. In 2007 IEEE 23rd international conference on data engineering, pages 106–115. IEEE.
Liu et al., (2019) Liu, K. S., Xiao, C., Li, B., and Gao, J. (2019). Performing co-membership attacks against deep generative models. In 2019 IEEE International Conference on Data Mining (ICDM), pages 459–467. IEEE.
Long et al., (2018) Long, Y., Bindschaedler, V., Wang, L., Bu, D., Wang, X., Tang, H., Gunter, C. A., and Chen, K. (2018). Understanding membership inferences on well-generalized learning models. arXiv preprint arXiv:1802.04889.
Lu et al., (2019) Lu, P.-H., Wang, P.-C., and Yu, C.-M. (2019). Empirical evaluation on synthetic data generation with generative adversarial network. In Proceedings of the 9th International Conference on Web Intelligence, Mining and Semantics, pages 1–6.
McMahan et al., (2017) McMahan, H. B., Ramage, D., Talwar, K., and Zhang, L. (2017). Learning differentially private recurrent language models. arXiv preprint arXiv:1710.06963.
Melis et al., (2019) Melis, L., Song, C., De Cristofaro, E., and Shmatikov, V. (2019). Exploiting unintended feature leakage in collaborative learning. In 2019 IEEE Symposium on Security and Privacy (SP), pages 691–706. IEEE.
Narayanan and Shmatikov, (2008) Narayanan, A. and Shmatikov, V. (2008). Robust de-anonymization of large sparse datasets. In 2008 IEEE Symposium on Security and Privacy (sp 2008), pages 111–125. IEEE.
Nasr et al., (2018) Nasr, M., Shokri, R., and Houmansadr, A. (2018). Machine learning with membership privacy using adversarial regularization. In Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pages 634–646.
Nasr et al., (2019) Nasr, M., Shokri, R., and Houmansadr, A. (2019). Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning. In 2019 IEEE symposium on security and privacy (SP), pages 739–753. IEEE.
PAKDD, (2009) PAKDD (2009). Pakdd 2009 data mining competition. https://pakdd.org/archive/pakdd2009/front/show/competition.html.
Park et al., (2018) Park, N., Mohammadi, M., Gorde, K., Jajodia, S., Park, H., and Kim, Y. (2018). Data synthesis based on generative adversarial networks. arXiv preprint arXiv:1806.03384.
Park and Ghosh, (2014) Park, Y. and Ghosh, J. (2014). Pegs: Perturbed gibbs samplers that generate privacy-compliant synthetic data. Trans. Data Priv., 7(3):253–282.
Popov et al., (2019) Popov, S., Morozov, S., and Babenko, A. (2019). Neural oblivious decision ensembles for deep learning on tabular data. In International Conference on Learning Representations.
Rabiner, (1989) Rabiner, L. R. (1989). A tutorial on hidden markov models and selected applications in speech recognition. Proceedings of the IEEE, 77(2):257–286.
Rigaki and Garcia, (2020) Rigaki, M. and Garcia, S. (2020). A survey of privacy attacks in machine learning. arXiv preprint arXiv:2007.07646.
Rosenblatt et al., (2020) Rosenblatt, L., Liu, X., Pouyanfar, S., de Leon, E., Desai, A., and Allen, J. (2020). Differentially private synthetic data: Applied evaluations and enhancements. arXiv preprint arXiv:2011.05537.
Salimans and Kingma, (2016) Salimans, T. and Kingma, D. P. (2016). Weight normalization: A simple reparameterization to accelerate training of deep neural networks. Advances in neural information processing systems, 29.
Shokri and Shmatikov, (2015) Shokri, R. and Shmatikov, V. (2015). Privacy-preserving deep learning. In Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, pages 1310–1321.
Shokri et al., (2017) Shokri, R., Stronati, M., Song, C., and Shmatikov, V. (2017). Membership inference attacks against machine learning models. In 2017 IEEE symposium on security and privacy (SP), pages 3–18. IEEE.
Song and Mittal, (2021) Song, L. and Mittal, P. (2021). Systematic evaluation of privacy risks of machine learning models. In 30th USENIX Security Symposium (USENIX Security 21), pages 2615–2632.
Srivastava et al., (2014) Srivastava, N., Hinton, G., Krizhevsky, A., Sutskever, I., and Salakhutdinov, R. (2014). Dropout: a simple way to prevent neural networks from overfitting. The journal of machine learning research, 15(1):1929–1958.
Tantipongpipat et al., (2021) Tantipongpipat, U. T., Waites, C., Boob, D., Siva, A. A., and Cummings, R. (2021). Differentially private synthetic mixed-type data generation for unsupervised learning. In 2021 12th International Conference on Information, Intelligence, Systems & Applications (IISA), pages 1–9. IEEE.
Tian et al., (2021) Tian, Y., Si, L., Zhang, X., Cheng, R., He, C., Tan, K. C., and **, Y. (2021). Evolutionary large-scale multi-objective optimization: A survey. ACM Computing Surveys (CSUR), 54(8):1–34.
Torfi et al., (2022) Torfi, A., Fox, E. A., and Reddy, C. K. (2022). Differentially private synthetic medical data generation using convolutional gans. Information Sciences, 586:485–500.
Tramèr et al., (2016) Tramèr, F., Zhang, F., Juels, A., Reiter, M. K., and Ristenpart, T. (2016). Stealing machine learning models via prediction $\{$ APIs $\}$ . In 25th USENIX security symposium (USENIX Security 16), pages 601–618.
Tseng and Wu, (2020) Tseng, B.-W. and Wu, P.-Y. (2020). Compressive privacy generative adversarial network. IEEE Transactions on Information Forensics and Security, 15:2499–2513.
Verma et al., (2021) Verma, S., Pant, M., and Snasel, V. (2021). A comprehensive review on nsga-ii for multi-objective combinatorial optimization problems. IEEE access, 9:57757–57791.
Wang et al., (2021) Wang, K.-C., Fu, Y., Li, K., Khisti, A., Zemel, R., and Makhzani, A. (2021). Variational model inversion attacks. Advances in Neural Information Processing Systems, 34:9706–9719.
Webster et al., (2019) Webster, R., Rabin, J., Simon, L., and Jurie, F. (2019). Detecting overfitting of deep generative networks via latent recovery. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 11273–11282.
Wierzbicki, (1980) Wierzbicki, A. P. (1980). The use of reference objectives in multiobjective optimization. In Multiple criteria decision making theory and application, pages 468–486. Springer.
Xie et al., (2018) Xie, L., Lin, K., Wang, S., Wang, F., and Zhou, J. (2018). Differentially private generative adversarial network. arXiv preprint arXiv:1802.06739.
Xu et al., (2019) Xu, L., Skoularidou, M., Cuesta-Infante, A., and Veeramachaneni, K. (2019). Modeling tabular data using conditional gan. Advances in Neural Information Processing Systems, 32.
Yang et al., (2019) Yang, Z., Zhang, J., Chang, E.-C., and Liang, Z. (2019). Neural network inversion in adversarial setting via background knowledge alignment. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pages 225–240.
Yeh and Lien, (2016) Yeh, I.-C. and Lien, C.-H. (2016). default of credit card clients data set. https://archive.ics.uci.edu/ml/datasets/default+of+credit+card+clients.
Yeom et al., (2017) Yeom, S., Fredrikson, M., and Jha, S. (2017). The unintended consequences of overfitting: Training data inference attacks. arXiv preprint arXiv:1709.01604, 12.
Yoon et al., (2019) Yoon, J., Jarrett, D., and Van der Schaar, M. (2019). Time-series generative adversarial networks. Advances in neural information processing systems, 32.
Zhang et al., (2017) Zhang, J., Cormode, G., Procopiuc, C. M., Srivastava, D., and Xiao, X. (2017). Privbayes: Private data release via bayesian networks. ACM Transactions on Database Systems (TODS), 42(4):1–41.
Zhang and Li, (2007) Zhang, Q. and Li, H. (2007). Moea/d: A multiobjective evolutionary algorithm based on decomposition. IEEE Transactions on evolutionary computation, 11(6):712–731.
Zhang et al., (1996) Zhang, T., Ramakrishnan, R., and Livny, M. (1996). Birch: an efficient data clustering method for very large databases. ACM sigmod record, 25(2):103–114.
Zhang et al., (2020) Zhang, Y., Jia, R., Pei, H., Wang, W., Li, B., and Song, D. (2020). The secret revealer: Generative model-inversion attacks against deep neural networks. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 253–261.
Zhang et al., (2022) Zhang, Z., Yan, C., and Malin, B. A. (2022). Membership inference attacks against synthetic health data. Journal of biomedical informatics, 125:103977.
Zhao et al., (2021) Zhao, Z., Kunar, A., Birke, R., and Chen, L. Y. (2021). Ctab-gan: Effective table data synthesizing. In Asian Conference on Machine Learning, pages 97–112. PMLR.
Zhou et al., (2011) Zhou, A., Qu, B.-Y., Li, H., Zhao, S.-Z., Suganthan, P. N., and Zhang, Q. (2011). Multiobjective evolutionary algorithms: A survey of the state of the art. Swarm and evolutionary computation, 1(1):32–49.
Zhu et al., (2017) Zhu, J.-Y., Park, T., Isola, P., and Efros, A. A. (2017). Unpaired image-to-image translation using cycle-consistent adversarial networks. In Proceedings of the IEEE international conference on computer vision, pages 2223–2232.
Zitzler and Thiele, (1999) Zitzler, E. and Thiele, L. (1999). Multiobjective evolutionary algorithms: a comparative case study and the strength pareto approach. IEEE transactions on Evolutionary Computation, 3(4):257–271.